Written by: Joe Robinson
The European General Data Protection Regulation is widely misunderstood by many small businesses. It’s one of those topics that many people have some idea about and are keen to talk loudly about, while frequently missing the point, although few really understand it.
At its core, GDPR governs how businesses must protect EU citizens’ data, and sets out specific obligations for those who control or process personal data.
The regulation came into force on May 25th, 2018, and replaced the 1995 EU data protection directive, which allowed each EU member state to govern their own rules, leading to a disparity in the way data protection was enforced across the EU.
GDPR created a standard set of rules across the continent and enforces penalties for misuse and loss of data.
Despite what many, many, marketers believe, GDPR is not a marketing issue. Sure, some marketing processes are affected, but at its core, GDPR isn’t concerned with marketing but, rather, how companies obtain, store, and process personal data.
The point in GDPR is not to catch small businesses out but to protect EU citizens’ digital information and set a standard for data privacy that leads the world.
Identity fraud is growing year on year. For this reason, data protection should be a massive concern for any company that processes personally identifiable information (PII).
GDPR simply adds protection by way of a legal framework that all companies controlling or processing European citizens’ data must abide by.
GDPR requires organisations to notify the Information Commissioner’s Office (ICO) in the event of a breach of personal data, and allows citizens to make a complaint against any organisation they think is wrongfully collecting or processing their personal data.
Since May 25th, 2018, the number of breach notifications and data protection complaints across Europe has increased significantly.
According to the European Commission, Between May 25th and December 31st, 2018, there were 95,180 GDPR complaints from individuals, according to the European Commission. DLA Piper reports that in the 8 months since the regulations came into force, there were over 59,000 data breach notifications and a total of 91 fines.
The largest fine so far isn’t actually connected to a data breach, but non-compliance with regards to collection of data, and was handed to Google.
In January 2019, the French data regulator, CNIL, fined Google €50m for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
CNIL decided that Google had “no valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes”.
According to CNIL, Google had not obtained clear consent to process data because “Users are not able to fully understand the extent of the processing operations carried out by Google” as essential information was “excessively disseminated across several documents”.
Whilst Google claims they do in fact obtain the user’s consent to process data for ads personalisation, the committee decided that the consent is not valid for two reasons:
“User’s consent is not sufficiently informed. “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent”.
“Collected consent is neither specific nor unambiguous. “The user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked… consent is “unambiguous” only with a clear affirmative action from the user.
Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose”.
Now, having a pre-ticked box is just asking for trouble as it’s specifically against the terms of GDPR. The part I find most interesting, though, is that even though users agreed to the processing of their information, the consent is not considered valid as users had to tick a single agreement box to consent to all of Google’s data processing and is therefore not unambiguous.
This decision may have set a precedent that will likely have major implications not only for Google, but for any company that collects user data as part of their business model.
Any data you store about a person is personal data. Certain types are personally identifiable information (PII), in that they can be used alongside other pieces to identify an individual.
The sheer amount of PII floating around is more than most people realise.
Name, date and place of birth, social security and tax ID numbers, vehicle registration, etc. are the obvious ones, but PII also includes racial or ethnic origin, biometric data such as iris and retinal scans, and fingerprints, as well as digital information such as email address and IP address.
Allowing unauthorised access to these pieces of data can be extremely damaging to the individuals concerned. Whilst losing a single piece of PII is unlikely to harm a person, when several pieces are combined they can be used to open fraudulent credit card accounts, falsify police reports, and even take out a mortgage.
We’d hope that the bank or other organisation involved would be helpful in clearing up the situation, but these types of identity theft can impact a person’s financial and mental wellbeing for many years.
There are three ways to get into trouble with GDPR.
It’s extremely important to identify personal data and be conscious of how your organisation is keeping it protected in its three main states – in use, at rest, and in motion.
From this you can establish a framework of securing PII and GDPR compliance that can be demonstrated in the event of inspection.
The lengths you have to go to with regards to cyber security really depend on which data you collect and how. For many small businesses that don’t directly collect or control their customers’ data, security is often provided by the services they use.
A business collecting email newsletter signups on their website, for example, will generally have all data encrypted by their email list integration such as customer.io or Mailchimp, and use HTTPS to protect the data in transit between the user and the website.
