Securing a website

The development and maintenance of your website plays an important part in your online presence. Cybersecurity incidents such as theft of your customers' data could have a high impact on your business or brand on multiple levels:

• loss of brand reputation
• disruption of your services
• loss of your customers' trust
• regulatory sanctions and lawsuits

Cybersecurity incidents that affect online shops can consist of:

• theft of customers' data
• alterations to information on the e-commerce platform
• website shut down
• leaking of confidential business information

It is also very important that you note what sensitive information you have on your site, prior to any security breach. You should consider the following:

• What information is mission-critical to your business?
• Where does it reside?
• How quickly can it be reinstated if it's stolen in the event of an attack?

You should also perform a complete audit of your systems, take note of the most important components and track everything. Make sure you are not the only person in your organisation who is aware of this audit, but also bear in mind that access to all data systems should only be granted on a need-to-know basis.

Protecting information on your website

It is important to reflect on how the core aspects of information security – confidentiality, integrity and availability – apply to your website and services and determine the service level requirements needed. Note that these requirements might be different depending on what other elements you have decided to integrate.

If you want your system to be secure, you need to make sure that the following components are protected:

• Confidentiality: this means protecting information such as credit/debit card numbers and other personal information from disclosure to unauthorised parties. You can do this by:
  • setting up a proper authentication mechanism (such as multi-factor authentication solutions, which rely on a user providing 2 or more ways of verifying their identity)
  • using encrypted connections (HTTPS; SSL Security protocol) to ensure that only the right people have access to sensitive information
• Integrity: this means making sure the information remains accurate and trustworthy by protecting from being altered by unauthorised parties. This can be achieved by:
  • carrying out a daily check for altered files
  • foreseeing security testing for your website and services, in order to avoid attacks
  • setting up an intrusion prevention system
• Availability: this means making sure your website is up and running all the time, if you are hosting your own site. You can ensure this by:
  • implementing an emergency back-up power system
  • rigorously maintaining all hardware

How to respond to security incidents

It is important that, in the event of a security breach, there is an actionable plan developed which provides specific, concrete measures and procedures to follow a security incident. The procedures should address:

• who has lead responsibility
• how to contact critical personnel
• what data, networks, and services should be prioritised for recovery
• who needs to be notified (data owners, customers, or partner companies) if their data, or data affecting their networks, is exposed

If you do detect a breach, follow these steps:

• inform your customers about what happened, which can ensure continued trust
• make sure all the relevant players involved in your online shop are aware as well. You should designate a permanent IT officer in the event a security problem is detected
• determine the cause of the breach, with documented evidence that can eventually be used in court
• if financial information, such as credit card details, is impacted, you must inform the provider handling your financial transactions

You should also create a data breach notification policy, which could be included in your privacy notice, and it should state how and when you will notify your customers if personal data is breached. You must also take into account that under the GDPR rules you are required to notify the supervisory Data Protection Authority once you become aware of any data breach.

At a national level, Computer Emergency Response Teams (CERT) are teams of security experts responsible for the management of security incidents (such as reporting and responding to security threats). They can give you information on what to do and who to turn to for help if you are under any type of cyberattack. They also publish alerts about vulnerabilities and threats in your country.

Data protection compliance

The General Data Protection Regulation contains obligations for businesses collecting, storing and managing personal data. The 2 main goals of the GDPR are transparency and informing the public about how their data are used.

For more information on the overall provisions of the GDPR and how they apply to your business, visit the data protection subsection.

The part of your online shop that the GDPR concerns the most is the privacy notice (or policy). This notice is a public document issued by your business, in which it explains how it processes personal data and how it applies data protection principles. If your website collects a user's personal data directly, the privacy notice should be displayed the moment it does so.

The privacy notice should be written in:

• concise, transparent, and intelligible language
• be easily accessible
• provided free of charge and delivered in a timely manner

Find out what your privacy notice should contain

• You collect personal data directly from individual users
• You receive personal data from third parties

The privacy notice displayed on your online shop should include the following information:

• identity and contact information for your business, its appointed representative and its Data Protection Officer
• purposes in which your business processes users' personal data and the legal grounds to do so
• your business's legitimate interests in processing personal data
• all recipients of users' data
• whether personal data is transferred to a country outside the EU
• retention period of the data
• users' rights in relation to their processed data, specifically their rights to:
  • withdraw consent at any time
  • lodge a complaint with a supervisory authority
• whether the users' personal data are provided based on statutory or contractual obligations
• whether an automated decision-making system is in place, which includes data profiling (the process by which data already collected are analysed for statistical reasons)

The privacy notice displayed on your online shop should include the following information:

• identity and contact information for your business, its appointed representative and its Data Protection Officer
• purposes in which your business processes users' personal data and the legal grounds to do so
• your business' legitimate interests in processing personal data
• all recipients of users' data
• whether personal data is transferred to a country outside the EU
• retention period of the data
• users' rights in relation to their processed data, and specifically:
  • their right to withdraw consent at any time
  • their right to lodge a complaint with a supervisory authority
• categories of personal data obtained by your business
• whether an automated decision-making system is in place, which includes data profiling

Privacy notices must be provided in writing and supplied electronically (where applicable), published on a specific section of your website (for example: Privacy policy) and must be accessible directly from any page or subpage on the site.

For more details and useful advice on drafting your privacy policy, you can refer to these practical Guidelines.