In this digital age, businesses and individuals are becoming more aware of the importance of privacy and security of their data with regards to apps, websites and online systems to avoid being victims of identity theft and fraud.
Governing bodies around the world are reacting to these concerns by implementing new legislation that aims to protect your personal data with a number of enforceable regulations and guidelines. Two of these major changes that relate to the World Manager community is the Mandatory Notifiable Data Breach (NDB) and General Data Protection Regulation (GDPR).
This article will provide an overview of these changes and how they relate to World Manager along with recommendations that will help reduce potential security risks related to your platform.
Mandatory Notifiable Data Breach (NDB)
In Australia, the NDB law comes into effect February 22, 2018.
The NDB law requires businesses to disclose or provide notice of any breaches relating to personal data to all individuals who may have been impacted by the breach if this breach is likely to result in serious harm to the individual. Serious harm in this instance includes physical, emotional, financial, psychological and reputational variants.
Prior to this change, notification of breaches was recommended but was not mandatory.
The NDB law applies to businesses governed under the Privacy Act 1988, including any with an annual turnover of $3 million, or business that collects and store sensitive user information such as World Manager.
It has always been and will continue to be World Manager policy that any potential breaches or security-related incidents be communicated as quickly as possible to any affected brands and that this communication should include:
- A clear description of the incident that has occurred including time, date, severity and current status
- All data or information that may be potentially affected by the incident
- Any relevant actions or recommendations that affected brands or individuals should follow as a result of the incident
- Contact information for the World Manager team should brand's or individuals require more information
General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR) update comes into effect as of May 2018.
GDPR is intended to protect individuals’ personal data by ensuring businesses implement adequate security processes and procedures when handling and storing personal information.
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
World Manager has recently been working with a third-party security firm to ensure that we comply with all relevant regulations and can continue to provide the most secure platform possible. In addition, during the course of the year, we will be implementing added security measures across the platform and back-end infrastructure.
We believe that security is of the utmost importance and this will be a continued area of focus for the World Manager team in 2018.
Security Recommendations
Although your World Manager platform is already configured with encrypted passwords, enforced HTTPS and a host of other security features built in there are many ways that you and your users can decrease the likelihood of sensitive data being exposed. World Manager recommends the following:
Audit your Custom Fields & Recruitment Questions
World Level → System Configuration → Custom Fields
World Manager stores a minimal amount of personal data by default: name, email address and phone number. Access to this data is limited to the user or authenticated managers that hold sufficient access permissions however this access can also be completely removed at the discretion of our brands using built-in permissions configuration tools.
In addition to these default user account fields, the Recruitment tool also stores basic personal information relating to applicants that are also limited to use by authenticated managers however this tool does allow brands to create and request any type of data from an applicant as part of the position questionnaire.
We do not recommend storing of sensitive data such as (but not limited to) bank or tax details, social security numbers etc. within custom fields as these details are not used for processing in any related functions within the platform. Care should also be taken when building Recruitment Questionnaires with regards to the information being requested from applicants.
If your platform does use these types of fields or questions for storing sensitive personal data, please take note of the following disclaimer:
The World Manager platform allows for custom fields or questions to be created by brands for the purpose of storing data relating to individuals or locations at the discretion of the brands.
As such, World Manager does not warrant the confidentiality or accuracy of information or data that the Company, employees or its agents' store or input into the World Manager platform.
The Company accepts it is the owner of its own data and content inputted into the World Manager platform and accepts all liability and responsibility for any information or data that it may choose to store or input into the World Manager platform.
Audit the Number of Administrator Accounts
World or National Level → System → Accounts
We recommend that you limit the number of users who have World Level and National Level administrator access within the platform as this will limit the number of people who have unrestricted access to your platform data.
If you must have multiple users with World or National level access, we recommend that you consider using the custom permissions functionality available to limit the visibility for each user to the relevant tools and data that they require to perform their duties within the platform.
Never Use Shared Accounts
Sharing a single account across multiple users creates problems in identifying which user made changes within the platform and can lead to people retaining access to the platform when they no longer require it. Shared accounts are a security risk and should not be used.
Audit your Password Settings
World Level → System → System Configuration → Accounts Settings
Minimum Password Length
The longer the password, the more secure it will be. Try increasing this to at least 8 characters.
Password Inactive Period
This functionality is intended to automatically deactivate a user after a period of inactivity in the event that they have left the business, but their account was not deactivated. Take a look at the value in use here and adjust this period depending on the typical employee lifecycle and processes within your business.
Contact Details
Should you require more information regarding World Manager data security or recommendations for a more secure platform, please get in touch with our Privacy Team at privacy@franconnect.com, or by calling:
- Australia: +61 2 8005 4271
- United States: +1 214 297 0006 ext 1
- Canada: +1 604 409 4336 ext 1