In recent years, advances in technology have altered the way businesses operate. In fact, the majority of businesses now gather and process at least some sensitive personal data during their usual operations. But, with growing awareness about the impact of data breaches, customers are increasingly protective of their privacy, so it is more critical than ever to ensure that information is being managed safely.
A business that wants to maintain its customers’ trust must invest in cybersecurity solutions to safeguard its data. But first, it’s essential to have a good understanding of what constitutes sensitive data and the scope of your responsibilities. So, without further ado, here are 10 Facts All Business Owners Need To Know About Protecting Your Data.
1. Data protection is a legal obligation
Data privacy is a legal obligation with stringent restrictions and consequences. The laws that apply to your business are determined by the geography of your customers as well as the type of data you collect. The current legislation protecting data is the General Data Protection Regulation (GDPR), but the scheduled arrival of UK SOx in late 2022 will bring additional regulations you may need to consider.
What is GDPR?
The General Data Protection Regulation (GDPR) is a data protection law that the European Union passed in May 2018. This law applies to any person or corporation that handles the personal data of site visitors within the EU. On leaving the EU, the UK created the UK GDPR, a near-identical version of the original. The main difference is that instead of data breach cases being heard by the European Data Protection Board, they fall under the remit of the Information Commissioner’s Office (ICO).
What is UK SOx?
UK SOx is the unofficial moniker for the UK’s new corporate governance regime, which will bring the UK system of compliance more in line with the Sarbanes-Oxley laws in the United States. Designed to help protect investors from fraud, the new governance is expected to cover reforms highlighted in the Brydon Report, an independent review of the effectiveness and quality of auditing in the UK. Among the many improvements that UK SOx will aim to make will be the need “to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements.” The scope of UK SOx will include reducing risk factors across your organisation, not least of which is data breaches.
2. GDPR follows the user
One of the most detrimental misconceptions that businesses have is that the GDPR regulations do not apply to them if they are not situated in the EU. That’s simply not true. The location of your head office and your website’s geographic domain have no bearing on GDPR.
Both UK GDPR and EU GDPR were created to protect those within their respective regions and apply to companies anywhere in the world. For example, UK GDPR is a protection for individuals within the UK, so the regulation applies to any UK-based users of your website, regardless of where your company is located. Importantly, GDPR isn’t citizenship based, so it also applies to foreign nationals who are accessing your site from within the UK.
When determining whether GDPR applies, the individual’s current location takes precedence over their citizenship. In the same way that a foreign national is protected by GDPR while they are within the UK or EU, when an EU/UK citizen travels outside those areas, they are subject to the laws of the respective nation. As a result, GDPR does not apply to EU or UK citizens while they are living or vacationing abroad.
3. Data breaches result in financial repercussions
Businesses are required by law to protect important personal data from unauthorised access. Failing to meet cybersecurity standards is deemed noncompliance and is punishable by hefty penalties and fines with short grace periods. Following a cyber-attack on your company, you may face stringent regulatory scrutiny, including regular audits.
A data breach can result in several lawsuits with potentially large payout amounts. For example, a cyber-attack on the US retailer Target in 2014 revealed the data records of around 70 million customers. As a result, the organisation faced over 140 class action lawsuits, with settlements totalling more than $10 million.
And don’t forget, the obvious financial implications are only one facet of how a data breach can affect your business. The loss of confidence felt by customers, investors and business partners can have an even more significant impact, with studies showing that 60% of small firms go out of business within six months of a data breach.
4. Data protection is an ethical responsibility
While data privacy is governed by law, businesses shouldn’t forget that it is an ethical responsibility too. In fact, the right to data protection is included in the EU Charter of Fundamental Rights, the Treaty on the Functioning of the European Union and the UK Human Rights Act 1998, all of which give individuals the right to privacy by giving them control over how information about them is gathered and used.
When a customer divulges their personal details, be it their full name, date of birth or banking information, they are taking a leap of faith. Your customers trust you to protect their privacy and safeguard it as much as technologically possible.
The power of data might be alluring, but it’s essential to use personally identifiable information (PII) with caution. Remember that behind your data points are real people – their identities and livelihoods could be jeopardised if their data falls into the wrong hands.
5. Personally identifiable information is complex
As a business owner, you’ll be aware that there is legislation around data protection, but did you know that personally identifiable information includes much more than just straightforward contact or financial details? Data protection covers all aspects of an individual’s personal data, inclusive of that which identifies them online, such as social media handles. Here are some of the types of personally identifiable information, including many you may not have previously considered:
- Name
- Address
- Phone number
- Email address
- Driver’s license number
- Passport number
- Social media handles
- Bank account number
- Credit or debit card number
- Fingerprint or other biometric data
- Health and genetic data
- Racial or ethnic data
- Political opinions
- Sexual orientation
- Web data – location, IP address, cookie data, and RFID tags
Don’t fall into the trap of assuming that a name and postcode aren’t as sensitive as a bank account number. While one may be a faster route to financial gain for a fraudulent hacker, the exposure of either can have serious repercussions.
6. It’s easy to de-identify data
At the most basic level, any business owner knows that they need consent to collect personally identifiable information, but once you’re in possession of that data, it’s worth considering how much of it you need to hold on record.
The protection of GDPR applies to “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”. In summary, if it can’t identify a person, it isn’t covered by GDPR.
For businesses that have collated information but have no need to store personally identifying details, a great way to protect the remaining data is to de-identify it. De-identifying data means removing the PII from a dataset, leaving only the elements that are needed. For example, if you’re tracking spending habits across different demographics, you can remove the personally identifiable information and leave only the demographic and purchase history. Remember, the more data you have in your possession, the bigger the risk.
7. It can also be easy to re-identify data
While de-identifying data is relatively straightforward, it can also be surprisingly easy for someone with the will and patience to re-identify it. When de-identifying data, you need to think critically about how easy it would be to reverse engineer the remaining information to identify the person in question.
With so much information available online, data that is usually considered fairly innocuous, like your gender, date of birth and postcode, can be used to pinpoint specific individuals. In fact, studies in the US have shown that over 80% of people are completely unique based on those three attributes alone. In the UK, where our postcodes are even more geographically specific, this figure could be even higher.
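The two points above (de-identifying by dropping PII, and checking how easily the remainder can be re-identified) can be measured rather than guessed at. The following is an added example, not code from the original article: it strips the direct identifiers from a small constructed customer dataset and then computes k-anonymity over the gender, date-of-birth and postcode columns, before and after generalising them. The field names, sample records and postcodes are assumptions constructed for the example.

```python
from collections import Counter

# Added example, not the article's own code: strip direct identifiers from a small
# constructed dataset, then measure how re-identifiable the remainder still is using
# k-anonymity over the quasi-identifiers the article names (gender, DOB, postcode).

DIRECT_IDENTIFIERS = {"name", "email"}
QUASI_IDENTIFIERS = ("gender", "dob", "postcode")

# Constructed sample records: fictional customers with UK-style postcodes.
FIELDS = ("name", "email", "gender", "dob", "postcode", "spend_gbp")
CUSTOMERS = [dict(zip(FIELDS, row)) for row in [
    ("Customer 1", "c1@example.com", "F", "1984-03-12", "SW1A 1AA", 120),
    ("Customer 2", "c2@example.com", "F", "1984-07-30", "SW1A 2AB", 45),
    ("Customer 3", "c3@example.com", "M", "1979-01-05", "M1 1AE", 310),
    ("Customer 4", "c4@example.com", "M", "1979-11-21", "M1 2BB", 88),
    ("Customer 5", "c5@example.com", "F", "1991-05-17", "EH1 1YZ", 19),
    ("Customer 6", "c6@example.com", "F", "1991-12-02", "EH1 3RT", 230),
]]

def de_identify(records, drop=DIRECT_IDENTIFIERS):
    """Remove direct identifiers, keeping demographics and purchase history."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]

def quasi_key(record, quasi=QUASI_IDENTIFIERS):
    return tuple(record[q] for q in quasi)

def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing identical quasi-identifier values.
    k == 1 means at least one person is singled out by those attributes alone."""
    return min(Counter(quasi_key(r, quasi) for r in records).values())

def unique_fraction(records, quasi=QUASI_IDENTIFIERS):
    """Share of records whose quasi-identifier combination is unique in the set."""
    counts = Counter(quasi_key(r, quasi) for r in records)
    return sum(counts[quasi_key(r, quasi)] == 1 for r in records) / len(records)

def generalise(records):
    """Coarsen DOB to birth year and postcode to its outward code (e.g. 'SW1A')."""
    return [{**r, "dob": r["dob"][:4], "postcode": r["postcode"].split()[0]}
            for r in records]

if __name__ == "__main__":
    anon = de_identify(CUSTOMERS)
    print("PII dropped:  k =", k_anonymity(anon), "unique =", unique_fraction(anon))
    coarse = generalise(anon)
    print("generalised:  k =", k_anonymity(coarse), "unique =", unique_fraction(coarse))
```

With only the names and emails removed, every record in the sample is still unique on gender, date of birth and postcode (k = 1), which is exactly the re-identification risk described above; coarsening to birth year and outward postcode raises k to 2 while keeping the spending data intact.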
8. Data protection laws cover multiple facets
In accordance with GDPR, consumers have eight basic rights in terms of personal data and data protection. To comply with GDPR, your company must respect the following rights or face severe penalties:
The right to access: Individuals have the right to request access to their personal data. They may also inquire as to how their data is utilised, processed, stored, or transferred to third parties. If requested, you must provide a free electronic copy of the personal data.
The right to be informed: Individuals must be informed and must give explicit (not implied) consent before their data is collected and used.
The right to data portability: Individuals may transfer their data at any time from one service provider to another. The transfer must be in a widely accepted and machine-readable format.
The right to object: If a user objects to your usage or processing of personal data, they can request that you stop. When the user makes this request, all processing must come to a halt, with no exceptions.
The right to restrict processing: Individuals can request that you stop processing their data or a specific type of processing. If they like, their data can remain in place.
The right to be notified: Individuals are entitled to be notified if their personal data is compromised as a result of a data breach. This must occur within 72 hours of your organisation discovering the incident.
The right to rectification: Users may request you update, complete, or amend their personal information.
The right to be forgotten: Users have the right to data erasure if they are no longer customers or if they withdraw their permission to use their personal data.
These rights offer individuals significant control over their data. They now have a plethora of tools at their disposal to limit and prohibit organisations from exploiting their personal information.
9. Data breaches must be reported promptly
One of the rights that GDPR gives users deserves more thorough discussion because it’s a point many businesses fail to take into account during a cybersecurity breach. The Right To Be Notified states that, within 72 hours of your organisation discovering the incident, a user must be made aware that their personal data has been compromised as a result of a data breach.
While a security breach may have you fighting fires in-house, there must be systems in place to communicate with affected users as quickly as possible. This could be one of the most substantial changes in practice for firms in the United States, where timelines aren’t as tight.
10. External cybersecurity services can help
Complying with data protection regulations can be an overwhelming task for a business of any size. Many companies are either muddling through, hoping for the best, or are so afraid of falling foul of a breach that they avoid collecting data, missing out on many potential benefits.
Whether your firm has grown quickly and you are trying to get your security framework in place or you’d like an expert to cast their eyes over your existing processes, cybersecurity consultants can help.
At Loopli, we provide digital security and compliance protection to businesses of all sizes. Tailoring solutions to meet your needs, we get to know your company, industry and current security framework before creating a system that can evolve with you.
If you have doubts about your compliance with GDPR or want support getting your business ready for UK SOx regulations, we can help. Get in touch today to speak to a member of our team.