Why the Contact form had to go! #GDPR

We still want to be contacted so we can help businesses improve their information and cyber security, but from now on, please do it by email or by calling.

Removing the website Contact form may seem extreme, but it eliminates a risk to personal data over which we have very little control.

As everyone probably knows*, the General Data Protection Regulation (GDPR) replaces the Data Protection Act in May 2018. It provides a new data protection framework to cover the collection, processing and protection of personal data on EU citizens. With so many possible ways to compromise personal data, the GDPR says you should “evaluate the risks inherent in the processing and implement measures to mitigate those risks”.

Having audited the personal data being collected and processed, it was time to evaluate the risk of it being compromised. The website had a contact form where people could enter their name, email address and details of the issue they wanted to discuss, which might themselves include personal data. Submissions are accessed via the WordPress backend. The main risks lie not in the WordPress core product but in the plugins being used, and one of those plugins provided the Contact form.

Coming from a development background, we know that data entered in a Contact form may be written to a file for debug purposes. This should not happen in a live environment, but it sometimes does. And if such a file exists for debugging, there is probably a way to reach it via the internet, which could lead to unauthorised access. The risk of this happening is low, but rather than accept it, the Contact form was removed. An alternative way to address the risk was considered: using a specialist web agency that would have access to the Contact form code, rather than keeping the website on WordPress.com, where there is no access to the code. That may happen at a later point, but it isn't a current priority.
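As an added example (not code from the original post), a small check for the failure mode just described: debug or log files left under a web root that still contain form submissions. It assumes a self-hosted WordPress tree you can read from disk (the post's own site was on WordPress.com, where this is not possible); the plugin name, paths and log lines in the constructed sample are hypothetical.

```python
"""Scan a web root for debug/log files that still hold contact-form data."""
import os
import re
import tempfile

# Filenames that commonly carry debug output (assumed list; extend for your stack).
SUSPECT_NAMES = re.compile(r"(debug|\.log$|\.txt$|\.csv$)", re.IGNORECASE)
# An email address is used as a cheap proxy for "a form submission is in here".
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def find_exposed_form_data(webroot):
    """Return sorted [(path_relative_to_webroot, email_count)] for suspect files
    under webroot that contain at least one email address.  Anything under the
    web root is presumed reachable over HTTP unless the server config denies it."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not SUSPECT_NAMES.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    count = len(EMAIL.findall(fh.read()))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if count:
                rel = os.path.relpath(path, webroot).replace(os.sep, "/")
                hits.append((rel, count))
    return sorted(hits)


def build_sample_site():
    """Constructed sample tree: a hypothetical plugin's debug.log holding two
    submissions, plus harmless files that must not be reported."""
    root = tempfile.mkdtemp()
    plugin = os.path.join(root, "wp-content", "plugins", "example-form")
    os.makedirs(plugin)
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(plugin, "debug.log"), "w") as fh:
        fh.write("[2018-04-01] name=Alice email=alice@example.com msg=call me about my records\n")
        fh.write("[2018-04-02] name=Bob email=bob@example.org msg=invoice query\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php // front controller, no personal data\n")
    with open(os.path.join(root, "wp-content", "uploads", "brochure.txt"), "w") as fh:
        fh.write("Company brochure text, no addresses here\n")
    return root


if __name__ == "__main__":
    for rel, n in find_exposed_form_data(build_sample_site()):
        print(f"{rel}: {n} email address(es) found")
```

Run it against a real tree by replacing `build_sample_site()` with the web root path; any hit is a file to remove and a logging setting to turn off.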

Is this an extreme measure? Probably, but it eliminates a risk to personal data.

Would this be the right approach for your company?

If you use a web development agency that has access to the Contact form code, the risk would be much lower. And if you have higher-risk processing activities on personal data, address those first. Do your risk assessment to find out.

If you want help with risk assessments, please get in touch via email or phone.
e: ian.grey@wadiff-consulting.co.uk
t: +44 (0)7941 188462

* Shame on you if you didn't know about the GDPR!