The Good, the Bad, and the Ugly: What is the GDPR and What Does it Mean for Small Businesses?
The digital age has ushered in new ways to think about privacy issues, and any business that uses information and communications technologies (ICTs) and the internet to process, store, communicate, and share data can no longer ignore the risk of data breaches, privacy violations, hacking and other cybersecurity concerns. Indeed, cyber risks affect all industries and markets and can represent an existential threat, especially to smaller companies that have limited resources and have built their business around one line of products or services. In response to the growing number of damaging data breaches in recent years, the European Union (EU) has updated older data protection laws, raising the standards - and the stakes - of personal data privacy and strengthening the rules of the road for businesses that handle large amounts of personal information. Recent events like the Facebook-Cambridge Analytica data leak scandal are among the reasons why stricter data laws, such as the EU General Data Protection Regulation (GDPR), are needed to prevent future large security breaches, give users more access to and control over their own data, and ultimately penalize those who fail to protect the data they collect and profit from.
The GDPR - adopted by the European Parliament on 24 April 2016 and entering into force on 25 May 2018 - will require organizations to implement substantial changes to their data protection compliance programs, business processes, and IT infrastructure to demonstrate due care, custody, control, and protection of data originating in the EU, as well as protection of individuals' right to privacy. The GDPR aims primarily to give control to EU citizens and residents over their personal data and to simplify the regulatory environment for entities operating in the EU. This new privacy regulation will reach across geographical and industry lines and will apply to anyone with a presence in the EU, or who handles, collects, stores, transfers or disseminates data on EU citizens, including businesses and other legal entities.
The GDPR strengthens existing data protections for individuals inside the EU and sets forth regulations on exporting data outside of the EU, including:
- Distinguishing and clarifying the different roles and responsibilities between those who control data (individual/company that makes decisions about data processing activities, the "controller") and those who process data (individuals/companies who are contracted by the controller to handle and collect data, the "processor").
- Expanding the scope of what is understood to be personal data, including names, ID numbers and locations, as well as IP addresses, cookies and other digital fingerprints.
- Streamlining enforcement authority to one supervisor per member state, and mandating companies to notify consumers of a data breach and report it to the appropriate supervisory authority within 72 hours from its discovery.
- Giving users the right to access previously released information, ask to receive such information back in a clearly written and easily transferable format, and have it transferred to another data controller.
- Leveraging penalties for non-compliance to increase corporate data protection practices and responsibility for entities that capture and use customer data. Fines can be up to:
  - 10 million euros ($12 million) or 2% of a company's global annual turnover (whichever is greater) for breaches; and
  - 20 million euros ($24 million) or 4% of a company's global annual turnover (whichever is greater) for very serious breaches.
One of the many pending questions that remain is: how will the GDPR affect small businesses?
Many organizations and even privacy experts are wondering whether the regulation is more about legal verbiage than transparency and clarity about what constitutes personal data, while business owners - especially those with smaller operations - are still asking how they can prepare and budget for the changes required by the new legislation. Reporting requirements, for example, could result in a high volume of responses that may not be handled promptly by a small business with limited resources, and controllers could be held accountable for violations caused by their third-party vendors. Complying with this new regulation may also delay the development of new technologies and products, since most organizations will need to invest additional budget/effort to comply with the consent, data mapping, and cross-border data transfer requirements under the GDPR. This may require shifting important resources away from research and development into compliance efforts.
Although it could be argued that this regulation is not realistic about security expectations and that it was drafted by the EU Parliament as a reaction to the increasing scale, scope, and volume of data breaches and violations of privacy rather than by IT and cybersecurity experts who understand data security, these are now the requirements that businesses will have to comply with if they want to continue doing business in Europe.
Small and mid-size businesses are far from ready for the impending GDPR, and may have difficulties implementing it, especially if a company lacks the money and expertise needed to create a detailed security and privacy program. A quick look at most informational blogs and public forums regarding the GDPR shows that many small and medium-size organizations lack a clear understanding about this regulation and are still wondering whether the GDPR even applies to them (for example, see the conversation about the GDPR on the linkfluence blog). All companies that hold personal data on EU consumers must soon be able to demonstrate that they have updated their privacy policies and terms of service in order to comply with the GDPR or be ready to face hefty penalties.
The Silver Lining:
Despite the imperfections and the possible problems with implementing the GDPR for some, leaders in the SMB community can improve their security programs and stay under budget by being proactive and realistic about their capabilities. First and foremost, every organization should know what kind of data (e.g., PII, PHI, PCI, etc.) it stores, collects or processes, where it is located, who has access to it, and how it is being protected. Second, organizations should understand the risks they are exposed to; assess their security measures and policies - including their incident response and business continuity plan(s); allocate appropriate human and financial resources to minimize cyber risks; and ensure that all their employees are trained and up to date about the GDPR and how to report a breach if it occurs. Third, they should be able to demonstrate due diligence on their supply chain and certify that all suppliers and contractors are also compliant with the GDPR to avoid setbacks. Lastly, a simple rule of thumb may be: if you do not need to store sensitive personal data related to EU consumers for legitimate business reasons, just erase it.
One of the positive outcomes of this regulation is the potential for the GDPR to be a revolutionary standard for data protection and privacy rights that other countries around the world may decide to follow in the future.
For more tips and information on cybersecurity best practices, see: Understanding Cyber Threats - Lessons for the Executive Team.
Francesca Spidalieri is the Senior Fellow for Cyber Leadership at the Pell Center for International Relations and Public Policy at Salve Regina University, where she leads the Cyber Leadership research project and the Rhode Island Corporate Cybersecurity Initiative (RICCI). Francesca is also an Associate at Hathaway Global Strategies LLC, and serves as Co-Principal Investigator for the Cyber Readiness Index project at the Potomac Institute for Policy Studies, and as a Distinguished Fellow at the Ponemon Institute. Her academic research and publications have focused on cyber leadership development, cyber risk management, comparative organization analysis, and national cyber preparedness and resilience. She lectures regularly at cyber-related events nationwide and contributes to journal articles and other publications on cybersecurity matters affecting countries and organizations worldwide. She holds an M.A. in International Affairs and Security Studies from the Fletcher School at Tufts University, a B.A. in Political Science and International Relations, summa cum laude, from the University of Milan, and has completed additional cybersecurity coursework at the U.S. Naval War College's Center for Cyber Conflict Studies.