
IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
November 21, 2012


SMEs and changes to the Data Protection Act

The measures merchants will need in order to comply with the proposed European Union data protection regulation, published in draft by the European Commission in January 2012 and expected to take effect in 2014, should be implemented now if those merchants want to genuinely protect their businesses.

Though the regulation is not expected to take effect for another year, the processes involved and the scale of change to be implemented mean that savvy businesses will begin the journey now rather than wait and risk the consequences of being unprepared.

So what’s changing?

UK organisations should already have practices and procedures in place under the Data Protection Act 1998 (DPA), which is intended to protect the personal data organisations hold from compromise or theft.

While each EU member state currently implements the 1995 Data Protection Directive in its own national law, the European changes planned for 2014 will unify data protection practice across the EU, standardising the requirements for public disclosure of a breach and the penalties incurred when a business that has failed to adequately protect its data suffers one.

Larger organisations are typically aware of their obligations under the existing DPA and of how to future-proof systems and processes against the changing regulatory road map. But what will all this mean for SMEs?

No less susceptible to data breaches

Smaller organisations are no less susceptible to data breaches and are increasingly seen as easier pickings than larger enterprises. They often lack a dedicated data protection officer or chief security officer, so the 'policing' role is foisted upon the business owner or simply delegated to an employee.

The proposed legislative changes are a clear message that Europe's lawmakers take data protection seriously, and SMEs have no option but to implement appropriate processes and procedures. Otherwise they may well face the ignominy of a data breach, and the consequences that follow it.

For organisations that store or process payment card transactions, the significant change 2014 will bring is that payment card information is classified as personal data and legally treated as such. Businesses will therefore have to ensure their security and compliance processes are up to scratch to meet the mandated requirements and avoid legal action.

Fortunately, the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements established by the major card brands, provides the necessary rigour and forms a good basis for protecting both payment and non-payment data, provided it is correctly implemented and continually enforced.

There is a counterpoint, however: a breach resulting from a failure to enforce PCI DSS correctly exposes a merchant to penalties under both regimes, the card schemes' contractual fines under PCI DSS and the regulator's fines under data protection law.

Formally declaring a data breach

As things stand today, when data is lost or stolen only government bodies and the telecommunications industry are required to formally declare that a breach has occurred. Once the EU regulation is in place, investigation by the relevant authorities will be standard across all sectors.

So too will be the requirement to proactively notify victims and regulatory bodies alike.

If an organisation fails to adequately protect data, the proposed fines run to as much as 2% of annual global turnover. On top of that, the forensic investigation a breach requires is exceptionally disruptive for any organisation.

SMEs are the sector most likely to suffer from lost trading time following a breach, and they generally lack the public relations mechanisms and responses available to larger enterprises.

If a breach occurs, it will also become mandatory to inform all affected parties, further eroding customer confidence at a time when the business can least afford it.

Organisations of all sizes also have a responsibility to safeguard their employees' personal information. This is frequently overlooked in the SME sector, but losing employee data can be as damaging as losing customer data, since it just as easily forms the basis for identity theft.

Working with third parties

Under data protection law, an organisation remains responsible and liable for its own compliance, including for the personal data it entrusts to suppliers and other third parties.

Merchants should build regular supplier and partner audits into those relationships so that they stay informed about the security measures actually in place.

Audits of this nature should include, for example, checking whether end-to-end encryption is relevant and, where it is, whether it is in place. Encryption is advisable wherever particularly sensitive data is carried on portable devices such as laptops or sent by e-mail.

Data protection law also requires a written contract with any supplier that processes personal data on the organisation's behalf, typically captured alongside the service level agreement (SLA), obliging the supplier to act only on the organisation's instructions and to apply appropriate security measures. These arrangements need to be checked regularly, as their absence is viewed in a very dim light by regulators should a data breach occur.

What to do before 2014?

Before next year, SMEs would be wise to get up to speed on security and prepare for further regulation.

Good practice today will put SMEs in a more stable position with consumers, employees and European regulators. Establishing a reliable supplier network will also relieve the strain of complex data protection issues, paying off for merchants in the long term.

Important factors to be considered now by SMEs are:

  • regular and consistent staff training on data protection
  • building long-term relationships with qualified security vendors, backed by supplier due diligence and regular supplier/partner audits
  • executing audits and privacy assessments
  • taking the time to understand all the elements of data protection, including point-to-point encryption, agreed service levels with suppliers, data breach notification and data transfer compliance

What will happen if SMEs fail to act before 2014?

Security breaches are an unfortunate but regular occurrence in the UK. Today most go unreported, as there is no legal requirement to report them outside the telecoms and public sectors.

That is set to change, and businesses that are not prepared will find themselves in breach of a legal requirement.

Enterprises and corporations that suffer security breaches have the scale, legal support and policy procedures to deal with incidents swiftly and minimise their impact; small businesses lack these resources and remain exposed to the ramifications of a potentially crippling breach.

With the upcoming regulation increasing the consequences of a data breach, SMEs that have no procedures in place, or no in-house expertise to cope with the damage of such a breach, may well struggle.

Bill Farmer is CEO at Mako Networks
