While the implementation of the General Data Protection Regulation (GDPR) might feel a lifetime ago, it is still very much relevant. We have all heard about the ICO issuing heavy penalties to companies including Facebook, which received warning of a £500,000 fine for its part in the Cambridge Analytica scandal, and you might’ve lost count of the number of e-mails you’ve received pleading for you to opt in. It’s all very confusing, and it still isn’t entirely clear what GDPR is asking, or what businesses should ask of their customers. However, the email opt-in overload is just the tip of the iceberg. It is the underside of GDPR that businesses should be wary of, and the external threats to the sensitive data they possess on their networks. If businesses have out-of-date network security, they run the risk of a serious attack on that network, resulting in a breach of data.
But when the law gets involved in data protection none of us really has a choice — we either comply or risk serious consequences. And these consequences are not merely legal: if you suffer a data breach, the Information Commissioner’s Office (ICO: the body responsible for enforcing GDPR) will not be the only entity to respond and dent your balance sheet. Once your customers and potential customers get wind of the problem, your reputation will inevitably be damaged, and that is likely to mean loss of business and a poor public profile. What’s more, businesses will face fines of up to 20 million euros or 4 per cent of their annual global turnover, whichever is higher.
Although GDPR has only been enforceable by the authorities since May 2018, it has been clear for some time that businesses have assumed it won’t impact them. However, it affects everyone who manages European consumer data, no matter where they are based or what size their business is. Businesses must prioritise data protection or face the wrath of GDPR. For example, some of the biggest names in the UK — Thomas Cook, Butlins, Ticketmaster UK, even the British Government — have experienced massive data breaches.
You’re only as strong as your weakest link
A business’s network is its weak spot, simply because that network is the portal to data. Therefore, European law has brought in GDPR and demands that businesses do everything they can to protect that data. As a business, your promises around data protection are not the point; it’s your behaviour that counts most. Data handling procedures and protocols must be compliant in practice, and your network must be secure from cyber-attacks.
But if big businesses can’t manage it, how can smaller ones protect themselves?
There isn’t a network in the world that is utterly and completely unbreachable, but that’s not what GDPR is asking. GDPR simply requires that you do all you can do to assure data security. So, alongside updated policies and procedures, you must have a network that you know and can prove is as secure as it can be.
SOHO is the answer
If you are a sole trader or running a small business, generally you require a small office/home office (SOHO) network. This is basically a local area network (LAN), configured to cater for both domestic and small business use. In particular, a dedicated SOHO network device is likely to include a greater level of security and encryption than most standard domestic routers, particularly older models, along with VPN provisioning and/or encryption.
This elevated standard of security matters when it comes to GDPR compliance, not least because many small business operators routinely carry out business transactions, such as online banking or accounting, that are prone to human error, leaving them more vulnerable to cyber-attacks than they realise.
Now consider the type of data that you send back and forth across that network, and how often you do so. What would it mean for your business if that connection were exploited maliciously in the manner suffered by the NHS in 2017, when it was hit by a cyber-attack?
As businesses become more reliant on technology, the threat is increasing for those who still rely on an outdated, or even obsolete, domestic router to administer their business. That’s where GDPR comes in. If you are handling data, even if you do so in a GDPR-compliant way, but are using an insecure network, you are very vulnerable.
The more you move that data around or store it remotely, the more vulnerable you become. Even though your GDPR-compliant protocols may mean your data is largely anonymised, and that data no longer required is promptly deleted, you will nonetheless have current and sensitive data on your system, even if that’s only your clients’ names and contact details.
Despite what people may think, GDPR is a much-needed protection, not an unreasonable piece of regulation. While implementation may have become caught up in confusion, it’s not that much of a challenge for small businesses to comply as long as they remember that their real vulnerability lies not in failing to send out e-mails, but in failing to protect networks. To protect against external threats, businesses should be looking to adopt security that is up to date – in fact, some network providers believe in this so strongly that they currently have a trade-in and trade-up policy. External threats will continue to evolve, so it is imperative that networks are constantly ahead of the game.
Thorsten Kurpjuhn, European Market Development Manager, Zyxel