Personal Data Websites: 3 Things That You Must Be Informed
Nowadays, as more and more people are getting addicted to the digital world, the concern for data privacy is rising. Adding to this concern is the speculations which say that the online privacy of users is being breached by certain website owners who sell info to companies or the threat actors to make money.
It is increasingly essential for organizations to have a website as part of their sales, marketing, and customer relationship management efforts. If your organization is used to collect or store personal data websites such as customer and payment details, then it should be aware of the obligations under the Personal Data Protection Act (PDPA).
When setting up a website for your organisation, do consider the following:
- Features and functions of the website, especially those functions that collect and handle personal data websites (e.g. online ordering portal, membership management, online forums);
- Amount and type of personal data websites that will be collected or used;
- Extent of security required;
- Location where the website will be hosted; and
- Resiliency of the website. As websites are connected via the Internet, they face a multitude of cyber threats. Poorly protected websites can be compromised easily, putting any personal data that they collect or store at risk. Data breaches can be costly as this may lead to financial loss and loss of consumers’ trust in your organisation.
Hence, the security of the website and the protection of the personal data websites should be a key design consideration at each stage of the website’s life cycle:
- Requirements Gathering
- Design And Development
- Operations And Support
Where data protection is not considered until the development of the website has been completed, making changes to the website at that later stage will incur additional cost, including cost to resolve any security breaches.
Policies and Processes
Put in place policies and processes to protect the personal data websites handled by your organization’s website. Suggested policies and processes include:
- Use of risk assessments to select the most appropriate security arrangements
- Secure configuration of hardware and software components
- Security testing before the website is launched, and regular security testing thereafter
- Keeping track of the storage of all personal data
- Incident management
Include security as an important requirement when designing the website. Some key security requirements include:
- Access Control
- Audit Log
- Server and Network Security
- Website Programming
Negotiating Responsibilities of IT Vendors
Your organisation may consider outsourcing the development and maintenance of the website if it does not have the technical resources to do so by engaging one or more IT vendors.
When engaging IT vendors, do emphasise the need for personal data websites protection by stating clearly the responsibilities of the IT vendor with respect to the PDPA. These responsibilities will depend on the IT vendors’ scope of work. For instance:
- Developing the website in a way that ensures that it does not contain any web application vulnerabilities; and
- Ensuring that the servers and networks are securely configured.
Additionally, your organization should require that the IT vendors prevent unauthorized disclosure of personal data by their personnel or sub-contractors. Consider the following:
- Put in place processes for the secure handling of personal data; and
- Require confidentiality agreements between your organization and all IT vendor personnel and sub-contractors who have access to the personal data.
Some companies and researchers argue it’s not enough for the government to simply protect personal data; consumers need to own their information and be compensated when it’s used.
For more information, please refer to the Guide on Building Websites for SMEs and the Guide to Securing Personal Data in Electronic Medium, which can be found on the PDPC website at www.pdpc.gov.sg.