GDPR Compliance for Insynergi

V1.0, date 20 October 22

Process & Adherence

  1. Create and enforce roles & permissions
  2. Security
  3. Access Log
  4. Alerts to notify of any breach attempts
  5. Prevent configuration drift and data loss

The privacy policy names the data collector and controller and states what user information the app collects and how it is processed. The app does not collect payments itself; they are routed through a third-party payment provider, so the app holds no card data. We do, however, collect other personal data, so the following GDPR provisions are our primary focus for now:

Recital 39 of the GDPR states: “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorized access to or use of personal data and the equipment used for processing.”

Also, GDPR Article 32(2) requires the security measures to take account of the risks of “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.”

Keeping this in mind, once the app goes live and real user information is in the database, the following process should be followed:

1. Appoint 2 authorized personnel (APs) who will make changes and will have direct access to the database: a single person from the Data Controller, a.k.a. Insynergi/Everlume (the same person named as Controller in the privacy policy document), and a single person authorized from NCrypted. Nobody else should have direct access to the database, and every time the production (live) database needs to be accessed, both APs must approve it.

2. Maintain a log file with written approval or signatures from both APs whenever the production (live) database requires any access. The log must also record the purpose of the access (change, data collection or inspection) and who requested it. The log file must not be accessible to anyone else without approval.

3. Create a staging environment that replicates the production environment (same application version and database structure) but contains no live data. It holds dummy data only and must be the first deployment point for testing any change to the application or database before it is deployed to production.

4. Ensure automatic backups of the database and application at server level at regular intervals. Daily should be fine to begin with; as users and interactions accumulate, move to hourly backups. Keep the last 2 or 3 instances of the database backup. Backups contain the same personal data as production, so store them encrypted, restrict access to them exactly as for the live database, and test a restore periodically so the backup is known to be usable.

5. Take an immediate backup of the affected data and its related structure before implementing any new change. This is to prevent configuration drift and accidental data loss. Once the change has been verified in production, remove this pre-change backup and record the action in the log file.

6. Ensure any sensitive data (payment-related information, passwords, email address, contact number) is stored in encrypted form in the database. Passwords are a special case: they must be stored as salted one-way hashes, never in a form that can be reversed. Nobody is allowed to decrypt the other fields through any mechanism without the APs' approval.

7. Install a system, or use a third-party tool at server/database level, that alerts both APs to any access attempt or breach attempt that has not been approved by both of them.

8. Ensure the domain and all subdomains (if any) are served over HTTPS with a valid TLS certificate, and redirect plain HTTP to HTTPS. Note that the "128 bit" figure refers to the strength of the session cipher negotiated by the server's TLS configuration, not to the certificate; certificates themselves use 2048-bit RSA or 256-bit ECDSA keys, and the server should be configured to offer only modern cipher suites.

9. Conduct a regular audit of all personal data. The audit must be conducted by the APs in the presence of an independent third-party auditor. The auditor must be an individual or agency experienced in this field; they may be part of Everlume or NCrypted, but must be someone other than the APs. A quarterly audit is encouraged. All audits must be reported and filed for any future EU inspection.

A data protection impact assessment is also required before any major change release to the production server that may impact the way data is processed.

10. As per the privacy policy draft, remove all personal data collected from a user when the contract ends. This occurs if the user is deleted, has removed their own account, is removed by the site admin, or asks for their data to be permanently removed.

11. Ensure the application asks the user's permission before sending a newsletter and sends marketing emails only to users who have opted in. The newsletter option must be off (unticked) by default, so the user has to tick it manually. Transactional emails can still be sent, so use two separate checkboxes to ask for permission.

Place the following under the sign-up form, before the sign up/register button:

  • By clicking on the 'sign up' button, you agree to our Privacy Policy
  • Send you transactional emails
  • Send you promotional emails

'Privacy Policy' should link to the Privacy Policy page (open in a new window).

The user must tick both 'Privacy Policy' and 'transactional emails', otherwise the app must not sign them up; these are mandatory requirements for sign up. Display an alert if they are not ticked and only sign the user up once they are. Promotional emails are optional. Enforce these checks on the server as well as in the browser, since a sign-up request can be submitted without the page's script running.

12. Cookies

[The application does not set cookies directly, but third-party APIs may; checking the data connections and confirming with legal/consultant]

- Show the following message to any new website visitor (it should not be shown again to a repeat visitor once accepted, whether recognised by the logged-in user account or otherwise; note that recognising repeat visitors by IP address is unreliable, since addresses are shared behind NAT and change on mobile networks, and a stored IP address is itself personal data, so remembering the choice in a first-party cookie is preferable)

We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. If you continue to use this site we will assume that you are happy with it.

[OK] [No]

By default the site sets cookies that record the visitor's IP address and other information from the user's system; make sure this is declared in the privacy policy.

- where 'OK' is the button; pressing it makes the message disappear and it must not be shown again to the same visitor/user.

'No' should open up a pop-in as per the screenshot and message:

https://nimb.ws/t1bIyN followed by 'Save & Accept' button
(In the screenshot you will notice two links, Privacy and Cookie Policy; keep only Privacy and link it to the Privacy Policy page, opening in a new window.)