GDPR (General Data Protection Regulation) is a broad-reaching regulation meant to protect the private data of Europeans in IT systems.
The 99-article regulation is very long and covers a broad variety of topics.
Announced in 2017, GDPR went into effect as a requirement on May 25, 2018.
GDPR applies to any company doing business in Europe even if it is located elsewhere.
So for any business with an online presence that is available for Europeans to use - if you sell to Europe or give access to online services - you need to be GDPR compliant or potentially face massive fines.
Though it does not contain any specific section on the use of SSL certificates, GDPR has clear requirements that can only be addressed through the use of SSL certificates.
Article 32 of the regulation ("Security") begins this way:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
The pseudonymisation and encryption of personal data;
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
In other words, GDPR states that regulated information must be protected with "appropriate technical and organisational measures," including encryption of personal data and the ability to ensure the ongoing confidentiality of systems and services.
Digital certificates (including TLS/SSL) and encryption have been de facto requirements for all confidential communications across the open internet for more than 30 years and are among the most ubiquitous computing paradigms in place today.
So what data are affected? The regulation includes nearly any personal data including PII (personally identifiable information), PHI (personal health information), web usage information, and a set of personal characteristics such as race, sexual orientation, and political opinion.
The good news is that from an SSL perspective GDPR aligns with well understood best practices anyway.
If you're putting all your site pages under https and using certificates to authenticate and encrypt communications between internal systems, you're meeting the GDPR requirements for that component of data protection.
And if you're not, you should be doing so anyway in order to protect your customers, protect your own business, and maximize confidence in your site.
Web sites that neglect to have an SSL certificate are often subject to penalties.
The following article concerns a case in which 10 Korean home-shopping companies did not encrypt the part of their smartphone apps where personal information is transmitted, and were therefore issued a correction order and fines of 10 to 15 million KRW by the Korea Communications Commission for violating the Information and Communications Network Act.
Why do we need an HTTPS (encrypted traffic) security certificate?
When your website is served over a plain HTTP address, anyone on the network path between the visitor and your server can read the website traffic.
To protect your website visitors' valuable information, you must encrypt all communications with your website using SSL.
As shown above, installing an SSL certificate is now mandatory, not optional.
Who must install a security server
GDPR designates 'online businesses that collect personal information for profit' as the target of security server installation.
All providers handling personal information must establish a security server.
This includes collecting personal information such as ID/password or social security number through counseling, ordering, quotations and bulletin boards, as well as membership registration.
How to verify SSL certificate applied to website
A padlock icon is displayed in the address bar at the top of your web browser.
Click on this icon and then on 'Certificate'; the certificate information (issuer, subject and validity period) is then displayed.
If the valid period of the certificate expires, the following warning page appears when accessing the website. In this case, the certificate must be renewed.
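The same validity check done programmatically, as an added example that is not part of the original article: `cert_status` classifies a certificate by its validity window (expired, not yet valid, expiring within 30 days, or valid), and `fetch_peer_cert` retrieves a live server's certificate with the same chain and hostname validation a browser performs. The sample certificate dictionary is constructed for illustration and is not a real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WARNING_DAYS = 30  # assumed operational threshold, not from the article


def cert_status(cert, now=None):
    """Classify a certificate dict (ssl.SSLSocket.getpeercert() format).

    Returns (status, days_remaining); days_remaining is negative once expired.
    """
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days = (not_after - now).days
    if now < not_before:
        return "not-yet-valid", days
    if now > not_after:
        return "expired", days          # browsers show the warning page here
    if days <= RENEWAL_WARNING_DAYS:
        return "expiring-soon", days    # renew before visitors see a warning
    return "valid", days


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a server's leaf certificate, validating chain and hostname.

    Raises ssl.SSLCertVerificationError if the certificate would be rejected.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format (hypothetical host and dates).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "www.shop.example")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import sys
    # Pass a hostname to check a live site; otherwise classify the sample.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(cert_status(cert))
```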
SSL certificate installation service is provided by most hosting companies and costs about 100 USD per year.
(The price varies with the number of users accessing the site; the figure quoted is Comodo's, as an example.)
However, after signing up for the Cloud WAF (Web Firewall service) in AIONCLOUD, you can enjoy free SSL certificate installation and website protection up to 5GB per month.