Europe's data protection rules pose challenges for SMEs

LESS than a month into the full effect of the General Data Protection Regulation (GDPR), Premier League football club Arsenal FC have already been accused of being in breach of new legislation, putting both fans' data and their bottom-line at risk. Meanwhile, UK-based electrical and telecommunications retailer Dixons Carphone became the first organisation to report a major data breach which, under GDPR rules, could cost the company as much as £400 million (S$716.7 million).

The GDPR, replacing the Data Protection Directive, grants the European Commission a powerful enforcement tool in the shape of potentially hefty fines for non-compliance. For small medium-sized enterprises (SMEs) in particular, this means even the smallest error could spell ruin for the business.

However, prior to the advent of the GDPR, data from the UK's Federation of Small Businesses suggested that fewer than one in 10 SMEs were ready for the changes. Meanwhile, closer to home, a poll by EY revealed that, as at February 2018, only 10 per cent of companies in Singapore had made plans to comply compared to an average third of businesses globally.

SMEs in Singapore may think they are far from the threat, but in this globalised world of interconnection, the reality is that not only has collected personal data been restricted in its use, the geographical scope in terms of data and companies affected has also increased. Meaning, the regulation holds the potential to have global implications - that's for all of us. We are players in this game where the rules have changed and to stay in the game, we must adapt.

AFFECTED, OR NOT?

To begin, the player must ascertain if the rules apply to them, that is, is your company affected by the GDPR? The key criterion to this is whether you show "intention" to deal with EU residents or companies. It doesn't take much to demonstrate this "intent" - as long as your website offers local language translation into EU languages (apart from English), offers currency conversion into EU currencies or targets the EU with adverts, the intention is implicit and compliance is mandatory.

Additionally, all people, including travellers heading to the EU, are protected by the GDPR. For example, if a Singaporean goes to London on vacation and uses a made-for-Singapore app on their phone which collects profiling data (eg location tracking, wellness monitoring etc), the GDPR applies and the company behind the app must (in theory) comply.

Per the GDPR, data processors are now jointly liable with data controllers in cases of non-compliance. For clarity, the company serves as the data controller if it decides "why" and "how" data is processed, while its sub-contractors or external partners who help to process the data under the instructions of the company are data processors. All existing contracts, as well as new, must comply with GDPR requirements.

To ensure compliance, a company should have a full understanding as to which contractors, channel partners and vendors are processing their customer data, and review all contracts from the perspective of both parties as either side can now be held accountable for any breach in data security.

HOW CAN DATA BE USED?

For many SMEs, the temptation is to take an "any data is precious data" stance - like spare change kept in your back pocket, you never know when it could come in handy. Unfortunately, with the GDPR in effect, the more unused data you store, the more your company runs the risk of non-compliance. Pressure is at an all-time high on SMEs to change the way they process data.

The six lawful reasons for processing personal data as extracted from the GDPR are consent, contract, legal obligation, vital interests, public task and legitimate interest. Of the six, consent and contract will be the most relevant for the vast majority of companies outside the EU.

Once the relevant personal information you have stored within your organisation is identified, a check must be carried out on the lawful basis for having this data, otherwise, you must stop asking for personal data you don't need.

Before that lies the challenge in where to seek out stored and unused data, especially since the increased use in cloud computing, BYO devices in the workspace and general copying and proliferation of files represent a substantial problem. It's worth investigating the following areas:

  • Cloud apps, including shadow applications not approved by the organisation;
  • Cloud storage;
  • Online file-sharing services;
  • Removeable media such as USB drives;
  • Physical storage (file cabinets);
  • Temporary files and other unstructured data;
  • Sandbox/test systems;
  • Backup systems;
  • Employee devices;
  • Third-parties - including contractors, supply chain providers and channel partners.

While each one of these areas is relatively easy to map out on their own, the real problem for many organisations lies in combinations: Individual business units may use cloud providers without the knowledge of the IT department; they may have deployed multiple test systems on these cloud platforms - many of them no longer in use but still in existence - and they may have backups of these test systems both online and on USB sticks.

This would not really pose a problem until it is paired with the fact than many developers break protocol and use real data in test systems.

The ramifications of non-compliance can result in insurmountable reputational and financial damage for all businesses. This is especially so for SMEs, who, without heavy reserves, will find weathering through the storm an almost impossible feat.

We're not yet sure how the law would be enforced in the case of a non-compliant company without a nominal legal or economical presence within the EU. However, even the potential of a devastating punishment should compel any company that has a reason to believe they are affected by the GDPR to act to ensure compliance.

As in the case of Dixons Carphone, which is currently under investigation, you certainly don't want to be the first one to find out.

  • The writer is principal analyst, Digital Transformation & Cloud Computing, Ecosystm