The GDPR law (article 32) requires every company to implement technical measures to ensure a level of security. More specifically: the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures This applies to every website since only by having a European citizen visit the website, the owner processes their personal data. And even more if the user leaves their email or other personal data on the website. How to comply with this obligation?
Have a check on what 3rd party plugins/API services you are using and what data they collect. Whether the data is completely stored in your server or sent to them/others. It should be fine if the data is completely stored in your server and no data sent to them. Its better to anonymize the IP's and collect only personal data if its really needed. Use a cookie consent plugin. These would make sure what data you are collecting and where they are stored and if its personally identifiable, how it is managed and if the user can at any point ask to delete those data.
Compliance with the GDPR, especially Article 32, to ensure the secure processing of personal data, is an important aspect for companies processing data of European Union citizens. Here are a few steps that can help fulfil these obligations: Risk Analysis and Threat Assessment: Assess the risks associated with the processing of personal data on your website. Identify potential threats to data confidentiality, integrity, availability and resilience. Develop security measures: Design and implement technical measures to ensure data confidentiality, integrity, availability and resilience. Use data encryption, authentication mechanisms, access control systems, and other technical measures. Regular testing: Conduct regular security testing, including vulnerability scans, penetration testing, and security audits. Monitoring and incident detection: Install monitoring systems to detect anomalous activity and potential security breaches. Develop procedures for responding to incidents and providing notifications in the event of security breaches. Personnel Training: Train staff who process personal data on security and compliance with GDPR policies. Ensure employees understand the importance of complying with data security measures. Documenting and evaluating effectiveness: Document all security measures taken and testing performed. Periodically evaluate the effectiveness of your technical and organisational security measures. Compliance with policies and standards: Ensure that your security measures comply not only with GDPR but also with other applicable security standards. Consultation with experts: If necessary, consult with professional security auditors and legal experts on GDPR. GDPR compliance is an ongoing process that requires you to continually update and improve your security measures to meet changing threats and legal requirements.
I used to work for a website design company I've since left. They use North IT cyber security company to have web app tests performed. Check them out northit.co.uk I'm sure they could offer some advice is this thread is still valid.
You could use OAuth for authentication, then you would not have to worry about storing user data, because it will get stored by facebook, github, google, ... This also increases security and lowers maintenance effort, due to not having to worry to implement authentication (It's done by OAuth provider).