Benjamin Franklin famously once said, “By failing to prepare, you are preparing to fail” – a piece of wisdom that can be applied directly to any discussion on Global Data Protection Regulation (GDPR), a directive coming to force on May 25, 2018.
Although we have been covering this topic for the last two years, it seems like there are never enough pieces of advice, opinions or insights into what it really means to be compliant. The closer the deadline gets, the more feature stories with the right keywords appear and one could easily be confused which of the articles accurately applies to their business.
WeLiveSecurity spoke with David Tomlinson, Manager of ESET Endpoint Encryption, who has spent time analysing the impact of GDPR on small and medium businesses (SMBs) and is therefore perfectly placed to explain the issues facing SMBs. “This directive is very heavy burden for small and medium businesses. The list of requirements is too big for them to digest and they tend to close their eyes and hope when they regain their sight the issue will disappear,” he says.
GDPR requires any business inside or outside the European Union (EU) that collects or in any other way handles the personal data of EU citizens to be compliant with all its regulations and abide any legal implications resulting from non-compliance.
With its complex rules and fines for non-compliance climbing to €20 million or more, GDPR penalties demand a financial outlay that is not easy to cover for any SMBs. With staff headcounts varying from 10 to 250 and annual turnover reaching between €2-50 million, the impact on their profit would be catastrophic.
“Ideally companies need to have dedicated personnel for creation of documentation, processes, procedures, someone overseeing the whole business in relation to GDPR, and lastly staff to implement it into the daily lives of employees. This is something that cannot be easily stowed in a structure of a smaller business,” adds Tomlinson.
As a recent survey by IDC shows, only 29% of European small businesses and 41% of midsize businesses have taken steps to prepare for GDPR. Among non-European SMBs, the share of prepared firms declines to 9% among small businesses and 20% of midsize businesses.
Nevertheless, this is not a lost battle. The majority of companies still can ensure their compliance before the deadline of May 25. “The greater part of them have been doing the right things all along, and GDPR will bring only marginal changes to their structure and business,” encourages Tomlinson.
The key lies in understanding what the role of personal data in each business is, and what protective measures need to be applied to meet the requirements of GDPR. Let’s define what personal data is. “It is any information that relates to an identified or identifiable living individual. For example: name, surname, home address, e-mail address, location data”, the directive reads.
If we take a generic recruitment agency as an example – in their terminology, personal data would be referring to a client number or a code assigned to each of the candidate’s résumés. Even with no obvious direct identification of the individual, this code is classified as personal data and should be handled according to GDPR rules.
With the directive coming to force near the end of May, there is a need not only to audit internal processes and structures, but for additional security measures to be implemented across all industries as well. For easy understanding of what needs to be done, you can review the seven step guide on GDPR by the European Commission or read further into this topic on WeLiveSecurity.
After all that’s been said in media about GDPR, we shouldn’t forget that the primary role of the directive is to enforce better data protection rights for European citizens. This, however, includes notification of a data breach to the supervisory authority, limiting businesses to disclose such information no later than 72 hours after becoming aware of such an incident.
It’s important to remember that not every business is exposed to the same risks. While large businesses name malicious attacks as the highest risk, SMB’s list of risks is crowned by employee negligence.
There are many ways to mitigate these risks – including tools for process automation, encryption and two-factor authentication solutions, along with training your staff to comply with the processes. None of them will magically solve all your problems at once – but it is safe to say it will solve the majority of them when set up correctly.
“Security of USB sticks and laptops plays an important role, as these sometimes can become lost or stolen, leading to the loss of customer data, HR files, etc. that are stored on them – if the data are not encrypted. If you invest in easy-to-use encryption software for your business to store and work with the personal data safely, you are close to a win,” concludes Tomlinson.
For more information on GDPR, ESET has a dedicated page to help ensure that you have everything covered before May 25.