This is the second of our blog posts on GDPR, and this one focuses on GDPR and the business. Our first post, on the personal perspective, can be found here.
Since 25 May 2018, any organisation that processes the personal data of people in the EU must comply with GDPR, which means:
- Be transparent about how personal data will be used, and only process it on a lawful basis (for most customer data that means the individual's consent),
- Ensure the security of personal data throughout its processing,
- Report personal data breaches to the supervisory authority within 72 hours of becoming aware of them,
- Rectify, delete, and give access to personal data at the data subject's request.
A key point to note is that GDPR applies extraterritorially: it covers the processing of personal data of people in the EU wherever in the world that processing happens, not just in Europe, which makes it very different from other country-specific regulations. Brazil is following a similar model with the LGPD.
Non-compliance with GDPR can result in fines of up to 4% of annual global turnover or €20 million, whichever is greater. In the first 12 months of GDPR, 281,088 cases were logged by supervisory authorities; according to the European Data Protection Board, 144,376 of these were complaints and 89,271 were data breach notifications from data controllers. No one is exempt: even Google has experienced what it is like to be on that list, and British Airways and Marriott are other well-known organisations that have been fined. The money raised from GDPR fines, by the way, goes to the member state government.
While the potential for a fine is real, GDPR should not be seen as an enemy: it is very relevant in a world where personal data can easily get out of control. Here are some tips to help you stay on top of it:
- Map the data: document where customer data comes from and where it is stored
- Clean it up: keep only what is relevant to your business, in line with GDPR's data minimisation rules
- Review: double-check that your privacy statement and the way you actually use data are aligned with GDPR
- Establish procedures: make sure you know how to handle requests to erase, change or provide personal data
- Add security measures: implement tools and infrastructure that help prevent data breaches
Any employee can put data at risk
The truth is that the security of the data stored in your company does not depend only on how your IT department handles it. Sometimes one employee with low security awareness is enough to compromise the entire company. For example, if someone uses the same password for their personal email as for some company applications, and that personal email gets compromised, the company is exposed too, and in most cases without knowing it. According to Verizon's Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords.
Obviously, people do not use poor passwords because they want to put information at risk. They do so because it is hard to remember many complex credentials, and it is quicker to keep reusing what is easy to remember. The behaviour is risky all the same: if one reused password is compromised, every account that shares it is at risk.
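As an added example (not code from the original post or from LastPass), the following Python audit finds the reuse pattern just described in a constructed credential export. The site names, usernames, passwords and the `.corp.example` suffix used to tell company accounts apart are all assumptions made for the example:

```python
"""Audit a credential export for password reuse across accounts.

Added example, not code from the original post or from LastPass: it
detects the reuse pattern described above (one password shared between
a personal mailbox and company applications) while never storing the
plaintext passwords beyond the comparison itself.
"""
from collections import defaultdict
from typing import Optional
import hashlib
import hmac
import os

# Constructed sample export: (site, username, password). All names and
# passwords here are hypothetical.
SAMPLE_EXPORT = [
    ("personal-mail.example", "alice", "Summer2018!"),
    ("crm.corp.example", "alice", "Summer2018!"),
    ("vpn.corp.example", "alice", "Summer2018!"),
    ("bank.example", "alice", "x8#Kq2!vL0pR"),
    ("hr.corp.example", "alice", "Summer2018!!"),
]

CORP_SUFFIX = ".corp.example"  # assumed naming convention for company sites


def fingerprint(password: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a password.

    The key is random per audit run and discarded afterwards, so the
    fingerprints only serve to compare passwords with each other; they
    cannot be brute-forced later the way a plain SHA-256 hash could.
    """
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def find_reused(entries, key: Optional[bytes] = None):
    """Group accounts by password fingerprint.

    Returns a list of sorted account lists, one per password that is
    used on two or more accounts. Only exact matches are found: a
    password that differs by one character (see hr.corp.example above)
    gets a separate fingerprint.
    """
    key = key or os.urandom(32)
    groups = defaultdict(list)
    for site, user, password in entries:
        groups[fingerprint(password, key)].append(f"{user}@{site}")
    return [sorted(accounts) for accounts in groups.values() if len(accounts) > 1]


def crosses_boundary(group, corp_suffix: str = CORP_SUFFIX) -> bool:
    """True when a reuse group spans company and non-company accounts.

    This is the case the text warns about: a compromise of the personal
    mailbox silently exposes the company applications that share the
    password.
    """
    corp = any(account.endswith(corp_suffix) for account in group)
    personal = any(not account.endswith(corp_suffix) for account in group)
    return corp and personal


def audit(entries):
    """Return (reuse_groups, boundary_crossing_groups) for an export."""
    groups = find_reused(entries)
    return groups, [g for g in groups if crosses_boundary(g)]


if __name__ == "__main__":
    all_groups, risky = audit(SAMPLE_EXPORT)
    for group in all_groups:
        flag = "CROSSES personal/company boundary" if group in risky else "reuse"
        print(f"{flag}: {', '.join(group)}")
```

Two design points are worth noting. The comparison uses an HMAC with a throwaway key rather than a bare hash, so the audit output cannot later be turned back into passwords by a dictionary attack. And because matching is exact, the near-duplicate on hr.corp.example (the same password with an extra character) is not reported; catching that pattern needs a fuzzier comparison, at the cost of handling the plaintext for longer.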
Putting the right tools at employees' fingertips makes all the difference. Implementing SSO and Enterprise Password Management (EPM) can transform how your business uses and perceives passwords. SSO removes the need for separate passwords across the applications it covers, and for everything else there is EPM.
Small businesses are not a target, right?
The common misconception is that smaller businesses are not a target. Nothing could be further from the truth: they are just as much a target as any large business. Good cyber security does not need to add significant overhead, as there are solutions available for all types of companies and budgets. Getting the fundamentals (better known as the boring stuff!) right is the same across all businesses regardless of size or industry; only how they are addressed may differ. Securing the identities and associated access points of the people who add value to your business goes a long way towards getting the fundamentals right.
Here are a few items that should rank close to the top of your fundamentals list:
- Get credentials under control
- Reduce the number of passwords in your business
- Use MFA – particularly if your staff are mobile a lot of the time.
Depending on the solutions you choose, business impact and risk reduction can be measured and reported to stakeholders, demonstrating that the investment is working.
Trial LastPass Identity free today and cross the above 3 fundamentals off your list!