However, getting proper consent is still extremely important irrespective of which tools a business uses to store and process customer data.
Any business that collects, controls, or processes any personal data of EU citizens must take careful steps to avoid a data breach.
Even without the threat of huge GDPR fines, a data breach is terrible PR and leads to decreased trust in an organisation, as extramarital dating site Ashley Madison discovered in 2015 when attackers leaked the personal data of 37 million users back in 2015.
GDPR doesn’t specify how organisations should integrate technology in order to meet the requirements because cyber security is a constantly evolving field that needs frequent updating.
Each organisation is free to implement their security as they please, so long as it keeps user data safe as per the requirements of GDPR.
So what should small businesses do comply with GDPR and avoid data breaches?
Ensuring all employees use strong passwords is absolutely essential to any organisation. Tools such as Lastpass have become very popular for good reason. Enterprise level password managers allow businesses to easily integrate and enforce strong passwords throughout their IT systems at a low cost.
This allows the passwords themselves to be encrypted so they never need to be vulnerable.
One of the most common ways for company networks to become infected is through viruses spread via email. An enterprise level email scanning solution reduces the risk of email-borne threats significantly by implementing layered security that checks elements of all incoming email such as identity validation and authentication, AntiSpam lists, attachments, and images.
Instead of storing customer data or any other PII on local machines that are entirely the responsibility of the business, consider moving everything to a secure cloud-based storage system such as AWS.
These solutions are provided by large companies that invest a huge amount of money into their security systems so your customers can benefit from the increased privacy and you’ll stay on the right side of the law.
One of the most effective methods of keeping your company’s data safe, especially where social engineering attacks are concerned, is employee training. Even basic cybersecurity courses help to foster a culture of data protection and raise awareness towards risk and help keep employees diligent.
Even the most advanced technological security systems can’t protect a business against employees making judgemental errors, so make sure everyone is on the same page.
Not everyone at an organisation needs to access all company information. Just as most employees won’t have access to payroll details or bank accounts, personal information needs to be segmented so that only elements that are essential to someone’s job are accessible.
Bring your own device has quickly become a staple within startups and enterprises alike, and has many benefits such as time and cost savings, and increased productivity. The danger of BYOD policies is that employees can unintentionally create a situation where normal security policies are ineffective and may increase the risk of a breach.
Some concerns with regards to BYOD are physical theft of devices that have access to PII, malware, and data interception – if a compromised device is sending data it could be a GDPR liability.
If you must allow BYOD, there are a few ways to mitigate the risks:
Social engineering is the biggest threat to data confidentiality today. As we’ve seen time and time again, even large enterprises with solid cybersecurity frameworks are frequently hit by attacks.
One of the ways this is possible is through social engineering, or tricking someone into giving you information.
Social engineering is often the entry point for a larger technical attack.
Technical exploits are extremely difficult to pull off without being detected if a business has decent security in place, but a social engineering attack could be as simple as claiming to be a technician who needs to access a logged-in computer to run some quick tests or updates.
The classic social engineering attack is the phishing email that is so enticing that an employee or manager can’t resist opening it and opening an attachment.
Now, companies will often already have safeguards in place to minimise the chances of this happening such as email scanning, but all too someone will see an interesting looking email in their spam folder and decide to open the attachment.
Having done a fair bit of work in SEO and online marketing, I’m astounded by the number of people that ask if they should implement HTTPS, and whether it’s worth doing as a “ranking factor” for SEO.
I always point them to this excellent article and mention that securing your website is not an SEO issue, but rather an important security measure for any website.
An SSL certificate doesn’t just provide security to people entering information on your website, but also authenticates that your users are experiencing the website as you intended, and not a modified version of it, and that the data isn’t being intercepted or modified in transit.
Since GDPR doesn’t specifically require encryption to be used at any point, an SSL certificate isn’t mandatory but is definitely strongly recommended since any data your users input on your website is your responsibility under GDPR (and it’s good for SEO too).
What exactly do you have to do if disaster strikes and you discover personal data you control has been breached?
The rules regarding this are quite clear. You must notify the supervisory authority within 72 hours, “unless the breach is unlikely to result in a risk to rights and freedoms of natural persons”.
