This is the year for SSL, if you don’t have an SSL certificate Google will flag your website this year.
We use the internet for everything, from buying, selling, communicating, emails etc etc Online security is a necessity no longer a luxury.
It’s no surprise that the recent flurry of information being thrown at you around GDPR & Data Protection is often referencing cybersecurity. SSL is just one of the ways that Google is working towards a safer internet.
In 2017 Google announced that it would be flagging all unencrypted sites as ‘not secure’ by the end of 2017, you’ll notice this more and more if you’re a Chrome user, Internet Explorer, Edge, Firefox and Safari will soon follow suit if they haven’t already. Expect to see this message alot as Google estimates around 2/3 of the internet is unencrypted.
Do you need SSL?
- Does your website have a login, contact form, search, eCommerce data capture?
- Is your website currently HTTP:// ?
If it’s a yes to both then you need to install SSL to avoid any risks of warnings. If you don’t do this soon your website visitors will be seeing that warning. Even if you don’t answer yes to both questions it’s generally a good idea to encrypt your sites as HTTPS (a site with SSL) is a recognised Ranking Factor for search, albeit a minor one.
What is SSL and how does it work?
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. Basically, any data that is passed between your browser (i.e you typing into a form) and the web server is encrypted and remains private. If you don’t have SSL on the website a secure connection cannot be established.
An SSL Certificate holds the following information
- Name of Holder
- Serial Number and expiry date (generally they are annual licenses)
- Copy of the certificate holders public key
- Digital Signature of the certificate-issuing authority
Why do I need SSL?
Encryption – Any information you send over the internet is passed from computer to computer to get to the destination server. Any computer in between you and that server can potentially see your credit card numbers, usernames, passwords etc if that information is not encrypted. When SSL is used the information becomes unreadable to everyone except for the destination server you are sending the information to.
Cybercrime – According to most reports cybersecurity damages will cost the world over $6 trillion annually by 2021. It’s almost impossible to escape the rising tide of cybercrime. If your site doesn’t have SSL you make it easier for criminals intent on compromising your sites to identify weaknesses on your network and on your site. Installing SSL offers a vital means of defending against transit-based hacks (intercepting the data transmitted between Browser –> Servers).
Trust – If you have a SSL certificate installed your website visitors (customers) will see visuals like the padlock icon and green address bar that indicated the site has well trusted encryption. As a customer I’ll be more assured that my information is travelling safe between my browser and your site.
There is a raft of info out there on this topic, the bottom line is that it’s best practice now to install SSL on your websites.
We are more than happy to install and set these up on your behalf, if you’d like to discuss further please give us a call or drop us a line!
May 28 2018 – Are you ready?!
Before we begin, a couple of key points on GDPR itself:
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
- Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
You can find the rest of the detail behind GDPR in terms of the definitions, specific articles of law etc here https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
We’ll mostly be referencing the ICO website here as they are the ones who’ll be overseeing GDPR and it’s implementation and frankly if the information is not on here it’s not worth knowing (or paying for)
- What is GDPR?
GDPR was adopted by the European Parliament in April 2016 to bring data protection rules up-to-date mostly around the use of personal information. It applies to all data processed within the EU and to data on EU subjects used by companies outside the union.
The rules come into effect on 25 May 2018 and will continue to apply in the UK after the country leaves the EU. The GDPR rules will be mirrored in the Data Protection Bill that is currently going through Parliament. It applies to applies to both ‘controllers’ and ‘processors’, and covers existing rules that have now been strengthened as well as a series of new rights for data subjects.
- Things you need to do – Identify and document the data you hold
Basically, you need to identify the data you currently store, where it’s held, what’s personal or sensitive, how it’s processed and who has access to it. Document this information as thoroughly as possible.
“Have an initial catalogue so that you know the personal data in your business, where it is, its lineage and what processing you do,” is the minimum level of record-keeping suggested by Richard Hogg, IBM’s Global GDPR Evangelist, “That would form the basis that you could use if and when the regulator comes knocking from May 2018.”
- Review current data governance practices
Evaluate your current data practices and policies, document (if you haven’t already) the lawful basis for any processing and identify any areas that require improvements. Internal records have to be kept of any processing activities, with all data tagged and classified.
