Data Security Whitepaper


Transcript of Data Security Whitepaper

Page 1: Data Security Whitepaper

Sample Solutions, Premier Sample Provider

Mobile RDD Sample: Pulsed Mobile RDD

Consumer Sample: Global coverage with more than 250 key variables

RDD onDemand: RDD onDemand provides direct access to our global RDD database

Geocoding Services: Enrich data with NUTS regions or other socio-demographic data

Landline RDD Sample: Pulsed landline RDD for more than 140 countries


Introduction

Data security is a critical component for all businesses. Business data protection helps to secure customer details, financial information, survey data and other key business data, which are key company assets. Many companies, including Sample Solutions, rely on the fact that the data they hold and work with is secure, encrypted and cannot be breached. Losing data in a natural catastrophe is one thing, but losing it to a breach can lead to severe consequences. Not only do data breaches damage a company’s reputation and destroy consumer trust, a breach may also lead to lost business opportunities and financial consequences, along with disruption of safety and normal workflow.

Content

- Introduction
- Background
- General Approach to Data Protection
- Products of Sample Solutions: SMS Survey Platform; Sample on Demand
- Future Steps towards 2018
- Works Referenced

Background

In the age of digitalization and e-commerce, data protection and security have become increasingly important. Not only must companies protect their own data from cyber espionage, but they must also safeguard consumer data and abide by ever-changing data protection regulations or face severe consequences. Data breaches cost companies millions each year; just ask Target, a large US retailer, who had to pay out 67 million for a massive data breach in 2013. According to the Ponemon Institute, in 2015 alone data breaches cost companies an average of $3.79 million (≈3.39 million euros). Thus it is essential for companies to have proper data safeguard mechanisms integrated into their systems, along with regulatory compliance for all countries in which they conduct business. Issues like the new Data Protection Regulation, as well as what companies need to do regarding it, will be discussed later in this whitepaper.

Data protection regulation is intended to strike a balance between the rights of individuals to privacy and the ability of companies to use data for commercial purposes. The main purpose for the existence of data legislation is that personal data is not processed without the knowledge of the individual.

Moreover, in 2018 the General Data Protection Regulation (GDPR) will come into place, which requires all companies conducting business within the EU to handle data in specific ways. Besides the EU countries, it also addresses the transfer of personal data outside the EU. Key changes to EU data protection introduced by the GDPR are the following:

- More rigorous requirements for obtaining consent for collecting personal data
- Raising the age of consent for collecting an individual’s data from 13 to 16 years old
- Requiring a company to delete data if it is no longer used for the purpose for which it was collected
- Requiring a company to delete data if the individual revokes consent for the company to hold the data
- Requiring companies to notify the EU government of data breaches within 72 hours of learning about the breach
- Establishing a single national office for monitoring and handling complaints brought under the GDPR
- Companies handling significant amounts of sensitive data or monitoring the behaviour of many consumers will be required to appoint a data protection officer
- Fines up to €20m or 4% of a company’s global revenue for non-compliance

“We will look at how these new practices apply to our core products: telephone samples, SMS surveys and lastly, data services.”

General approach to data protection policies

Data security and the challenge of data protection are increasing in scope, and in difficulty. While organizations have long needed to safeguard intellectual property and confidential information, changes in information technology and business models introduce new actors, new threats, and new regulations. As a result, companies, including Sample Solutions, need to think beyond the traditional models of securing the perimeter and locking down specific segments of IT infrastructure in order to achieve their data protection goals.

Even before the new Data Protection Regulation comes into force, Sample Solutions has always complied with the EU’s Data Protection Directive, which requires data controllers to ensure that data protection requirements are met and safeguards are in place, including measures related to security, and we continually strive to further improve and develop these measures beyond what is required. Our systems require identity assurance, visible trust and strong protection; some of Sample Solutions’ general policies include data encryption, safe storage of the data, SSL certificates for security and reliable web hosting. All of our data is delivered via our own platform, where we host the data on a dedicated server (https://www.surveyplatform.eu). There are several advantages of providing the data via the platform and not via FTP or other third-party applications. Reliable web hosting, SSL and encryption are provided for each and every sub-platform as well as for all orders that we deliver to clients. We discuss the security protection provided by third-party applications and how they contribute to better data protection in the following sections.

Web Hosting

The server hosting for our platform is provided by Strato (https://www.strato.nl/). It is 100% hosted in Germany, as they provide excellent IT security which is verified repeatedly each year through independent TÜV certification (ISO 27001). STRATO also offers a three-tiered security concept which includes:

- Secure data centers, complying with Germany’s strict legal requirements, where they host more than 60,000 servers and 4 million websites
- Backup control and risk management at the highest level
- Secure data transmission through encryption

SSL Certificate

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. The adoption of SSL certification is on the rise. SSL is a transparent protocol which requires little interaction from the end user when establishing a secure session. As opposed to unsecured HTTP URLs, which begin with “http://” and use port 80 by default, secure HTTPS URLs begin with “https://” and use port 443 by default.

Most information security professionals consider SSL a basic security measure, because HTTP is insecure and subject to eavesdropping attacks, which can let attackers gain access to online accounts and sensitive information. Data that is sent or posted through the browser using HTTPS is ensured to be encrypted and secure.

Sample Solutions has enabled Extended Validation SSL Certificates (EV SSL) as the highest class of SSL available. This kind of certificate activates both the padlock and the green address bar in all major browsers. EV SSL Certificates provide the strongest encryption level available and enable us to present our own verified identity to website visitors. EV SSL Certificates offer a stronger guarantee, are globally standardized and have a verification process defined within the EV

Encryption

As a concept, encryption does not prevent interception, but it denies the message content to the interceptor. In our system all of the delicate data is encoded in such a way that only authorized parties can read it. In our platform we encrypt the files with an encryption key which specifies how the messages should be encoded. All the sessions and session variables are encoded in the back end, so all the sub-platforms are secured as well.

Everyone agrees that usernames and passwords are the ultimate thing that needs to be protected. Sample Solutions’ encryption offers encoding for these as well, so that in the unlikely case of a data breach, this information will not be published or accessible by third parties.

Products of Sample Solutions

Sample Solutions wants to make sure all of our security policies are applied to the products we offer to clients. Here we describe the policies for our two most used platforms: the SMS Survey Platform, which enables one- and two-way SMS surveys, and Sample on Demand, which offers internal work with RDD and B2B databases and includes our Client Delivery System, where all the processed orders are safely stored and delivered to clients.

1. SMS Survey Platform

The SMS Survey Platform is currently the only platform in Sample Solutions that handles personal data. So far the company has complied with all internal regulations in every country in which we have performed surveys. Based on the data protection regulations discussed in the preceding sections, the SMS Survey Platform is built with a modern and widely popular web framework that provides additional safety measures. The SMS Survey Platform utilizes a sophisticated authentication and user-management system. This provides a safe and secure way of logging into the application and managing the users accordingly. The system also provides user roles, so that not all users are allowed to have access to the delicate parts of the application. By using a modern web framework to develop the SMS platform, several security measures are already covered, such as:

- Cross-site request forgeries: targeting some URLs may have side effects. That is why not all users have the same roles and cannot access all the parts and routes of the application.
- XSS (cross-site scripting): placing unwanted client-side code that steals information. This is solved by escaping and making sure that every piece of user-submitted data is safe.
- SQL injection: when an application uses unfiltered user input in communication with the database. By default, the framework offers techniques that are SQL-injection proof, which the SMS platform uses extensively.
- Forced HTTPS when exchanging sensitive data: if someone tries to communicate with the system without a secure connection, the system forces them to use HTTPS instead of HTTP for additional security.

By using a popular, supported and regularly maintained web framework for developing this platform and also implementing the best programming techniques, we have made sure that this platform is completely data-secure.

2. Sample On Demand

Sample on Demand is the general tool for delivering the main products of Sample Solutions (RDD, B2B, B2C samples) and can be found under https://sample.surveyplatform.eu. SSL protected and encrypted as well, this platform is highly protected in several ways, since the data we are delivering are delicate and of great importance to our clients. Developed both for administrators and users, it provides encrypted authentication for both parties. During the upload and delivery of an order the following actions are taken:


- Once the order is uploaded, the client immediately receives two separate emails. One contains the access link to the order and the second email contains the password for the submitted order. The files are kept on our own dedicated server, thus they cannot be accessed in any other way.
- After the order is processed, the system automatically sends the client an internal and an external link to access the files. The internal URL demands authentication by the user, and the external URL is equipped with additional protection by including randomly generated unique strings that do not allow any kind of prediction or guessing by an outside party.
- The platform offers a unique password per order after the client passes the general verification and is equipped with a limited number of downloads per order to prevent outside attacks or abuse of data.
- For general protection, the link to the platform automatically expires after 21 days. However, the client can still access the original files past the expiration date upon request, as we store these.

Future steps towards 2018

Around 18 months are left until 2018 and the implementation of the new EU data protection guidelines. Therefore we have developed a roadmap towards 2018 to further strengthen our data protection policies. Although only a part of the data that Sample Solutions works with is classified as personal data, we will strive to comply with the new regulations and continually improve our system. As part of our next steps, we will establish a data protection management team to implement the ISO 27001 international standard for Information Security Management. Furthermore, we plan on appointing a data protection officer, to ensure that we use personal data only in cases where the data protection regime allows using the data in question, and that we obtain specific and explicit consent from individuals for the processing of their data (opt-in).
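The Sample On Demand delivery controls (unguessable external link, separate per-order password, internal link for the authenticated owner, download cap, 21-day expiry) as an added example that is not Sample Solutions' code; the 3-download cap, the `at_day` clock helper and the `OrderDelivery` class are constructed for the illustration, since the whitepaper gives no numbers or names for them.

```python
"""Added example, not Sample Solutions' code: the Sample On Demand delivery
controls as a small in-memory service. Constructed: a 3-download cap."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

LINK_LIFETIME = timedelta(days=21)  # from the text: link expires after 21 days
MAX_DOWNLOADS = 3                   # constructed cap; the text gives no number


def at_day(n):
    """Constructed clock helper: n days after a fixed reference date."""
    return datetime(2017, 1, 1) + timedelta(days=n)


class OrderDelivery:
    def __init__(self):
        self._orders = {}  # external link token -> order record

    def issue(self, order_id, owner, now):
        """Create the external link token and the per-order password: the token
        is 256 bits from the OS CSPRNG, and only a salted hash of the password
        is stored so a leaked table does not reveal what was e-mailed."""
        token = secrets.token_urlsafe(32)
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._orders[token] = {
            "order_id": order_id, "owner": owner, "salt": salt,
            "pw_hash": hashlib.sha256(salt + password.encode()).digest(),
            "expires": now + LINK_LIFETIME, "downloads": 0,
        }
        return token, password  # mailed to the client in two separate e-mails

    def download(self, token, now, password=None, user=None):
        """Return 'ok' or the refusal reason. External link: token + order
        password; internal link: token + authenticated owner. Expiry and the
        download cap apply to both routes."""
        rec = self._orders.get(token)
        if rec is None:
            return "unknown-link"
        if now > rec["expires"]:
            return "expired"  # originals stay stored; released on request
        if rec["downloads"] >= MAX_DOWNLOADS:
            return "download-limit"
        if user is None or user != rec["owner"]:  # not the internal route
            given = hashlib.sha256(rec["salt"] + (password or "").encode()).digest()
            if not hmac.compare_digest(given, rec["pw_hash"]):
                return "bad-password"
        rec["downloads"] += 1
        return "ok"
```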


Works Referenced

1. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Official Journal L 201, 31/07/2002, P. 0037-0047.

2. Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM/2013/048 final - 2013/0027 (COD).

3. M Law Group, 2012, New Draft European Protection Regime. Available from: http://www.mlawgroup.de/news/publications/detail.php?we_objectID=227

4. GlobalSign, What is SSL? Available from: https://www.globalsign.com/en/ssl-information-center/what-is-ssl/

5. Ponemon Institute Research Report, 2015, 2015 Cost of Data Breach Study: Global Analysis. Available from: www.ibm.com/security/data-breach

www.sample.solutons