When PII is stored in your website's database, it is essential to:
Use strong encryption methods to protect data at rest.
Our preferred form plugin (Craft Formie) has an option to encrypt form field data. We turn this on by default for forms initially created by us during the development process and we recommend you enable this for any future forms as well.
Implement access controls to restrict control panel access to authorised personnel only.
If multiple users are accessing the back-end of your website, we need to ensure that the right people have the right permissions, so access to the PII is limited.
Regularly update and patch database management systems to address security vulnerabilities.
We recommend jumping on board our maintenance plans to ensure your website CMS can be kept up to date and have regular check-ups. Find out more about how we keep your website up to date here.
Consider your data retention settings
Data retention policies should be defined and enforced to determine how long PII is stored. Only retain PII for as long as necessary to fulfill the purpose for which it was collected. For any web forms that store PII we recommend a 14 day data retention period.
Make sure you have a process in place for easy data deletion
It's important to ensure data deletion processes comply with relevant regulations (ie. GDPR). When a user requests for their data to be completely removed from your website storage system, you must be able to action this quickly and easily.