Do you know what people mean when they talk about “pseudonymization”?
Have you measured the resilience of your CRM (customer relationship management) lately?
How do you know if your files have been stolen?
CEOs haven’t had to worry much about these things in the past. But this is about to change. The new EU General Data Protection Regulation is bringing these questions to the attention of all businesses operating within the EU. European companies now have a little over two years to update how they protect their systems and secure their customer databases in accordance with the new regulations.
Even under current laws, the largest penalties companies face from privacy issues come from having insufficient security measures. The new regulations are going to make these penalties much more severe. Fines will now be up to 10 000 000 Euros, or 2% of your company’s global revenue. It makes sense to protect yourself in advance to avoid them.
But money will not be the biggest problem.
Under the new regulations, companies won’t be able to cover up breaches of their customer data systems or HR files. The new regulations require companies to notify the data protection authority for their country within 72 hours of discovering a breach, and possibly their customers as well. Hence, security incidents are no longer “just” security issues. They’re now tightly linked to the reputation of your company and brand.
Are you willing to endanger the reputation and business of your company?
Why the change
Times have changed, and in the heavily digitalized 21st century, the EU has decided that everyone needs to start acting accordingly.
The old EU privacy framework – created in 1995 – was clearly becoming obsolete. Also, the fact that all EU member states interpreted the rules in their own way didn’t actually help European companies make the most out of the presumed “single European market.” When the European Commission set out to update the legislation and (ostensibly) lessen the burden on companies, their efforts coincided with phenomena like the emergence of global Internet giants (Facebook, Google), seemingly excessive data collection practices, an increase in personal data breaches, and the Snowden revelations.
The combination of these factors emphasized the need for new privacy safeguards, and the new law attempts to update and harmonize the rules on processing customer/employee data everywhere in the European Union. In practice, this means that your company now has to re-verify and document that you have a legally valid basis for handling customer data. It also means you will need to prepare your CRM in a way that ensures data that doesn’t meet certain criteria can be removed or suspended while you dispute whether you can store that piece of data.
Furthermore, companies must be prepared to give back the data collected from customers. The first steps in any customer profiling must become more transparent, and collected personal data must be assessed and secured according to the risk it carries for customers.
Should I be concerned?
This might seem like fearmongering, but the point is only to emphasize that personal data is more of a responsibility than a free asset for your company. At F-Secure, we’ve seen how much room for improvement there is in the way that companies safeguard their crown jewels. Most companies’ data is too easily available to attackers – the bad guys that everyone’s worried about.
The world of big data has ushered in a dogma of ‘collect everything’ – whether it’s relevant or not. Core values related to personal privacy have been shoved aside in favor of this approach.
Accuracy, relevancy, timeliness, and erasure of obsolete data are all norms being brought about by the Regulation, and they now need to be carefully considered when handling any data. Companies should appreciate these simple privacy-centric principles, as they work for company data just as well as they work for customer data. This is particularly true of deleting obsolete data, as it removes unnecessary clutter and makes information easier to manage.
This also helps in mitigating your risk – data that’s been deleted cannot be misused, stolen or lost.
What to do?
You can start by looking at your company’s IT security with a critical eye. Choose your partners carefully. Make sure they are up to date, not only with the regulations, but also with what the bad guys are doing. Make sure they use the latest technology and have privacy on their agenda.
After all, this might be the most business-critical decision you’re making for the future of your company.
In whose hands are you willing to leave your reputation, your brand, and your customers?
-Written by Hannes Saarinen, Manager, Intellectual Property and Privacy, F-Secure