You need to look at how data flows across different borders both within the EU and outside it, and pay special attention to any practices involving children’s data, GDPR has significantly strengthened the security requirements around processing, age verification and consent for such information.
The ICO has produced a series of data protection self-assessment toolkits to help you check your preparations in general and around information security, direct marketing (if you do any), records management, data sharing, subject access and even CCTV.
- Check your consent procedures
Under GDPR, consent for any data processing has to be specific, transparent, and auditable. The consent has to be simple to understand and easy to withdraw.
Be aware that under the new requirements for consent you may have to approach current data subjects (for example email subscribers) again to request new permission to use their data.
It’s worth reviewing your current consent processes and establishing whether consent is needed and how it should be provided to ensure your obligations are being fulfilled.”GDPR is focusing on the record-keeping around consent and the audit trail you need to have,” says head of international strategy and intelligence at the ICO Steve Wood.
“Consent has got to be easy to withdraw, and you’re going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with.”
In essence, you have to now keep clear and transparent records of all consent taken, establish simple methods to allow the data subjects to withdraw their consent and regularly review your procedures to keep up with any changes in processing activities.
- Do I need a DPO?
A data protection officer (DPO) is necessary for public authorities or organisations that do large-scale monitoring of individuals or of special categories of data or data relating to criminal convictions and offences.
Even if a DPO is not essential for your organisation, designating an individual responsible for data governance will help keep your GDPR compliance on track. Ideally you should really appoint, at the very least, an individual to act as a contact point for the data protection authority (DPA) and data subjects.
- Procedures, procedures, procedures
Put in place processes for detecting, investigating and reporting breaches and develop an internal plan for responses. Data breach testing can ensure your procedures are effective. Do you have cyber insurance? It’s worth investing in some. If you know any forensic investigators and PR people, keep their numbers handy you may need them if your procedures aren’t robust enough.
- Develop your policies to support the rights of data subjects
You need to ensure your policies and procedures are adequate enough to enable data subjects to exercise their extended rights under GDPR. This includes (all the links will take you to the ICO website):
The right to be informed
The right of access
The right to rectification
The right to restrict processing
The right to data portability
The right to object
The right to not be subject to automated decision-making including profiling
The right to erasure
Consider how you, the business, can respond to any requests to implement each of these rights, who is responsible, what systems will be required to support them and how to ensure that the information can be provided in a commonly used format.
The ICO recommends including a description of the processing operations and purposes, an assessment of the needs of the processing in relation to the purpose and an assessment of the risks and the measures in place to address them.
- Tell them about it!
The GDPR requires privacy protection by design and by default. Best practice for information governance should be part of your companies DNA not just the domain of one person.”Data is critical to many business processes, products, and services,” explains the Centre for Information Policy Leadership (CIPL) report.
“This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”
Ideally, you should ensure there’s training in place for every staff member, at the very least ensure that your staff know the basic requirements of GDPR and their responsibilities for ensuring compliance.
- Make a plan
After figuring out which current policies and practices need amending, establish a plan for implementing the necessary changes.
- Keep calm
Complying with GDPR will require time and effort, but there are positives that will come out of these regulations, as Elizabeth Denham writes on her blog (and I recommend you read it it’s sometimes quite amusing!)”One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.
The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”
Take the ICO’s checklist for Data Controllers hereAnd for Data Processors you’ll find the information here
As always if you need any assistance with your websites or policies please do drop us a line.
Link Digital today announced that it has acquired the award winning agency Bread, making the combined company one of the leading digital agencies in the region.
Link Digital is on the move to new purpose built office in Hertford’s Mead Lane Business Centre.
Link Digital is delighted to have been selected for Google Premier Partner status in recognition of the high-quality service and results consistently delivered for clients.
We are pleased to announce that Link Digital has been nominated in four categories for the upcoming Hertfordshire Digital Awards 2016.
An opportunity to join a successful and expanding digital marketing agency, based in Hertford, with clients in all industries.
Late last month, one of the most anticipated events of the advertising year took place as Google hosted a performance summit event where advertisers and the like congregated as new features and updates to existing products were shared.
A unique opportunity to be part of a young and successful digital agency in Hertfordshire that has ambitious plans for growth. In this newly created role, you will be responsible for delivering first class digital marketing services to an expanding client base, across a variety of industries.
We are proud to announce that we have gained the prestigious Google Partner status.