
Four Steps to Prepare Your Website for GDPR Compliance

by Christi Liongson, May 10th, 2018

In less than two weeks (May 25, 2018), the most significant change in data privacy and protection regulation in 20 years goes into full effect. The EU’s General Data Protection Regulation (GDPR) is aimed at protecting the personal and sensitive information of all EU residents, regardless of where an organization is based. Under GDPR, individuals are given greater control over the personal information they share with organizations.

GDPR is built around the idea that organizations make good data governance a high priority. Even if your organization is not required to comply with the new regulations, ensuring your site and processes embrace the spirit of data protection and privacy will gain and keep the trust of your users. Once your organization has completed a comprehensive data governance review (if you haven’t, check out our blog post on how to do this!), take these four steps to ensure your website matches your organization’s stance on data privacy by design.

1. Make sure your site is secure.

An SSL certificate is a small file installed on your web server that lets it set up an encrypted connection between a user’s web browser and your website. Having SSL on your website is like sealing your message in an envelope that only your recipient will open and read. Having an SSL certificate signals to your users that your organization values the security of any personal information they share with you.
There are many other benefits to having an SSL certificate installed on your site. If you collect payment information, SSL is required on your site to meet the security standards set by the Payment Card Industry (PCI). In addition, major browsers like Google Chrome and Mozilla Firefox have started to show a warning for all insecure sites.

2. Review your newsletter, registration, and other email subscription forms.

When it comes to GDPR, one of the major areas of change facing website administrators and digital marketers is how to collect and store email subscription consent. To maintain compliance, organizations must collect affirmative consent that is “freely given, specific, informed, and unambiguous.”
At a minimum, your email subscription forms must:

  • Be separate from other terms and conditions: Signing up to receive marketing communications must not be a requirement for registering for a service.
  • Contain a clear affirmative action: For consent to be valid under GDPR, users must actively confirm their consent, such as by checking an empty opt-in checkbox. Pre-checked boxes or inactivity do not constitute consent under GDPR.
  • Describe who will be using the information and how: Each form must state the name of your organization and any other third-party services that process the information in the submitted form. You will also need to state why and how the user’s information will be processed.

3. Review installed and active plugins, as well as any information that you collect and store on the website.

Note: While the information in this step is specific to WordPress, this can be applied to any site using any content management system. For non-WordPress sites, be sure you review all modules and custom-built functionalities that may collect and process personal data.

The WordPress community is already hard at work at adding WordPress core tools for GDPR compliance and other privacy laws and requirements. As the website owner, you are ultimately responsible for ensuring your installed plugins, as well as the usage of them, are GDPR compliant.

We recommend you review every plugin that you have installed and activated on your WordPress site for the following:

  • What individual data is being collected by this plugin? Of the data collected, is any of it personal or sensitive?
  • What services process the data that is collected?
  • Contact Form or Comments plugins: Can you add a required checkbox that allows the user to consent to the storing and processing of their data?
  • Analytics, retargeting, and tracking plugins: Do you have the option to anonymize the IP address of your users? Can you modify data retention settings?

In addition, make sure that you have an internal process to perform the following:

  • Manage requests to view and delete user information
  • Provide a user with a downloadable file of their personal data

There are many WordPress plugins available for download that can help you with the task of auditing your installed plugins for GDPR compliance, implementing form consent checkboxes, and even allowing your users to request secure access to their data.

4. Update your website’s Privacy Policy statement.

Any organization that processes personal data is required by GDPR to provide clear, accessible information about how user personal data is being used. This is often done through a Privacy Policy statement on the organization’s website. Once you have finished reviewing and documenting your website’s plugin and data usage, you can start working with your legal team to update your website’s Privacy Policy statement.
The UK Information Commissioner’s Office (ICO) comprehensive guide to GDPR includes a privacy notice checklist describing what to include in your privacy notice, which your organization can use when updating your site’s Privacy Policy and terms of use.
At a minimum, your website’s Privacy Policy should include details on:

  • How and why your organization collects and processes personal data;
  • How your organization gains and records user consent; and
  • What data is shared with other third parties

As a best practice, your Privacy Policy should also include information on:

  • Consequences of not providing personal information – for example, declining to provide an email address will result in not being able to receive member e-newsletters;
  • What your organization is doing to ensure the security of personal information;
  • How users can manage and update their personal information;
  • Information about data subject rights; and
  • What you will not do with their data

fusionSpan can help support your organization’s data audits by documenting what data is currently collected and processed in your WordPress or Drupal site. fusionSpan can help you navigate the new expectations set by GDPR and the impact it will have on your digital strategy.

Refresh expiring Salesforce X509 certificates

September 14th, 2017

Tired of receiving the “You have one or more certificates in your Salesforce org XYZ* that will expire soon…” notices? Or worse, when your CEO receives it and sends a panicked email to you at 3 in the morning?

You can put a stop to the constant email bombardment, for you and your users, by creating a new certificate and transitioning all of your Connected Apps and APIs to use it. Certificates in Salesforce are used by Connected Apps that rely on SAML, SOAP and REST APIs. This post will take you through the steps of creating new certificates with longer expiry dates to replace the expiring ones.

The process of creating and configuring a new certificate is fairly straightforward and can be done in 2 fairly quick steps:

The issue is that Salesforce, by default, will create self-signed certificates that are valid for only a year. This means that every year you have to create new certificates. The process (as described above), is relatively painless, but most of these Connected Apps are third-party integrations, which means there is a whole lot of coordination needed to migrate these applications to use the new certificate. The actual work is relatively easy and just involves importing the certificate by these third-party systems/vendors. The coordination to make it happen and then test all of these integrations is time consuming.

One way to mitigate this is not to rely on Salesforce’s generated certificates, and instead generate these certificates yourself with longer expiry dates.

Note: Most Certificate Authorities (CAs) will only issue shorter-term certificates because they want to limit the damage from private keys that get compromised. Since we are using a single self-signed certificate, we can rotate the key and certificate on our own schedule.

OpenSSL is an excellent open source tool to do this. Here is a quick-and-dirty guide to generating a certificate for use with Salesforce:

Step 1: Generate a self-signed certificate valid for 10 years

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -days 3650

Here the -days flag is setting the expiry date of this certificate for 10 years. You can set it to any number of days.

Step 2: Convert the certificate and key into pkcs12 file

openssl pkcs12 -export -in cert.pem -inkey key.pem -out server.p12 -name salesforce_cert

Note: Use a password when prompted, as you will need it later.

Step 3: Import the new certificate into a keystore file (the format Salesforce expects)

keytool -importkeystore -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -alias salesforce_cert

Step 4: Import the new certificate into Salesforce

Go to Setup->Certificate and Key Management->Import from Keystore

and then import the keystore file created in Step 3.

You now have a new certificate available that is valid for 10 years. Just modify any of your Connected Apps to use the new certificate, and send the certificate (cert.pem from Step 1, which contains only the public key, never key.pem) to each external system so that it can continue working with the new certificate.
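The four steps above, wrapped in a script that runs non-interactively and verifies the certificate's remaining validity with openssl's -checkend before you import it (an added example, not part of the original post). It assumes openssl is installed, writes into a temporary WORKDIR, takes the PKCS12 password from an argument instead of a prompt, and skips the keystore conversion when keytool is absent.

```shell
#!/bin/sh
# Constructed example: long-lived self-signed certificate for a Salesforce Connected App,
# plus an expiry check so you know the new cert really outlives the one-year default.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: -subj replaces the interactive prompts; -nodes leaves key.pem unencrypted,
# so protect the file (it is the private key and must never be sent to a third party).
gen_cert() {
    days="$1"
    openssl req -x509 -newkey rsa:4096 -nodes -days "$days" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
        -subj "/CN=salesforce_cert" 2>/dev/null
}

# Exit 0 if the certificate is still valid $2 days from now, 1 if it expires before then
# (openssl -checkend takes seconds). Use this to catch certs that will trigger the
# "will expire soon" notice before they do.
valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Print the notAfter date of a certificate, for the change ticket or a monitoring log.
end_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Steps 2 and 3: PKCS12 bundle, then the JKS keystore Salesforce's import expects.
# -deststoretype JKS matters on JDK 9+, where keytool defaults to PKCS12.
make_keystore() {
    pass="$1"
    openssl pkcs12 -export -in "$WORKDIR/cert.pem" -inkey "$WORKDIR/key.pem" \
        -out "$WORKDIR/server.p12" -name salesforce_cert -passout "pass:$pass"
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$WORKDIR/server.p12" -srcstoretype PKCS12 \
            -srcstorepass "$pass" -srcalias salesforce_cert \
            -destkeystore "$WORKDIR/server.keystore" -deststoretype JKS \
            -deststorepass "$pass" -destalias salesforce_cert -noprompt
    else
        echo "keytool not found; server.p12 written, JKS conversion skipped" >&2
    fi
}
```

Step 4 is unchanged: import server.keystore via Setup -> Certificate and Key Management -> Import from Keystore, then hand cert.pem (never key.pem) to the external systems.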