The General Data Protection Regulation (GDPR) was passed in the European Union (EU) in 2016 and requires all businesses to protect, under an updated definition, the personal and private data of EU citizens for transactions occurring within EU member states. The regulation establishes data privacy rules that provide transparency and expanded privacy rights for EU citizens.
What is the updated privacy definition?
The basic definition of personal data is any information relating to an identified or identifiable natural person (data subject).
Examples of private data covered by GDPR include:
- Name and surname
- Email address
- Phone number
- Home address
- Date of birth
- Genetic markers or identified predispositions
- Religious affiliation
- Political opinions
- Credit card numbers
- Data held by a hospital or doctor
- Photograph where an individual is identifiable
- Identification card number
- A cookie ID
- Internet Protocol (IP) address
- Location data (for example, the location data from a mobile phone)
- The advertising identifier of your phone
When a data breach has been detected, GDPR now requires companies to notify all affected persons and the supervising authorities within 72 hours. GDPR applies to all personal data collected on EU residents, regardless of whether or not they are citizens of EU countries.
GDPR defines penalties for noncompliance. Failure to comply with GDPR requirements can result in fines ranging from 10 million euros to four percent of the company’s annual global turnover.
Under GDPR, companies can’t legally process any person’s personally identifiable information (PII) without meeting at least one of the following six conditions:
- The user has given express consent; or processing the personal data is necessary:
  - for the performance of a contract with the user or to take steps to enter a contract; or
  - for compliance with a legal obligation; or
  - to protect the vital interests of the user or another person; or
  - for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  - for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights, or freedoms of the user.
In addition, companies that conduct data processing or monitor data subjects on a large scale must designate a data protection officer (DPO). The DPO is the person responsible for data governance and for ensuring the company complies with GDPR, including making sure appropriate data protection principles are applied to the maintenance of personal data.
What does this mean for an SMB?
Businesses that operate outside of the EU and do not process private data on EU data subjects, as outlined in the list above, need not worry about GDPR itself. However, similar legislation is in place throughout most of the world, so businesses should instead focus on examining their local country’s data privacy rights. Once you understand your legal obligations in your own home country, you’ll want to develop a breach notification plan.
The importance of a Breach Notification Plan
It’s very important to have a plan to notify any users and applicable agencies involved in a data breach. The time to work out how to notify, and what the applicable home country laws and requirements are, is before a breach, not during one. In the US there is a patchwork of data privacy laws enacted by individual states; no federal law is in effect. In preparing your breach notification process, make sure you seek outside counsel and expertise to help you comply with the laws of each state (or country, as the case may be) whose residents’ data you hold.
Data Privacy Regulations by Country (a Sample):
- European Union’s General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (2018)
- Australia’s Privacy Amendment (Notifiable Data Breaches) Act of 2017
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Germany’s Federal Data Protection Act (BDSG)
CyberHoot recommends you know the laws affecting your company and you prepare a Breach Notification process document reflecting those laws. Don’t forget to test the process annually as well.
The Best Defense against Data Breach Fines Is No Breach at All
Beyond establishing a breach notification process, there are many other actions your company can take to reduce the risk of a breach. CyberHoot recommends the following basic breach counter-measures:
- Train and test employees on how to spot and avoid phishing, smishing, and vishing attacks;
- Govern employees with a set of cybersecurity policies that establish company cybersecurity requirements;
- Employ the principle of least privilege by taking away admin rights from user desktops and laptops;
- Adopt a password manager to improve employee password hygiene;
- Enable two-factor authentication on all critical accounts (email, bank, etc.); and
- Authenticate callers into your business when they are making high-value requests (asking for information, changing bookings, charging a credit card, etc.). Companies with access to client mobile phone numbers should text an authentication code to each change requestor.