Modern life revolves around the internet. From work, to entertainment, to shopping, consumers are attached to their online devices to fulfill their needs and keep them connected to the wider world. But as the internet as grown and matured, cybersecurity threats have evolved and now occur more frequently than ever. Anytime you’re online, there is a chance your data observed or stolen.
From a business point of view, global industries could not operate without the 24/7 exchange of information provided by the internet. Few companies, large or small, operate without a website. And with more and more emphasis being placed on data privacy, organizations now have the responsibility to protect their users and customers.
Governments have decided to enforce this responsibility through legislation, with the European Union’s General Data Protection Regulation (GDPR) being one of the first major initiatives worldwide. The question becomes what specifically does the GDPR mean for your business?
Background of GDPR
Since 2012, the European Commission had been working on a policy structure to protect European Union residents’ data and safeguard the continent for the digital age. The impetus for this was a rising interest in online privacy concerns and almost daily data breaches suffered by huge companies that put millions of records at risk either through negligence by the operating company or an outside intrusion by a hacker.
The effort culminated in May of 2018 when the General Data Protection Regulation officially went into effect. GDPR functions as a legislative framework designed to give citizens more control and visibility over how their personal data is used online.
In order to provide this control, GDPR dictates certain rules that online businesses must follow in order to stay compliant. If these standards are not met, the organization at fault may face fines or other penalties. SERIOUS penalties up to 4% of annual revenue. This isn’t ironclad protection for online users, as hackers still pose a major threat, but GDPR does offer some assurance that companies that collect and store personal data about customers must take more care than they did before GDPR.
The True Global Impact
For companies based somewhere other than Europe, they might hear about the GDPR regulations and assume that they will not be affected. However, the opposite is actually the case and has significant ramifications for businesses around the globe.
GDPR legislation is applicable to any organization that has an operation within the EU or caters to internet users from that region. Specifically, the new regulations stipulate that if your company collects any form of user data or behavioral information about citizens of EU nations, that you are liable for following the rules set out in GDPR.
For example, let’s say you run a photo-sharing website from an office based in the United States that also supports a mobile application for iOS and Android. It does not matter where your actual web servers are hosted in the cloud. If your service is available to European users or if the mobile app can be downloaded from EU stores, then GDPR applies to how you manage customer data.
Because of this wide scope of GDPR, you have probably begun to see more data privacy notifications as you browse the web. To be as safe as possible, companies are providing disclaimers to all of their users, regardless of their home base, to indicate their compliance with GDPR.
How to Stay Compliant
One of the primary focuses of the GDPR legislation is to issue mandates on how data breaches are handled by organizations. A data breach can either come about due to an external intrusion or by an accidental leak. GDPR addresses both types of data breaches as the same.
GDPR requires that companies continuously monitor their servers, databases, and networks for evidence of a potential data breach. Simply ignoring these incidents, looking the other way, or waiting years to acknowledge the incident is no longer acceptable protocol.
Breaches: When an organization detects a data breach, they must take swift action to notify affected users and mitigate any lingering threats. Specifically, GDPR requires an immediate reaction for any breach that has a strong likelihood to impact the right to privacy of individuals using the website or mobile application.
The most common form of data breach involves an outside intruder or hacker finding a vulnerability in an organization’s computer network. This could take the form of a direct hack into a central database or by phishing an employee’s credentials and getting into the system that way.
Cybercriminals typically look to steal any sort of personal information, including names, email addresses, passwords, or phone numbers. The most damaging incidents often involve credit cards, social security numbers, or medical information.
Web Hosting GDPR & Breaches
Looking at multiple web hosting providers who only act as a data processor to avoid responsibility of any hosted content is another issue to keep in mind. While some hosting vendors have completed DPA (Data Processing Addendum) requirements they are acting only as data processors and have secured their Privacy Shield certificates to reflect this.
According to GDPR rules about web hosting, “You need to inform your visitors from European Union and take the permission that you process their personal data, how you do it and why you do it. And you need to do it in a clear and plain language.”
This applies to you if you are engaged in any of the following (source):
- You have an email subscription form (and you collect emails, names etc);
- Your website has comment section (and thus visitors leave their names, email addresses, website URLs, comments etc);
- Even if you think you don’t collect any data, there may be plugins that do it (for example, plugins recording your visitors’ IPs or cookies data).
- And there’s one more thing – there are logs stored on your hosting which contain personal data such as IPs of your visitors. Yes, you may be unaware of it, but it is so. If you have a website, then you do collect personal data of your visitors even if you don’t want to or are not aware of. And this data is stored on your hosting.
This is something SMB need to keep aware of when trying to stay GDPR compliant. Discount web hosting solutions require a more thorough examination of their policies. Third party review websites like Hosting Australia provide specific GDPR information on cheap hosts. Please make sure to thoroughly research your vendor before opting for a lower tier solution.
Notifications: GDPR rules require that a company issue breach notifications as soon as possible during the aftermath of an incident, typically within three days. This notification cannot be simply a social media post or a press release to the media. Instead, the communication must occur to each and every individual whose information was included in the breach. The notification message should detail what specific pieces of data were stolen.
In addition, websites and mobile apps must explicitly give users the ability to easily opt-out of data sharing and other services that could invade their privacy. Even if your business uses customer information to enhance user experience, this opt-out ability still has to be readily available.
Penalties for Non-Compliance
When it comes to issuing breach notifications, a company must report the incident to the appropriate governmental department within 72 hours of detection. Individual users should be notified as soon as possible after that point. If this standard is not met, the organization responsible faces the possibility of a fine.
Fines for GDPR non-compliance can range up to 4% of the company’s annual revenue. The exact figure depends on the severity of the breach and whether the organization had proper security systems and processes in place to defend against attack.
Organizations should nominate a compliance officer within the information technology team to oversee all GDPR-related matters. In addition, some companies have opted to invest in cyber insurance that covers certain financial damages in case of a GDPR fine.
Emerging Hacking Threats
The purpose of the GDPR legislation is to make the internet safer for European citizens while making it harder for cybercriminals to steal personal information. However, in a comically brilliant move, some hackers now use the new regulations to craft attacks that exploit user data in new ways.
One such permutation is known as reverse ransomware. With this, a hacker infiltrates the systems of a company that is held to the standards of GDPR. Once they have stolen user data, they turn around and demand that the company pay a “fee” in exchange for not having the breach made public and creating a GDPR non-compliance incident.
Another new trend inspired by GDPR is a rise in compliance-related phishing scams. Companies and customers are likely seeing more emails in their inboxes that claim to have tips for meeting GDPR regulations. However, the messages actually contain rogue links that aim to steal passwords or other information.
What Comes Next
The EU’s decision to create GDPR is just the first step in a growing movement to secure personal data for online users. Government bodies in other jurisdictions have used GDPR as a template to draft their own legislation that will accomplish a similar purpose.
California is one that has put similar consumer privacy protections into place. The California Consumer Privacy Act (CCPA) was signed into law by Governor Jerry Brown in June 2018 and set to take full effect January 1, 2020. The law requires online organizations to be open about data storage policies and allow users to decline to have their information sold to third parties. The CCPA has a similar penalty structure to the GDPR’s, although fine amounts are lower.
Final Thoughts on Privacy
Staying private and anonymous online is a near impossible task these days. Hackers represent a constant threat, and meanwhile businesses struggle to maintain security over their own increasingly assaulted networks. The EU’s GDPR has fundamentally changed how companies across the globe operate when it comes to collecting, handling, and storing user data. The hope is that the number of data breaches will significantly drop in future years and consumers find themselves navigating a kindler, gentler, and safer internet.