
Small businesses, don't ignore the GDPR; it matters now

22 Jun 18

Impact on SMEs

The GDPR is a set of legislative conditions on how you can collect, process and manage personal data, and one of its key aspects is the addition of subject access rights.

It applies to global entities, whether you're based in Europe or not.

Any company that's doing business in Europe will be subject to the GDPR. This includes companies based in a foreign country, even if they do not have an office in Europe, if they provide services to, or they collect personal data from, an EU citizen.

While the GDPR has been in effect since May 2016, enforcement began in May 2018. A lot of the talk around this regulation is about the significant increase in fines. At the lower tier, fines are 10 million Euros or 2% of your global gross revenue; for a really bad data breach, or one involving sensitive or large amounts of personal data, they rise to 20 million Euros or 4% of your global gross revenue.

Yet GDPR is a cultural shift, not simply fines

GDPR is not simply a matter of compliance. It is an exercise in accountability and risk management at minimum, and it is a cultural shift. There is also the practical requirement of responding to an incident while having to declare, within 72 hours of detecting the breach, whether personal data has been breached.

You need to declare a personal data breach if it puts the data subject at risk. For example, if a username and password are breached, that is probably not a reason to declare, but if a home address is breached and there is a risk to that user, you have to declare it.

The GDPR defines personal data as any data that allows you to re-identify a data subject, or person, either directly or indirectly. The problem is the 'indirectly', which is where it becomes complicated.

The classic definition of private information that most vendors will give you is name, first name, address and things like that. But when you look at the ability to re-identify a person, you have to take into account their images, hair colour, height and stature, skin colour and so on, all the way through to CCTV footage if you are managing CCTV. All of that is classed as personal data.

Two things incident response teams should do now

You need to produce a data map of how you, as a business, manage personal data. If the response teams have access to that map, they can see where an issue is likely to arise, where personal data may be stored, and where you might need to monitor a little more heavily.

One of the key aspects of the GDPR is accountability, so account for everything you do to prove that personal data is protected, and as part of that, look at how you would respond to a personal data breach. If you are the target of an attack, you should be able to establish whether anything has been changed or destroyed, and confirm that nothing has. That is accountability, and it demonstrates that you are taking this seriously and protecting the data.

With privacy there is a connotation that you are not allowed to use the data or process that personal data. But that is not what the GDPR is about. The GDPR sets regulation so that you, as an organisation, understand what your responsibilities are when collecting that data, and that you use and process it in a secure manner. When you think of a breach, the connotation is, 'Oh, we've lost data, or data has been exported'.

But a breach under the definitions of the GDPR covers exfiltration, malicious change and malicious destruction. For exfiltration, if you get ransomware, for example, you will have to declare it if the affected data is potentially sensitive. Malicious change is when somebody outside of the normal processing activity alters the data; that is considered a breach. And there is one more - malicious deletion - that is, if the data is erased in any form.

Corporate responsibility and the GDPR

Under the GDPR, responsibility sits at the highest corporate level - i.e. the board of directors - but liability depends on the type of violation, which articles you are in breach of or not complying with, and the type of data that has been compromised.

There are essentially two brackets of fines.

For example, if you are managing what is deemed sensitive data, which includes things like political affiliation, trade union affiliation, criminal records, race and some other categories, you will automatically be in the higher bracket of fines.

If you have done all your footwork but are missing certain things, are not complying with certain articles or have done something wrong, that is more at the 2% level of fines… but there is a lot more to it, and it is a lot more complicated than that.

As for responsibility, the GDPR defines the organisation and the board as responsible, but there is also what it calls a Data Protection Officer, or DPO. The DPO's responsibilities are to manage and coordinate all of the data protection activities, and also to be the single point of contact for breach notification, for responding to requests from the data protection authorities (DPAs), and for responding to complaints from data subjects.

The DPO's responsibility is defined at the highest level in the GDPR.

Article by independent data protection advocate Thomas Fischer.