This is a huge case for encryption as attackers can’t do much with encrypted data.
This means companies need to carry out an investigation as soon as they become aware of a breach, and be able to report on the specific nature of the breach, including identifying exactly what has been accessed and when, as well as affected users and perform an assessment of the potential impact on those users.
In addition to that, it’s necessary to detail specific measures that were in place to protect the data, along with forensic details of how the breach occurred and a remediation plan.
In addition to notifying the appropriate governing body, the company must also inform the affected users, which is likely to cause a PR nightmare.
GDPR doesn’t only apply in the event of a data breach. All organisations that process EU citizens’ personal data must be able to provide documentation that demonstrates compliance.
All data processing operations must be checked for compliance, and a record of the checks must be kept. A data protection impact assessment (DPIA) must be completed for any high risk operations such as the processing of sensitive or special categories of data (i.e. medical records or ethnic origin), systematic monitoring such as CCTV, or employee internet activity.
Inspections are carried out by the European Data Protection Authority, who check and verify compliance with regulation, and recommend areas for improvement. Organisations are usually informed four weeks in advance, although certain documents may be requested immediately.
Encryption is recommended by the EU as a GDPR safeguard but isn’t legally required. Although, just because something isn’t mandatory, that doesn’t necessarily mean it shouldn’t be done.
Encryption protects your customers, users, employees, and anyone else whose data you possess.
Article 32; Security of processing, states that “the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”, including, as appropriate, “pseudonymisation and encryption of personal data”.
So again, whilst encryption is not mandatory, it can be considered a standard tool to help achieve the security required under GDPR.
What’s more, a breach of encrypted data will most likely result in an embarrassment for the company, whereas losing unencrypted personal data will lead to serious questions being asked and potentially massive fines.
As Google discovered, protecting data isn’t enough because GDPR is particularly interested in transparency and consent, however, a system of strong encryption will certainly help in the event of a data breach.
GDPR clarifies the responsibilities of organisations that control or process personal data of EU citizens.
The main focus of GDPR is to protect the public by stopping unscrupulous companies collecting vast amounts of data on individuals that can potentially violate their right to privacy or be stolen by hackers and put individuals at risk of long-term financial or other damage.
Something that cybersecurity professionals have been saying for years – security should never be an afterthought but, rather, built into the very fabric of technology. The old mantra “security should be baked in, not sprayed on” has finally become the law.
This isn’t to say that the regulation forces companies to adopt certain privacy technologies, as it’s not the process of protecting data that’s important, but the result.
At the very core of Article 25: data protection by design is the principle of data minimisation – limiting the amount of stored personal data to the minimum required for the purpose. This means that companies have to stop collecting personal data just because they can.
The result of this being that even after a breach, the effects are minimised if superfluous data was never collected in the first place
Under GDPR, certain conditions for consent must be met. The organisation is required to be able to demonstrate that consent has been freely given through a clear, informed, and unambiguous affirmative action, specific to the use of the data.
Silence, pre-ticked boxes, or other inactivity cannot be considered consent. Consent must be verifiable and can be withdrawn at any time.
In most cases, it is prohibited to collect personal data that reveals racial or ethnic origin, political opinions, religious beliefs, or trade union membership, as well as genetic and biometric data.
There are specific situations where this does not apply, but again, these safeguards are in place to protect citizens, and breaches of these data types can carry much bigger penalties.
All European citizens are now protected by the 8 GDPR rights that must be upheld by the organisation controlling or processing the data. Companies must put systems in place that make it possible for data subjects to exercise their rights or risk fines for non-compliance.
The full scope of GDPR and an organisation’s full responsibilities can’t possibly paraphrased into a single article, and the intention of this piece is not to provide a definitive guide or legal advice.
It is very important to start thinking about the way your organisation handles data, and whether it’s in compliance with GDPR in a documented and demonstrable way should you face a data breach, complaint, or inspection.
GDPR aims to protect the data of European citizens through enforced regulations in a time when cybercrime is on the rise in a massive way. Even though it may seem inconvenient to implement compliance, the laws are there to protect the public and set an example for the rest of the world to follow.