Practical Application of the GDPR for Marketers: Data Security & International Transfers

(Third in a series of articles from Arke on the practical application of the GDPR to clients who use marketing technology platforms. You can read the introduction to the GDPR in part one. Part two is on Consent and Data Governance.)

The European Union’s new legal framework for data protection imposes new requirements on marketers who collect personal data. Known as the General Data Protection Regulation (GDPR), the legislation requires marketers to ensure adequate security to protect the privacy of data subjects.

The GDPR, which goes into effect May 25, 2018, defines “data subjects” as “identified or identifiable natural person[s].” More simply, data subjects are all of the people from whom or about whom you collect information in connection with your business and its operations.

While the GDPR was designed to protect European Union (EU) residents, it has global reach. It affects any company that handles the personal data of any EU residents — regardless of where the company is based.

GDPR Sets Security Standards

Under GDPR, marketers are required to encrypt all personally identifiable information (PII), when the data is at rest as well as when it’s in transit. PII is any data that can be used to identify a specific individual.

For practical purposes, this means all web browser connections must occur over HTTPS (HTTP Secure). HTTPS is the hypertext transfer protocol that creates a secure encrypted connection between the web server and the web browser.

HTTPS aims to prevent personal data from interception or compromise. To address GDPR security regulations, marketers should:

  • Enforce HTTPS for their entire website
  • Support Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) with a key size of at least 2048 bits instead of SSL (Secure Sockets Layer) version 3

Marketers should also use the most secure cipher available. The list of cipher suites supported by TLS continues to expand, so be sure to check https://www.owasp.org for the latest recommendation. The Open Web Application Security Project (OWASP) currently recommends using “Elliptic Curve Diffie-Hellman Exchange (ECDHE) and Galois/Counter Mode (GCM) ciphers instead of static RSA (Rivest–Shamir–Adleman) key exchange and Cipher block chaining (CBC) ciphers.”

All network connections between your web server and backend systems that contain PII must occur over secure connections as well. This includes web services, databases, content delivery networks (CDNs), Customer relationship management (CRM) systems, marketing automation systems, and, especially, third-party cloud systems.
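The following script is an added example, not code from Arke or from the article, showing how to check a TLS configuration against the OWASP guidance quoted above (ECDHE key exchange, GCM or ChaCha20 AEAD ciphers, no static RSA and no CBC) and how to build a Python ssl context that enforces it. The cipher names, the "ECDHE+AESGCM:ECDHE+CHACHA20" cipher string and the TLS 1.2 floor are assumptions of this example, not requirements stated on the page.

```python
"""Added example (not from the Arke article): audit cipher suites against the
OWASP recommendation quoted above. Cipher names follow the OpenSSL naming
convention that Python's ssl module reports."""
import ssl


def classify(name):
    """Return (recommended, reason) for one OpenSSL-style cipher suite name."""
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) always use ephemeral key
    # exchange and an AEAD cipher, so they meet the recommendation by design.
    if name.startswith("TLS_"):
        return True, "TLS 1.3 suite"
    if not name.startswith("ECDHE-"):
        # Static RSA suites such as AES256-SHA carry no key-exchange prefix at
        # all; DHE/ADH/etc. are not the ECDHE exchange OWASP recommends.
        return False, "key exchange is not ECDHE"
    if "GCM" not in name and "CHACHA20" not in name:
        # OpenSSL names CBC suites by their HMAC only, e.g. ECDHE-RSA-AES256-SHA384.
        return False, "not an AEAD (GCM/ChaCha20) cipher, probably CBC"
    return True, "ECDHE with AEAD cipher"


def hardened_context():
    """Client context restricted to TLS 1.2+ and ECDHE/AEAD suites only
    (assumed policy; for a server use ssl.PROTOCOL_TLS_SERVER instead)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSLv3, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # OpenSSL cipher-list syntax
    return ctx


def audit_context(ctx):
    """Summarise a context: minimum protocol version, whether every enabled
    suite passes classify(), and which suites were rejected and why."""
    results = [(c["name"], *classify(c["name"])) for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "all_recommended": all(ok for _, ok, _ in results),
        "rejected": [(n, why) for n, ok, why in results if not ok],
    }


if __name__ == "__main__":
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA",
                  "ECDHE-RSA-AES256-SHA384", "TLS_AES_256_GCM_SHA384"):
        print(f"{suite:32} {classify(suite)}")
    print(audit_context(hardened_context()))
```

Run audit_context() on the context your own web server or backend client actually uses; a non-empty "rejected" list is the finding to fix before go-live.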

Marketers Must Encrypt Data

Additionally, all PII stored in files or databases must be encrypted. This means marketers now need to enable file system encryption at every point possible.

Some systems such as SQL Server offer transparent data encryption. Others, however, do not. In that case, marketers will have to enable file system encryption within their operating systems.

The following table provides recommendations for meeting data security requirements in common marketing technology platforms. Platforms hosted by cloud providers, including Salesforce or Marketo, already require secure connections and encrypt their data at rest.

System              | Network Connection | Data at Rest
--------------------|--------------------|------------------------------------------------------------
SQL Server          | SSL                | Transparent Data Encryption feature in SQL Server 2008 or newer
Solr                | SSL                | Windows: BitLocker; Linux: Ext4 or F2FS
MongoDB Enterprise  | TLS/SSL            | AES256-CBC
MySQL               | TLS                | Windows: BitLocker; Linux: Ext4 or F2FS
Redis               | SSH Tunnel         | Windows: BitLocker; Linux: Ext4 or F2FS

Systems like Redis are designed for performance over security, so the question of the performance impact of encrypted file systems may arise. Patrick Perrone, a Sitecore MVP and Sitecore Practice Director at Arke, said, “On Redis, encrypted file system tax will be on the order of a few milliseconds … Redis is mostly memory bound.”

For MongoDB, we recommend using a cloud provider such as mLab or Object Rocket. These options greatly simplify your environment with a managed Platform-as-a-Service (PaaS). Both also offer data encryption at rest.

Test and Document Your Security

Before going live, test your system to make sure it complies with all data security requirements. You should maintain the testing results documentation for the duration of your system. It’s also a good practice to retest periodically.

Next, as you prepare a data protection strategy — going back to your data map and data flow from part two in this series — expand your documentation to track the data fields contained in each system, and note which of those contain PII.

It’s important to have governance over the location of PII in your systems. In part four of this series, we’ll discuss the importance of being able to delete the PII for a particular visitor.

[Image: GDPR chart]

Data Protection Guidelines

Be prepared to document and discuss the location of your servers with your legal team. That’s because the GDPR restricts the countries in which EU data is permitted to reside. The data is allowed to be stored in all EU countries. It is also permitted to reside in other countries offering an “adequate” level of data protection.

The European Commission has so far recognized Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework). Adequacy talks are ongoing with Japan and South Korea.

If your website tracks visitor behavior and your business intends to engage EU customers, build a GDPR-compliant system.

By keeping your servers with PII in the allowed countries and applying GDPR to all website visitors regardless of their location, you’ll reduce your potential liabilities and increase trust with your site visitors.

(We’ll explore data retention, the right to be forgotten, data access requests, and preference management in the next part of this series.)

For More Information

Arke is providing these articles for informational purposes only. They are not intended to provide, and should not be relied on, for legal advice. Do you want to learn more about GDPR compliance? Email Eric Stoll for more information.

About Arke

Atlanta-based Arke develops strategies and implements digital technologies for better brand experience for your customers.

April 25th, 2018 (last updated 2018-05-30)

About the Author:

Eric Stoll co-founded Atlanta-based Arke in 2005. Today he serves as CEO of Arke with responsibility for the strategic direction of the company, execution of its growth plans, and overall operations. A graduate of the State University of New York (SUNY) Geneseo, he previously worked for Turner Broadcasting Systems, Mindex Technologies, and Auragen Communications.