In our work as Cloud and Mobility consultants in Australia, our Workspace Consulting Practice has noticed that the EU’s General Data Protection Regulation (GDPR) is getting the attention of IT and HR departments in this part of the world. We’re using Avanite WebData Control to help our customers, Australian businesses with staff based in the EU, understand their potential exposure to unsolicited tracking and personal information sharing.
With its implementation on May 25 2018, the GDPR has far-reaching and strict privacy and data protection controls, with regulations on how personal data within a business is handled. It will most likely require changes to business processes for our customers who deal with any EU personal data. The Australian Federal Government has published guidance on how the GDPR may impact Australian businesses on the Office of the Information Commissioner’s website. Australian businesses with customers in the EU, or that operate in the EU, may be covered by the GDPR.
Our key observations on GDPR compliance
- Businesses must obtain consent to the collection or use of personal data. Offering an “opt-out” or unsubscribe button alone is not likely to be an acceptable form of consent.
- Restrictions on the transfer of personal data from the EU to Australia.
- Some businesses will need to enhance their accountability procedures, such as implementing a technical ethos of “data protection by design and by default”, appointing a data protection officer, or even appointing a representative to the EU.
- The Right to Erasure: if an Australian company collects an EU resident’s data, that person can ask for the erasure of their personal data or restrict how it is used.
- When internet cookies can be used to identify an individual, they are regarded as personal data.
Cookies, Privacy and the GDPR
When cookies can identify an individual via their device, they are considered personal data under the GDPR (Recital 30). As “data subjects” under the GDPR rules, employees who fall under these rules will have new rights to ask for rectification, deletion or freezing of their data, which may include removal of the cookies that identify them within their Windows User Profile.
When users browse a website, personal data is generated, such as browsing history and temporary internet files, and the website is able to download data such as cookies to the user’s computer. In addition, web pages contain links to other websites, which in turn open connections to third parties, allowing them to also download data to the client machine. You can see this in real time when you open almost any website: in addition to the website that you actually want to see, you will see a series of sometimes cryptic links loading in the bar at the bottom of the screen. As a consumer of even a trusted website, you have little idea what these links are doing, and how they are accessing or sharing your data. For example, opening the Sydney Morning Herald homepage in the Firefox browser loads a range of content, analytics and tracking URLs.
Many of the sites or connections that load alongside your “desired” website in this manner deposit cookies in your web browser cache. In fact, third-party cookies are also saved, and data relating to these cookies is typically sent to other companies who then sell this information on to even more removed companies who will use it for targeted advertising (remember Cambridge Analytica?). Third parties typically account for 80% of the cookies stored. The data held in these cookies can often present a cyber security risk, as it can contain sensitive information such as usernames and passwords to systems that store personally identifiable data.
Simply put, uncontrolled cookies sitting in the user profiles of a company employee represent:
- A security risk to the company and its data
- A personal data risk to employees
As the EU GDPR comes into force, IT administrators who run the client computing environment for Australian organisations with EU-based staff and offices will most likely need visibility of what is actually on their users’ client computers, including web data, and then be able to set policies that define what is required and what can safely be removed.
At Peninsula IT, we believe that Avanite WebData Control is the only tool that can feasibly and effectively manage cookies on Windows client computers on an enterprise wide basis.
What can Avanite WebData Control do to manage Cookies and help with GDPR?
Manage WebData using Active Directory Group Policy settings for most common browsers:
- Microsoft Internet Explorer 10/11
- Google Chrome
- Mozilla Firefox
- Microsoft Edge
IT Administrators can define which cookies to keep and which to remove via advanced policies which provide granular control over the management of cookies. Examples of the settings available are:
- Remove cookie data associated with cookies not created, modified or accessed in the last x number of days
- Remove cookie data relating to the third-party cookies (with a domain name other than the site visited)
- Remove cookie data relating to specific cookie types (e.g. identify unneeded analytics cookies even if they are identified as “first party cookies”)
- Remove cookie data for expired cookies or cookies which are no longer relevant
- Remove cookie data for defined sites (a black list)
- Always retain cookie data for defined sites (a white list)
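To show how rules like these interact when more than one applies to the same cookie, the following is an added example, not Avanite's code or policy format. The `Policy` fields, the rule order and the use of browsing history to decide what counts as a "site visited" are assumptions of this sketch, and all cookie records are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Hypothetical record layouts for this example, not WebData Control's schema.
Cookie = namedtuple("Cookie", "domain name last_accessed expires")
Policy = namedtuple("Policy", "max_idle_days keep_sites remove_sites analytics_prefixes")

def matches(domain, sites):
    """True if domain equals, or is a subdomain of, any listed site."""
    d = domain.lstrip(".").lower()
    return any(d == s or d.endswith("." + s) for s in sites)

def decide(c, policy, visited, now):
    """Return (action, reason) for one cookie; the first matching rule wins."""
    if matches(c.domain, policy.keep_sites):
        return "keep", "white list"
    if matches(c.domain, policy.remove_sites):
        return "remove", "black list"
    if c.expires <= now:
        return "remove", "expired"
    if now - c.last_accessed > timedelta(days=policy.max_idle_days):
        return "remove", "idle"
    if not matches(c.domain, visited):   # assumption: history defines "site visited"
        return "remove", "third party"
    if c.name.startswith(policy.analytics_prefixes):
        return "remove", "analytics"     # first-party host, analytics cookie name
    return "keep", "default"

# Constructed sample data: reserved example domains, fixed clock for repeatability.
NOW, DAY = datetime(2018, 5, 25), timedelta(days=1)
POLICY = Policy(30, {"intranet.example.com"}, {"tracker.example.net"}, ("_ga", "_gid"))
VISITED = {"news.example.org", "intranet.example.com"}
SAMPLE = [
    Cookie("intranet.example.com", "session", NOW - 40 * DAY, NOW + DAY),
    Cookie(".tracker.example.net", "uid", NOW - DAY, NOW + 365 * DAY),
    Cookie(".ads.example.net", "uid", NOW - DAY, NOW + 365 * DAY),
    Cookie("news.example.org", "_ga", NOW - DAY, NOW + 365 * DAY),
    Cookie("news.example.org", "prefs", NOW - DAY, NOW + 30 * DAY),
    Cookie("news.example.org", "old_ab_test", NOW - 90 * DAY, NOW + 30 * DAY),
    Cookie("news.example.org", "promo", NOW - DAY, NOW - DAY),
]

def audit(cookies=SAMPLE, policy=POLICY, visited=VISITED, now=NOW):
    """Map 'domain:name' to the (action, reason) decision for each cookie."""
    return {f"{c.domain}:{c.name}": decide(c, policy, visited, now) for c in cookies}
```

Because the white list is checked first, the intranet session cookie survives even though it has been idle for longer than the 30-day limit; reordering the rules changes which cookies are retained.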
WebData Control provides an administrator with the capability to report on history and cookie information that exists in each user session to understand the web data being stored for each user. This information can be used to further configure WebData Control to achieve greater control and efficiencies.
Getting Started with WebData Control
- Try out the free WebData Analysis tool at this link: https://avanite.com/analysis. The screenshot below shows how huge numbers of cookies for this single user from first and third party sites can be controlled with WebData Control.
- Sign up for a trial of Avanite WebData Control at https://www.avanite.com/webdatacontrol
- Contact us at Peninsula IT for more information.