If you’re like me, you were recently bombarded with a slew of emails from companies you do business with, telling you all about their wonderful privacy protection and data security policies. This activity was spurred by the May 25, 2018 rollout of a new European privacy law, the General Data Protection Regulation, or GDPR.
Like many small and mid-sized business owners in the Washington, DC area, I wondered what all the fuss was about. More importantly, what does GDPR mean to me as a consumer or a business owner, and to my customers? So here’s a quick primer on GDPR and its impacts.
GDPR in a Nutshell
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, adopted in 2016, that became enforceable on May 25, 2018. It protects the personal data of individuals in the EU and is intended to give them greater transparency over, and control of, how their personal data is collected, processed, used, and stored.
For consumers, GDPR establishes rights over how companies use their personal data. Among other rights, individuals (the “data subjects”) can:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data (the “right to erasure”)
• Object to processing of their personal data
• Export their personal data in a portable format (data portability)
As an EU regulation, GDPR applies directly in every member state, so it does not need to be transposed into national law the way the earlier Data Protection Directive did (member states may still pass supplementary national laws on specific points). It’s important to note that GDPR covers any business that processes or holds the personal data of individuals located inside the EU, even if the organization itself is not based in the EU. Failure to comply with GDPR can result in significant fines: the upper tier is €20 million or 4% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher.
Now that this law exists, I personally believe the EU is waiting for the next breach of personal information to occur. Then a lawsuit will be filed, how the breach occurred will be investigated, and a company will be targeted as the test case. Legal precedents, due diligence, best practices and penalties will be set through the legal system and not by the Information Technology industry. This will be followed shortly by the insurance industry, ready to sell risk avoidance.
What I find unfortunate about this approach is that the real criminal, the computer hacker who illegally steals our personal information, is not mentioned in the legislation. It is unfortunate that the company that “allowed” this crime to be committed is the target of punishment. You don’t want that to be your company.
What is important is to prepare your company and employees so that you do not become a victim of these crimes and are not held accountable for inaction. Although I have not been able to confirm a statistic, being the victim of a cybercrime is very bad for business. A small breach can at best be a wake-up call, but a noteworthy breach can put a small company out of business and its owners at risk.
Is Your Organization Prepared?
Even though GDPR is an EU regulation, industry experts expect similar rules to reach the U.S. in the near future. Organizations can get ready now by focusing on the policies, procedures, and tools that will keep them ahead of the regulatory curve.
GDPR is designed to protect what the U.S. industry usually calls PII, or Personally Identifiable Information. GDPR itself uses the term “personal data,” which is broader than most U.S. definitions of PII (it explicitly covers online identifiers such as IP addresses and cookie IDs), but the common PII definition is a reasonable starting point:
“Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.”
Start by conducting an inventory of the personal data you collect or store. Under GDPR, personal data means any information relating to an identified or identifiable person, and can include a full name, an identification number, location data, an online identifier, or social media profiles. Make sure you know where you are putting your data, and what protections exist when you use cloud applications. Note that under many U.S. definitions, PII arises from the combination or linking of information: a list of birth dates alone is not PII, but a name with a birth date is. GDPR’s definition is broader, so a name by itself is already personal data when it identifies someone, and a combination of otherwise harmless fields (birth date, postal code, gender) can identify a person even without a name.
Don’t collect more data than you need. Data minimization is a core GDPR principle (Article 5) and requires businesses to limit personal data collection, storage, and use to the minimum necessary to achieve a stated purpose. GDPR also requires a lawful basis for every processing activity. Consent is one such basis, but not the only one: performance of a contract, a legal obligation, and legitimate interests are others. Where you do rely on consent, it must be freely given, specific, informed, and as easy to withdraw as it was to give.
Foster a security culture within your organization. GDPR requires some organizations to appoint a Data Protection Officer (DPO), for example public authorities and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, but good data protection means everyone being an advocate for good practices. Phishing remains one of the most common starting points for data breaches, so end-user Security Awareness Training is a good place to start.
Under GDPR, organizations must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to individuals; when the risk to individuals is high, the affected people must be told as well, without undue delay. In the U.S., each of the 50 states, the District of Columbia, and Puerto Rico also has its own breach notification requirements. Be prepared and know how to report data breaches if they do occur. For example, notification in the state of Virginia looks like this:
“Attorney General/Agency Notification. The state AG must be notified whenever any VA residents are notified under the criteria above. In the event an Entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the state AG of the timing, distribution, and content of the notice. For health information, the Entity must also notify the Commissioner of Health.”
Finally, make sure your organization has the tools in place to defend against data breaches. Invario offers a range of security solutions for small and mid-sized businesses. At a minimum, I recommend starting with an advanced endpoint security solution such as SentinelOne, a strong password policy, email filtering, firewalls, Security Awareness Training, and advanced network monitoring.
My suggestions here should not be taken as legal advice, but hopefully I’ve given you some useful guidance regarding GDPR and data privacy protections. Feel free to reach out to me if you have questions or would like more information on IT tools or best practices to help with data security.
If you know of a company that would be interested in Invario’s services, please e-mail me the name of the company and the phone number and email address of the person we should contact.
That is all you have to do! Once the new customer has been onboarded, Invario will pay you a referral fee equal to one month of that customer’s Invario service.
Recipients who cannot or do not wish to receive a referral payment may elect to have the referral fee donated to a charity of their choice or put into a company entertainment fund.
If there is an IT topic you would like to know more about, please e-mail me your suggestions.