Privacy and data protection are not just buzzwords. They are serious consumer concerns that are driven by an increasing number of data breaches and cybersecurity threats — which then compromise consumers’ personal information and erode consumer trust.
According to RSA’s Data Privacy and Security Survey, which surveyed 7,500 people across five countries, consumers report that they are paying more attention to online security breaches. And they are holding companies accountable when their information is stolen.
Here are two key findings from that survey:
- 73 percent of respondents are more aware of data breaches than five years ago.
- 62 percent said they would blame the company that lost their data before blaming the hackers.
Across the board, consumers are showing that they’re becoming more protective of their digital privacy. Remember, a breach of consumer data doesn’t have to entail premeditated theft or mass violation of private information. When a third party buys a company’s list of email subscribers then sends unsolicited emails to that list, that can also constitute a data breach.
None of those activities sit well with consumers, and those consumer sentiments are forcing companies to rethink how they protect consumer data online.
Those sentiments are also forcing governments to take a more active approach in regulating the protection of consumer information. Some governments are beginning to enact laws that give consumers more ownership of their data, no matter who stores that data.
One such regulation is the European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, 2018. This data protection standard — designed to empower consumers so they can grant or withhold consent regarding who can access their data — presents serious challenges for eCommerce companies.
But it is a challenge that companies should welcome as an opportunity to forge better relationships with consumers.
If consumers are more likely to blame a company for data breaches, they may also be more likely to praise a company that works with them to protect their data. Therefore, organizations would be wise to show they want to protect their consumers by working swiftly for GDPR compliance.
The Scope of GDPR
The General Data Protection Regulation standardizes data protection laws across all 28 member states in the European Union. The key goal of the regulation is to create a more consistent protection of consumer data across EU nations.
The GDPR is a very comprehensive regulation, containing more than 200 pages and more than 90 articles. Nate Lord at Digital Guardian pinpoints some of the key requirements of GDPR that will have significant impact on businesses:
- Consent for data processing
- Anonymized and transparent data
- Notifications of data breaches
- Right to erasure
- Data protection officers
- Penalties for non-compliance
As MarTech Today notes, at its core GDPR protections enforce clear and concise processes and communications, which are done with explicit and affirmative consent of the consumers. To that end, GDPR protects any information that can be used to directly or indirectly identify an individual. This includes basic identifying information, web data, health data, ethnic data and political opinions.
To be GDPR compliant, companies must handle any data that is personal to consumers carefully and provide consumers with various ways to control, monitor and delete their information if they so choose.
The GDPR applies to two primary groups of entities:
- Firms located in the EU
- Firms not located in the EU that offer free or paid goods or services, or that monitor the behavior of EU residents
So, even for US-based eCommerce companies that sell primarily to US consumers, something as simple as an AdWords retargeting campaign could qualify as monitoring the behavior of EU residents.
For non-EU eCommerce companies, then, there are two options: Get GDPR compliant or completely lose access to the EU consumer market.
The second option would be cumbersome and shortsighted. Just think about how much work it would take to block EU citizens from window-shopping on your site.
Instead, the smart move is to get compliant with GDPR — and consequently to honor the demands of the consumers whom you’re marketing and selling to.
Why GDPR is Good for eCommerce
Kris Lahiri, co-founder and chief security officer at Egnyte, says the GDPR gives consumers significantly more control over the data they have entrusted to companies.
The key idea here is “trust”: GDPR intends to set new ground rules for business-to-consumer relationships, and in this new landscape direct-to-consumer sales success will depend on a retailer’s ability to demonstrate trustworthiness. As we’ve seen, nearly two-thirds of consumers argue that the responsibility for data protection falls on the company that collects it. By taking that responsibility as seriously as the law demands, online retailers can demonstrate their trustworthiness to consumers.
Again, GDPR isn’t simply a data-security measure. This is a progressive law that forces companies to honor EU consumers’ rights to ownership of their own data. This law says, among other things, that an EU citizen has the right not to be targeted by marketing messages without first opting into that conversation.
In industries such as eCommerce, where consumer loyalties must be earned over time, honoring a consumer’s right to privacy isn’t merely a good thing.
It’s a fundamental element of trust.
Crunching Numbers: The Business Case for Being Proactive About Compliance
The workload on businesses to become compliant is potentially heavy, depending on an organization’s current security structures and processes, and how divergent they are from GDPR. GDPR compliance also has the potential to be very costly for companies. According to a Propeller Insights survey from March 2018, 36 percent of companies plan to spend between $50,000 and $100,000 on GDPR compliance efforts. Another 24 percent will spend between $100,000 and $1 million.
But those monetary investments could pale in comparison to the loss of business if consumers lose their trust in an organization. Having their privacy protected online is paramount to consumers, and they have the power to harm companies that are not doing enough to protect them.
In making the efforts for GDPR compliance, organizations can turn regulation into sound business practices that they can use to build better relationships with consumers.
Also, from a business perspective, investing the time and money upfront for compliance can save companies money in the long run by preventing costly breaches. According to the 2017 Cost of Data Breach Study by the Ponemon Institute, the average cost of a data breach is $3.62 million. That’s a significant amount of money for a preventable cause.
By implementing the security requirements of GDPR, companies might be spending a five-figure sum now to avoid having to pay a seven-figure sum later.
How to Prepare for GDPR Compliance
Preparation for GDPR will vary by organization, but here are a few basic steps eCommerce companies can take to get moving in the right direction.
