DPA & GDPR: assessing a sample of websites of large companies in Mauritius.

Data Protection Act 2017 (DPA) and EU General Data Protection Regulation (GDPR): assessing a sample of websites of large companies in Mauritius.

With the DPA and the GDPR becoming relevant in 2018, we took up the challenge of finding out whether implementation has happened in websites in Mauritius. One way was to find out if large corporates in Mauritius had upgraded their websites to be in line with the requirements of these two sets of rules.

We have come up with some simple questions and built our sample to look mainly at what the largest companies have been doing in managing our use of, and access to, their websites. Our intention is not to name any organisation; if you wish to have a copy of the non-anonymised report, please email us at contact@comon.mu.

Our sample consists of 17 companies/organisations, including government subsidiaries/organisations and the most well-known companies that are very important to the local economy.

What questions did we ask? And what are the results?

1. How many organisations from the sample have a domain name and a website?

All of them, so that is 100%.

2. Does the organisation’s website use cookies?

100% of the websites we reviewed use cookies in some form, mostly cookies from Google (Analytics, etc.) with a few bespoke cookies (essentially session cookies).

We need to explain here that we are speaking about the main website; i.e. for banks, we have not reviewed their internet banking platforms.

The websites we reviewed are all accessible from other countries, including Europe, and could therefore be subject to the GDPR.

3. Does the organisation’s website have a cookie notification?

This is where it gets interesting, since all the websites use cookies and the organisations know what cookies are.

Only 6 of them have a cookie notification (a bit more than 35%). We started getting a bit worried here.

3 of them are in the hospitality sector, so we presume that, given the use of their websites by Europeans and their possible presence in Europe, they are more aware of the requirements of the GDPR.

4. Is the cookie notification in the form of “Accept/Reject” or “Manage”?

The percentage now falls to 11.76%, as only 2 of the reviewed websites offer “Manage” features. Given that this is best practice rather than a strict requirement once a website already has a cookie notification, we feel that there is more to be done here. These two websites are part of the hospitality industry.

5. Is there a link to a cookie policy?

Only 5 out of the 17 websites have a link to a cookie policy. We checked whether there were regional variations in the cookie policies, but none seem to be available.

6. Is the cookie policy readily available, i.e. linked from the cookie notification?

This question is more about whether the organisation has the internet user in mind and wants to create a better user experience.

The result is the same as for Question 5: 5 out of 17. This is not a surprise, as these organisations seem to know what they are doing.

7. Is there a data protection/privacy policy accessible online?

9 out of the 17 organisations have a data protection or data privacy policy online. That is 54% of the sample.

Given that most of the organisations we reviewed have a wide public reach and are defined as Public Interest Entities, they need to adhere to the Code of Corporate Governance.

We would have expected a much higher rate of compliance.

8. Is the website domain secure, i.e. is it served over HTTPS?

Cyber-security is one of the main risk topics for the C-suite worldwide. 4 of the websites we reviewed do not have an SSL certificate.

Suffice it to say that protecting users during their interaction with these websites has not been well taken care of.

9. Are there websites which (i) set cookies without permission and (ii) do not provide a cookie notification?

The sample indicates that there are. Despite the very low cost of implementing a cookie notification, 58% of the sampled organisations still fall foul on both cookie setting and cookie notification.
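To make the nine questions above reproducible, here is an added example (not tooling from the report) that applies the same checks to a snapshot of each site’s landing page: the first response served with no consent given. The three sample sites are constructed for illustration and are not the organisations in the sample; the check only looks at the first response and the static HTML, so cookies set later by JavaScript would need a browser-based capture.

```python
import re

# Constructed sample landing-page snapshots (url, response headers, HTML);
# they are not real sites from the report. "Set-Cookie" holds a list of values
# seen on the very first response, i.e. before any consent could be given.
SAMPLE_SITES = [
    {"url": "http://example-a.test/",
     "headers": {"Set-Cookie": ["PHPSESSID=abc; Path=/", "_ga=GA1.2.1; Path=/"]},
     "html": "<form>Name* Email* Address*</form>"},
    {"url": "https://example-b.test/",
     "headers": {"Set-Cookie": []},
     "html": ('<div id="cookie-banner">We use cookies. <button>Accept</button> '
              '<button>Manage</button> <a href="/cookies">Cookie Policy</a></div>'
              '<a href="/privacy">Privacy Policy</a>')},
    {"url": "https://example-c.test/",
     "headers": {"Set-Cookie": ["_ga=GA1.2.2; Path=/"]},
     "html": '<div>This site uses cookies. <button>Accept</button></div>'},
]

# A notification is "cookie" text followed closely by an Accept/Reject/Manage control.
COOKIE_BANNER = re.compile(r"cookies?.{0,120}?\b(accept|reject|manage)\b", re.I | re.S)
POLICY_LINK = r'<a[^>]*href="[^"]+"[^>]*>[^<]*{}[^<]*policy'   # anchor text naming a policy

def audit(site):
    """Apply the report's checks (Q2, Q3, Q4, Q5, Q7, Q8, Q9) to one snapshot."""
    html = site["html"]
    sets_before_consent = len(site["headers"].get("Set-Cookie", [])) > 0      # Q2 / Q9(i)
    banner = COOKIE_BANNER.search(html) is not None                            # Q3
    manage = banner and re.search(r"\bmanage\b", html, re.I) is not None       # Q4
    cookie_policy = re.search(POLICY_LINK.format("cookie"), html, re.I) is not None                  # Q5
    privacy_policy = re.search(POLICY_LINK.format("(privacy|data protection)"), html, re.I) is not None  # Q7
    https = site["url"].lower().startswith("https://")                         # Q8
    return {
        "sets_cookies_before_consent": sets_before_consent,
        "cookie_notification": banner,
        "manage_option": manage,
        "cookie_policy_link": cookie_policy,
        "privacy_policy_link": privacy_policy,
        "https": https,
        # Q9: cookies are set and there is no consent mechanism at all
        "no_consent_and_sets_cookies": sets_before_consent and not banner,
    }

def summarise(sites):
    """Return (count, percentage) per check, in the report's 'x out of n' style."""
    results = [audit(s) for s in sites]
    n = len(results)
    return {k: (sum(r[k] for r in results), round(100 * sum(r[k] for r in results) / n, 2))
            for k in results[0]}
```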

Digging deeper into the review results

1 – website failed all our tests, including not having an SSL certificate, while having a contact form where name, email and address were mandatory fields.

1 – website has implemented all best practices. Kudos to them.

2 – websites (both from the hospitality industry) allow users to manage their cookie settings.

3 – hospitality industry companies have spent time and effort in doing the right thing, but have not gone all the way.

8 – sites failed all our tests except that of having an SSL certificate.

Our take

The organisations we reviewed are all PIEs and are required to adhere to corporate governance rules.

Our results show that, in certain cases, the most visible and accessible aspect of a modern organisation, its website, does not really convey the element of trust one would wish to see.

It would seem that companies do not believe that their own websites can actually be a medium through which others will judge their organisations.

We expect the large organisations in Mauritius to continue to be the role models they have been to the entire business community over the years.

We hope that our expectations as members of the Mauritian business community will be met.

Quirky things we have found…

One organisation still mentioned the Data Protection Act 2004 on its website, while another mentions a data protection officer who is not based in Mauritius.