
Small businesses don't ignore the GDPR; it matters now

22 Jun 2018

Impact on SMEs

The GDPR is a set of legislative conditions on how you can collect, process and manage personal data, and one of its key aspects is the addition of subject access rights.

It applies to global entities, whether you're based in Europe or not.

Any company that's doing business in Europe will be subject to the GDPR. This includes companies based in a foreign country, even if they do not have an office in Europe, if they provide services to, or they collect personal data from, an EU citizen.

While GDPR has been in effect since May 2016, enforcement began in May 2018. A lot of the talk around this regulation is about a significant increase in fines. At the lower bracket, the fines are 10 million Euros or 2% of your global gross revenue; for a really bad data breach, or one involving sensitive or large amounts of personal data, they rise to 20 million Euros or 4% of your global gross revenue.

Yet GDPR is a cultural shift, not simply fines

GDPR is not a matter of compliance. It’s an exercise of accountability and risk management at minimum, and it’s a cultural shift. One simple aspect is that, while responding to an incident, you also have to declare whether personal data has been breached within 72 hours of detecting the breach.

You need to declare a personal data breach if it puts the safety of the data subject at risk. For example, a breached username and password is probably not a reason to declare, but if a home address is breached and there's a risk to that user, you have to declare it.

The GDPR defines personal data as any data that allows a data subject or person to be re-identified, either directly or indirectly. The problem is the ‘indirectly’, which quickly becomes complicated.

The classic definition of private information that most vendors will give you is surname, first name, address and the like. But when you look at the ability to re-identify a person, you have to take into account their images, hair colour, height, stature, skin colour and so on, all the way to CCTV footage if you are managing CCTV. That's all classed as personal data.

Two things incident response teams should do now

You need to produce a data map of how you, as a business, are managing personal data. If the response teams have access to that map, they can see where there's likely to be an issue, where personal data is potentially stored, and where you might need to monitor a little more heavily.

One of the key aspects of the GDPR is accountability, so account for everything you do to prove that personal data is protected, and as part of that, look at how you would respond to a personal data breach. If you are the target of an attack, you should be able to know, and make sure, that nothing has been changed or destroyed. That’s accountability: it demonstrates that you’re taking this seriously and that you're protecting the data.

With privacy there’s a connotation that you're not allowed to use the data, and you're not allowed to process that personal data. But that's not what the GDPR is about. The GDPR sets regulation so that you, as an organisation, understand what your responsibilities are on collecting that data, and that you use that data and process it in a secure manner. When you think of breach, the connotation is, ‘Oh we've lost data or data's been exported’.

But a breach under the definitions of the GDPR is exfiltration or malicious destruction. For exfiltration, if you get ransomware, for example, you will have to declare it if it has potentially touched data that is sensitive. Malicious changes are when somebody outside of the normal processing activity changes the data; that's considered a breach. And there's one more, malicious deletion, which is erasing the data in any form.

Corporate responsibility and the GDPR

Under the GDPR, responsibility sits at the highest corporate level (i.e. the board of directors), but liability depends on the type of violation, which articles you're in breach of or not complying with, and the type of data that’s been violated.

There are essentially two brackets of fines.

For example, if you're managing what is deemed sensitive data, which includes things like political affiliation, trade union affiliation, criminal records, race and some other stuff, you will automatically be in the higher bracket of fines.

If you have done all your footwork but are missing certain things, not complying with certain articles or have done something wrong, that's more at the 2% level of fines, but there's a lot more to it, and it's a lot more complicated than that.

As for responsibility, the GDPR defines that it's the organisation and the board that are responsible, but there is also what they call a Data Protection Officer, or DPO. The DPO’s responsibilities are to manage and coordinate all of the data protection activities, and also to be the single point of contact for breach notification, for responding to the DPA's requests, and for responding to them where data subjects have complained.

The DPO’s responsibility is defined at the highest level in the GDPR.

Article by independent data protection advocate Thomas Fischer.
