GDPR & Cybersecurity: How Can I Make My Website Compliant?

In addition to the health crisis of which we are all aware, the year 2020 was marked by a 46% increase in the number of hours spent in front of screens, whether remote working, searching for activities, watching videos, creating content or even online shopping. Taking that all into account, an increase of 8.5% was seen in the e-commerce sector, or €112 billion thanks to the accelerated digitization of companies.

If this was a boom for commerce, it was also a fairground for sites created quickly, often in haste, sometimes without means and without taking into account the cyber risks and legal obligations involving publishers or editors of publications.

It seemed logical that 2020 would also be marked by a massive increase in cybercrime. It must be said that this activity was lucrative: it cost the global economy $1 trillion in 2020, this figure could be multiplied by 6 this year.

The ANSSI (National Agency for the Security of Information Systems), which published its figures, has made reference to an “explosion” of cybercrime, up 255% with phishing attacks accelerating up to 600%. In this context, the affected companies and organizations have sought as best they could help and assistance from the site cybermalveillance.gouv.fr.

The duality of this crisis for companies, whatever their size (mid-market company, SME, VSB, etc.) consists in the fact that they are victims but are also responsible; responsible in particular for not having engaged the compliance and security of their website.

It is in this context that the CNIL in its publication of February 4, 2021 encouraged ”private and public organizations to audit their websites and mobile applications” while recalling that since the publication of its amending guidelines and recommendation on the use of cookies (September 17, 2020), it had left 6 months for interested parties to comply, that is until March 31, 2021.

How to proceed? Where to start?

The finding was swift:

• 90% of companies had IT weaknesses in 2020,
• More specifically, 77% of French companies are in violation of GDPR (General Data Protection Regulation) and 88% of them have no program in place for data retention,
• Finally, l’Usine Digitale revealed according to a study that in 2020, only 11.8% of CMPs (Consent Management Platforms) meet the requirements of GDPR and cookie regulations and 32.5% use implied consent.

Faced with these figures, asking the right questions about the status of its website regarding the regulation is essential:

• GDPR imposes the principle of minimization. This requires that the data collected by the organization be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Therefore, what types of data are collected on my site? Are they relevant?
• The principles of fairness and lawfulness impose two questions:
  *Is my processing lawful with regard to Article 6 of GDPR, i.e. do I have the right to carry out this processing? Is it consensual? Is it authorized by law? Is it contractually permitted? Required with regard to my legitimate interest?
  *On the other hand, have I sufficiently informed my users about the processing of personal data that concerns them? Is this information easily accessible and delivered in your clear and precise terms?
• Is my site sufficiently secure with regard to, for example, the requirements of the ANSSI so that my users’ data are sufficiently protected?
• Have I properly informed my users of their rights with respect to their personal data and have I set up an effective procedure enabling them to exercise these rights?
• Are the consents required for certain processing operations informed? How is it stored?

This list is far from exhaustive and at first glance discourages many data controllers. We know this. This is why our consultants accompany private and public organizations on all issues related to the compliance of their website and their security.

More than compliance, a certification.

However, our reflection went much further because beyond a legal and basic compliance, it is now necessary for organizations to restore their reputation with their users.

The legitimacy and credibility of websites must be restored and to do this, we have developed a GDPR compliance and web security certification to overcome this feeling of insecurity about personal data.

Thanks to a complete and detailed matrix built by our experts in personal data protection, which is based on several checkpoints, we will establish the degree of compliance of your website.

Our audit is based on the classic benchmarks such as the guidelines for cookies, the recommendations for securing websites of the ANSSI, the general security benchmark, the cybersecurity guide, and more.

This will lead to operational recommendations which, if they are followed or even carried out subsequently by our experts, will allow you to obtain DPO Consulting’s GDPR Certification to be affixed to your site with the objective for you to:

• Reinforce trust by promoting a serious and responsible image of your company
• Improve commercial efficiency based on accurate data,
• Better manage your business and enhance the value of prospect and customer data by asking the right questions about your business and processes
• Improve data security and protect your company’s information assets
• Reassure your customers and principals by presenting a competitive advantage
• Develop your business by creating new services (for example with data portability or personalization).

– Stephanie Broggini

‍

Our solutions

GDPR and Compliance

• GDPR Software (myDPO)
• GDPR Compliance Audits
• Privacy Impact Assessments (PIA)
• Clinical Trial Compliance

Outsourced DPO & Representation

• Outsourced DPO
• International DPO
• EU Representative
• UK Representative
• US Privacy Services

Training & Support

• Customized DPO Coaching
• GDPR Training

‍