To avoid the risk of identity theft and guarantee adequate protection of personal data, user interaction with a website for the purpose of transmitting personal data must be protected with cryptographic protocols (such as “https”).
Using the “http” network protocol, which is neither encrypted nor secure, to access the “online services” of a website does not adequately protect the data of customers registered in the reserved area.
The use of a non-encrypted protocol violates important principles established by the European GDPR Regulation, such as the “integrity and confidentiality” of the data processed. The data controller must implement technical and organizational measures suitable to guarantee a level of security appropriate to the risk (e.g. encryption of personal data) and adopt adequate systems to protect personal data from the design phase onwards (privacy by design), subsequently carrying out periodic reviews of the security measures in place.
It is also good to know that these obligations apply to systems pre-existing on the date of entry into force of the GDPR (25th May 2018).
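As an added example (not code from this page), a small offline Python audit that checks a reserved-area login response against the points above: the URL scheme, the Strict-Transport-Security header that keeps browsers on https, and the Secure attribute on session cookies. The URLs and headers are constructed sample values, not captured from any real site.

```python
from urllib.parse import urlparse


def audit_reserved_area(url, response_headers):
    """Return a list of transport-security findings for a login/reserved-area page.

    url: the address the login form is served from.
    response_headers: dict mapping header name -> list of values.
    An empty list means every check passed.
    """
    findings = []
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        findings.append("reserved-area URL is served over plain http")

    headers = {name.lower(): values for name, values in response_headers.items()}

    # HSTS only makes sense on an https response; without it a first visit
    # over http is not upgraded and the session can be exposed in clear.
    if scheme == "https" and not headers.get("strict-transport-security"):
        findings.append("no Strict-Transport-Security header")

    # A cookie without Secure is sent on any later http request to the host,
    # so the session identifier would travel unencrypted.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
    return findings


# Constructed sample responses (placeholder host, not a real site).
INSECURE = (
    "http://www.example.com/area-riservata/login",
    {"Set-Cookie": ["SESSIONID=abc123; Path=/"]},
)
HARDENED = (
    "https://www.example.com/area-riservata/login",
    {
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
        "Set-Cookie": ["SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    },
)

if __name__ == "__main__":
    for label, case in (("insecure", INSECURE), ("hardened", HARDENED)):
        print(label, audit_reserved_area(*case) or "ok")
```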
More information available at: