The GDPR (General Data Protection Regulation) went into effect on May 25, 2018. If you’re starting out with a fresh website without an SSL certificate, or are still struggling to get GDPR-compliant in 2021, you’re not alone: this EU regulation is a lot to bite off, and most organizations simply don’t know all the steps required to comply.
What is GDPR?
GDPR is a wide-reaching regulation designed to protect the personal data of people in the EU, wherever that data is processed. It covers a broad range of topics, from how and when to notify regulators about data breaches to transparency toward users about what data is being collected and why.
Does GDPR apply to you?
From a purely technical standpoint, here are a few of the criteria that determine who’s impacted:
- You have customers, employees or contractors who are in the EU (what matters is where the person is, not their citizenship; and, yes, the United Kingdom still counts, since it kept its own copy of the regulation after Brexit)
- You do business in Europe, even if your business is located elsewhere
- You have an online presence (including your website) that’s available for Europeans to use
Spending your resources on trying to exclude your company from GDPR isn’t the best use of your time. And, there are other considerations that extend beyond regulations and fines, reaching all the way to your bottom line:
- You deal with business partners that want to be GDPR compliant (and if you aren’t, they won’t want to contaminate their compliant databases with your non-compliant data)
- You don’t focus on doing business in the EU, but can’t stop EU residents from visiting your website and leaving their personally identifiable information behind
- Trust is everything online and, if your website collects or processes user data, even via signup or contact forms, visitors expect you to keep their information secure and protected
So the question is not whether the GDPR applies but how you get compliant, and a majority of the GDPR requirements are security best practices that most companies should have been doing all along. If that’s not incentive enough, let’s look at the consequences of not meeting these requirements.
Non-Compliance Can Be Crushing
Suffer a data breach that regulators judge to be the result of inadequate security, and you’re looking at a fine of up to €20 million or 4% of your annual worldwide turnover, whichever is greater. Just to put this into perspective, the 4% ceiling would equate to roughly $7 billion for Amazon, more than two years of profit.
Plus, you may face additional fines based on the type of breach, data exposed, notification, remediation and response. And, this doesn’t include irreparable damage to your reputation or costs associated with insurance, legal fees and settlements.
SSL is an Essential Part of GDPR Compliance
Though the GDPR doesn’t contain any specific section on SSL certificates, it includes clear requirements that, for data moving between a visitor’s browser and your servers, are met in practice only by encrypting the connection, which on the web means TLS (still commonly called SSL) and the certificates it depends on. Article 32 of the regulation ("Security of processing") begins this way:
… the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Basically, GDPR states that if your site collects and stores any information from your users, you have a responsibility, as a data controller or data processor, to keep that information secure, including encrypting personal data where appropriate and ensuring its ongoing confidentiality. A login or contact form submitted over plain HTTP fails that test before the data even reaches you: anyone on the network path can read it.
Verizon’s Data Breach Investigations Report cites lack of encryption and lax handling of confidential information among the most common causes of breaches, so these requirements make perfect sense.
And, alarmingly, in only 4% of reported breaches was the exposed data encrypted, which is the one property that renders stolen data useless to cybercriminals. Keep in mind that a certificate protects data in transit; records copied out of a database at rest need their own encryption, which Article 32 also has in mind. If you suffered a breach, wouldn’t you at least want to make sure your company and customer data couldn’t be read by whoever took it?
SSL, and its successor TLS, has been the de facto encryption and authentication standard for confidential web communications since the mid-1990s. The name “SSL certificate” is a holdover: the certificate is the same, but the SSL 2.0 and 3.0 protocols, and TLS 1.0 and 1.1, are deprecated and should be disabled on your server, leaving only TLS 1.2 and 1.3 enabled. Not having a certificate, or having one but still serving pages over plain HTTP, increases your risk of a data breach.
If you have an eCommerce website that takes user payment information such as card or bank account details, having an SSL certificate is a necessity. But, even if your site is a static HTML page that doesn’t sell anything and has no contact or signup forms, you still need a certificate: browsers mark every plain-HTTP page Not Secure, and without TLS an attacker on the network can alter the page on its way to the visitor.
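The checks a practitioner would run to confirm that a site actually delivers the transport encryption the Article 32 argument above relies on, as an added example that is not code from the original post: the script audits the negotiated protocol version, certificate expiry, whether plain-HTTP requests are redirected to HTTPS, and the HSTS header. The host shop.example, the sample responses, the 14-day expiry warning and the one-year HSTS threshold are constructed assumptions; only live_check() touches the network.

```python
"""Added example, not from the original post: audit the TLS properties a GDPR
"encryption in transit" argument depends on. The pure functions accept values in
the shapes Python's ssl and http.client modules return, so they run offline;
live_check() does the real network calls. Host, responses and thresholds are
constructed for illustration."""
import http.client
import socket
import ssl
import time

MODERN_VERSIONS = ("TLSv1.2", "TLSv1.3")
DEPRECATED_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
HSTS_MIN_AGE = 31536000           # one year, what the browser preload list asks for
REDIRECT_CODES = (301, 302, 307, 308)


def classify_tls_version(version):
    """version is ssl.SSLSocket.version(); only TLS 1.2/1.3 are acceptable."""
    if version in MODERN_VERSIONS:
        return "ok"
    if version in DEPRECATED_VERSIONS:
        return "deprecated"
    return "unknown"


def days_until_expiry(not_after, now_ts=None):
    """not_after is getpeercert()['notAfter'], e.g. 'Jan  5 00:00:00 2026 GMT'."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)      # parsed as UTC
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry_ts - now_ts) // 86400)


def classify_http_response(status, headers):
    """Status and lower-cased headers of a GET for http://host/ (plain HTTP)."""
    location = headers.get("location", "")
    if status in REDIRECT_CODES:
        return "redirects-to-https" if location.lower().startswith("https://") else "redirects-elsewhere"
    return "served-in-the-clear"      # the page body went out unencrypted


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None when missing or malformed."""
    value = headers.get("strict-transport-security")
    if not value:
        return None
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess(tls_version, not_after, http_status, http_headers, https_headers, now_ts=None):
    """Collect human-readable findings; an empty list means nothing to fix."""
    findings = []
    if classify_tls_version(tls_version) != "ok":
        findings.append(f"negotiated {tls_version}; enable only TLS 1.2 and 1.3")
    days = days_until_expiry(not_after, now_ts)
    if days < 0:
        findings.append("certificate has expired")
    elif days < 14:
        findings.append(f"certificate expires in {days} days")
    verdict = classify_http_response(http_status, http_headers)
    if verdict != "redirects-to-https":
        findings.append(f"plain-HTTP request {verdict}; redirect it to https://")
    max_age = hsts_max_age(https_headers)
    if max_age is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif max_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {max_age}s is under one year")
    return findings


# Constructed sample inputs (shop.example and the responses are not real):
SAMPLE_NOW = 1767225600           # 2026-01-01T00:00:00Z as epoch seconds


def demo_weak():
    """A site still answering over TLS 1.0 and serving pages on plain HTTP."""
    return assess("TLSv1", "Jan  5 00:00:00 2026 GMT",
                  200, {"content-type": "text/html"}, {}, now_ts=SAMPLE_NOW)


def demo_hardened():
    """The same site after fixing: TLS 1.3, redirect, HSTS, fresh certificate."""
    return assess("TLSv1.3", "Mar 31 00:00:00 2026 GMT",
                  301, {"location": "https://shop.example/"},
                  {"strict-transport-security": "max-age=31536000; includeSubDomains"},
                  now_ts=SAMPLE_NOW)


def live_check(host):
    """Real network check of one host (not exercised by the offline tests)."""
    ctx = ssl.create_default_context()   # verifies chain and hostname; modern Python refuses TLS < 1.2
    with socket.create_connection((host, 443), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version, not_after = tls.version(), tls.getpeercert()["notAfter"]
    secure = http.client.HTTPSConnection(host, 443, timeout=10, context=ctx)
    secure.request("GET", "/")
    https_headers = {k.lower(): v for k, v in secure.getresponse().getheaders()}
    secure.close()
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    http_headers = {k.lower(): v for k, v in resp.getheaders()}
    plain.close()
    return assess(version, not_after, resp.status, http_headers, https_headers)


if __name__ == "__main__":
    import sys
    for line in live_check(sys.argv[1]) or ["no findings"]:
        print(line)
```

Save the script and run it with your hostname as the only argument. Because create_default_context() on current Python refuses anything below TLS 1.2, a server that still speaks only TLS 1.0 will fail the handshake in live_check() rather than reach assess(); that failure is itself the finding to act on.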
SSL Delivers Other Business Benefits
If you’re still on the fence about investing in an SSL certificate, consider the benefits to your business that go way beyond GDPR compliance.
Faster Website Performance— In this “I want it now” world, no one’s going to wait for your webpages to load. Browsers only speak HTTP/2 over TLS, so a certificate is what unlocks its faster, multiplexed page loads and a better visitor experience.
Boost Search Engine Traffic— Google has used HTTPS as a ranking signal since 2014; estimates of the boost run as high as 5%. That means more people clicking through to your site.
Optimize the Mobile Experience—Browsers restrict many of the most in-demand features, including browser notifications, geolocation, device orientation, microphone and camera access and service workers, to secure contexts, which in practice means pages served over HTTPS.
Check SSL Off Your GDPR Compliance To-do List
Making sure every page of your website is served over HTTPS, with a certificate to authenticate your server and encrypt communications, is a smart step toward meeting the GDPR requirements. And, even if you’re not technically impacted by the GDPR, you should be using digital certificates to protect your customers and maximize visitor confidence.
Every day you go without SSL, you’re also scaring away visitors with Not Secure warnings. Review your SSL options to make sure your website instantly builds trust and satisfies the GDPR’s requirements for encryption and confidentiality.
The featured image for this post is People vector created by pch.vector - www.freepik.com