1. Get All Stakeholders Involved
The first thing to do is to set up a GDPR task force that includes team members from every level of the organization. Any group within the company that collects, analyzes, processes or otherwise interacts with consumer data should be included. These team members can easily share any information that can be helpful to implementing the necessary changes for GDPR compliance, as well as deal with the impact to their respective teams.
To motivate the task force, Peter Beshar at Marsh & McLennan encourages companies to set a tone of awareness and urgency at the executive level that trickles down through the organization and promotes the importance of compliance.
Personalize the regulation for more impact. Nobody wants their private information compromised. Use that angle when stressing the importance of compliance. By making it personal, your team members will better understand the value of the work needed to be done to make the organization compliant.
The GDPR is extensive. All stakeholders need to be trained on GDPR requirements, which involves developing training sessions, providing informational resources and consulting with employees on an regular basis, explains David Lat, founding editor of Above the Law. It’s crucial that the information be presented in a way that everyone can understand and digest the materials, so visuals such as posters and videos can be great tools to explain the intricacies of GDPR.
2. Implement a SIEM Tool
GDPR requires controllers to track and record all processing activities under their responsibilities, and most organizations utilize a Security Information and Event Management (SIEM) tool to do this, notes Javvad Malik, security advocate at information security company AlienVault.
A SIEM tool collects data from a network of hardware and software systems and analyzes the data in real time to correlate events and spot anomalies or patterns of behavior that can indicate a security breach, technology writer Paul Rubens explains in a report for eSecurity Planet. SIEM tools manage security logs across various devices, spotting threats, preventing and detecting breaches, and providing forensic evidence to determine how a security event occurred and its potential impact, Rubens notes.
Before implementing a SIEM tool, be sure to create an inventory of all critical assets that have access to consumers’ personal information, suggests Malik. And don’t forget to include mobile devices in the inventory. A survey by mobile security company Lookout, Inc. shows that 63 percent of enterprise employees access customer, partner and employee data while on a mobile device.
Knowing this information ensures all necessary systems are included for data collection by a SIEM system.
3. Conduct Risk Assessments
In a very broad sense, GDPR regulations require companies to implement security measures that are appropriate to risks facing their systems. The regulations purposely do not define risk, leaving it up to the organization to determine how best to approach risk and achieve GDPR compliance.
A thorough risk assessment includes both identifying risks and creating mitigation plans to combat those identified risks. Matt Middleton-Leal, EMEA general manager at cybersecurity and compliance company Netwrix, suggests a few steps for businesses in their efforts to conduct risk assessments:
- Review alternative compliance standards for inspiration (e.g. PCI, DSS).
- Classify data so that everyone knows and understands all data points and their sensitivity.
- Identify specific risks and weigh them on a risk/benefit ratio.
- Assess continuously.
It’s best to consult with your legal team throughout the entire GDPR compliance process, but this step in particular is one where legal can be a crucial partner. Legal can help steer your risk assessment, help with ongoing planning and continually check in on your compliance.
4. Implement Threat-Detection Controls
The GDPR requires companies to report security breaches within 72 hours. In order to meet this demand, organizations must have the proper threat detection controls to trigger immediate alerts when a breach occurs. The controls must be sufficient to allow for response within that small window of time.
Sara Pan at data security company Imperva suggests asking questions such as:
- “Who is accessing the data?”
- “Is the access appropriate for the user?”
- “How do we achieve the fastest incidence response?”
Threat detection isn’t a set-it-and-forget-it process. It requires continuous monitoring for internal and external threats, so it is important for companies to also set up processes for continual assessments and have a detailed incident response plan. The response plan needs to focus on investigating the incident to determine the source and the process for containing it.
By regularly testing these processes and plans, companies are better positioned to respond to threats and attacks in a GDPR-compliant manner.
This is a Chance to Champion Consumer Data Protection
The GDPR plans to impose monetary penalties on companies that are non-compliant starting on May 25, 2018. There are two levels of fines that organizations need to be aware of, and are explained in more detail on GDPREU.org.
- Lower Level: Up to €10 million or 2 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
- Upper Level: Up to €20 million or 4 percent of the worldwide annual revenue of the prior financial year, whichever is higher.
Though the fines are hefty, the focus for companies needs to be more on implementing the appropriate processes to ensure data protection and privacy, not taking shortcuts just to avoid penalties. By attempting to circumvent processes just to avoid fines, organizations risk the ire of not only regulatory agencies, but of the consumers who keep them in business. The GDPR was not passed to punish businesses, but to protect consumers.
With that goal in mind, organizations should be motivated to show consumers that they care about protecting private information and are willing to put security measures in place that have the consumers’ best interests at heart. All of the energy and resources spent on compliance will pay off when consumers are more willing to do business with the companies they trust.
But it will take a dedicated efforts by companies. With the May 25 deadline looming, organizations need to be actively pursuing GDPR compliance.
Disclaimer: This publication does not constitute any kind of legal advice and should not prevent you from obtaining your own legal advice from a qualified attorney. Additionally, this article is not a legally-binding document and is not for execution. The content provided in this article is subject to change and does not reflect in its entirety the requirements under applicable legislation. In providing this publication, Scalefast makes no representation that it will execute any legally binding document and reserves the right to withdraw from discussions without incurring any kind of liability at any time.
Images by: Comfreak, rawpixel.com, Free-Photos