Security of your online business and customer data

Security and privacy are valued by customers and there are also legal requirements. In another recent article, I wrote about the requirements for a secure connection (SSL). This article talks about the different types of data you usually store as an online business and the requirements for it. The law states:
"The controller shall implement appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. Having regard to the state of the art and the costs of implementation, these measures shall ensure an appropriate level of security in view of the risks presented by the processing and the nature of data to be protected."
So this obligation can be interpreted quite broadly, but in short it means that the data must be "adequately" secured.

Different types of data

For all data you have on your site and server as an online business owner, it goes without saying that you don't want to lose it. This applies to all written (SEO) texts to product descriptions and images. You also collect data from visitors and customers. Besides protecting this data against loss (backups!), you must also adequately protect this data against misuse. Due to software errors and/or hackers, this data can end up on the street and you must prevent that. There are a number of legal requirements for this security and these differ between the types of data involved.

Personal data (&accounts)

This includes: Name, address, zip code/city and also date of birth. Does your online business use accounts (login option) then the password is also personal: passwords are also a popular target of hackers so these must be sufficiently secured (hashed). Ask your developer about this!

Payment details

Most online businesses will use a payment provider to handle payment transactions. Usually the consumer first chooses a payment method and then proceeds to a site of this payment provider where the data is left. In my opinion, the best choice is not to store bank account numbers etc. yourself: it is usually unnecessary and very sensitive information. The same goes for Credit Card data. So make sure that your login details with your payment provider (Mollie, Targetpay, Internet Cashier etc.) are protected.

Email addresses

Often, as an online business, you also have a newsletter. Besides subscribing buyers (after permission!) to this newsletter, you can also process individual subscriptions on the site. E-mail addresses are a sought-after prey for spammers and fall under "personal data".

Security

Some aspects of online business data security: 

Physical

The security that physically takes place is that in the data center where your site resides. With almost all hosting providers in the Netherlands, this security is in place. It involves ensuring that only authorized people can access the servers in the data center.  Because of the many hacking possibilities, this form of unauthorized access is actually not a problem if you run an online business/website without extra high risk.

Database

If you let your online business be developed by an developer (think WooCommerce, Magento etc.) then the developer often has access to the database. For many systems, this access is required or convenient during development and installation (e.g. via phpMyAdmin software). Make sure this access is properly protected or blocked. If the access is no longer needed: remove it.

Access / users

Your employees or fulfillment agency will need to be able to log into the back office to process orders . For this, create accounts with as limited permissions as possible: so they can only see the data that is strictly necessary. Provide new passwords from time to time, and block employee accounts. Use only personal accounts (not an account used company-wide), this way users can be blocked and it is often possible to see what someone has performed.

Software

The biggest problem with data leaks is the software used. For an open source package, there are all kinds of methods to make sure it stays up-2-date. Therefore, always check the updates of the software you are using. And that is not only 'Wordpress' itself but also all plugins, themes, and server software (apache, mysql, phpmyadmin). If you don't know enough about this, you won't be able to provide adequate security and will have to hire a specialist.

When selling

In a business sale (an entire company changes hands), all the above information remains with the company, and little needs to be arranged contractually. However, as a buyer it is important that you know for sure which (part of) an address file has given permission for e-mail (opt-in). 

If a buyer takes over an online business by means of an asset/liability transaction, then the transfer becomes more complicated. The customer data (including personal data), opt-in addresses, etc. must then be transferred from one company to the other (also pay attention to guarantees after the transfer date!). The old owner must then also carefully delete this data (with the exception of the obligation to the tax authorities).