GDPR is in Full Force – Are You Compliant?

Joe Robinson

By Joe Robinson . 15 June 2022

VPN Expert

Many small businesses widely misunderstand the European General Data Protection Regulation. It’s one of those topics that many people have some idea about and are keen to talk loudly about while frequently missing the point, although few understand it.

At its core, GDPR governs how businesses must protect EU citizens’ data and sets out specific obligations for those who control or process personal data.

The regulation came into force on May 25th, 2018, and replaced the 1995 EU data protection directive, which allowed each EU member state to govern their own rules, leading to a disparity in the way data protection was enforced across the EU.

GDPR created a standard set of rules across the continent and enforced penalties for misuse and data loss.

Related: GDPR fines list
Related: GDPR compliance
Related: Peoples’ rights under GDPR

Despite what many marketers believe, GDPR is not a marketing issue. Sure, some marketing processes are affected, but at its core, GDPR isn’t concerned with marketing but rather how companies obtain, store, and process personal data.

The point of GDPR is not to catch small businesses but to protect EU citizens’ digital information and set a standard for data privacy that leads the world.

Identity fraud is growing year on year. For this reason, data protection should be a massive concern for any company that processes personally identifiable information (PII).

GDPR adds protection through a legal framework that all companies controlling or processing European citizens’ data must abide by.

GDPR requires organizations to notify the Information Commissioner’s Office (ICO) of a personal data breach and allows citizens to complain against any organization they think is wrongfully collecting or processing their data.

The text of the GDPR can be read at https://www.privacy-regulation.eu/.

Spike in breach notifications and complaints since GDPR

google-fined-gdpr

Since May 25th, 2018, breach notifications and data protection complaints across Europe have increased significantly.

According to the European Commission, Between May 25th and December 31st, 2018, there were 95,180 GDPR complaints from individuals. DLA Piper reports that in the eight months since the regulations came into force, there were over 59,000 data breach notifications and 91 fines.

The largest fine isn’t connected to a data breach but non-compliance regarding data collection and was handed to Google.

Google fined €50m

In January 2019, the French data regulator, CNIL, fined Google €50m for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”

CNIL decided that Google had “no valid legal basis for processing the personal data of the users of its services, particularly for ads personalization purposes.”

According to CNIL, Google had not obtained explicit consent to process data because “Users cannot fully understand the extent of the processing operations carried out by Google” as essential information was “excessively disseminated across several documents.”

So, where did Google fall foul of the law?

While Google claims they do obtain the User’s consent to process data for ads personalization, the committee decided that the license is not valid for two reasons:

First:
“User’s consent is not sufficiently informed. “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.”

Second:

“Collected consent is neither specific nor unambiguous. “The user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked… consent is “unambiguous” only with a clear affirmative action from the User.

Finally, before creating an account, the User is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy » to create the account.

Therefore, the User gives their consent in full for all the processing operations carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if given distinctly for each purpose.”

Now, having a pre-ticked box is just asking for trouble as it’s specifically against the terms of GDPR. The part I find most interesting is that even though users agreed to process their information, the consent is not considered valid. Users had to tick a single agreement box to consent to all Google’s data processing. Therefore not unambiguous.

This decision may have set a precedent that will likely have significant implications for Google and any company that collects user data as part of its business model.

Types of personally identifiable information

biometric eye scan
Any data you store about a person is personal data. Certain types are personally identifiable information (PII) in that they can be used alongside other pieces to identify an individual.

The sheer amount of PII floating around is more than most people realise.

The obvious ones are name, date, place of birth, social security, tax ID numbers, vehicle registration, etc. Still, PII also includes racial or ethnic origin, biometric data such as iris and retinal scans and fingerprints, and digital information such as email address and IP address.

Allowing unauthorized access to these pieces of data can be highly damaging to the individuals concerned. While losing a single part of PII is unlikely to harm a person, when several elements are combined, they can be used to open fraudulent credit card accounts, falsify police reports, and even take out a mortgage.

We’d hope that the bank or other organization would help clear up the situation. Still, these types of identity theft can impact a person’s financial and mental well-being for many years.

Why companies get fined

There are three ways to get into trouble with GDPR.

  • Collect data without abiding by the regulations, leading to a user making a complaint.
  • Don’t take necessary precautions to protect the data, suffer a breach, or lose the data.
  • Not be able to demonstrate compliance when an investigator requests it.

It is identifying personal data and conscious of how your organization keeps it protected in its three central states – in use, rest, and motion.

From this, you can establish a framework for securing PII and GDPR compliance that can be demonstrated during an inspection.

Avoiding a breach

data breach

The lengths you go to regarding cyber security depend on which data you collect. For many small businesses that don’t directly manage or control their customers’ data, the services they use often provide protection.

A business collecting email newsletter signups on their website, for example, will generally have all data encrypted by their email list integration, such as customer.io or Mailchimp, and use HTTPS to protect the data in transit between the user and the website.

However, getting proper consent is still extremely important irrespective of which tools a business uses to store and process customer data.

Any business that collects, controls, or processes any personal data of EU citizens must take careful steps to avoid a data breach.

Even without substantial GDPR fines, a data breach is terrible PR and leads to decreased trust in an organization, as the extramarital dating site Ashley Madison discovered in 2015 when attackers leaked the personal data of 37 million users 2015.

GDPR doesn’t specify how organizations should integrate technology to meet the requirements because cyber security is constantly evolving and requires frequent updating.

Each organization is free to implement its security as they please, so long as it keeps user data safe per the requirements of GDPR.

So what should small businesses do to comply with GDPR and avoid data breaches?

Strong passwords

Ensuring all employees use strong passwords is essential to any organization. Tools such as Lastpass have become very popular for a good reason. Enterprise-level password managers allow businesses to easily integrate and enforce strong passwords throughout their IT systems at a low cost.

This allows the passwords to be encrypted, so they never need to be vulnerable.

Email protection

One of the most common ways for company networks to become infected is through viruses spread via email. An enterprise-level email scanning solution significantly reduces the risk of email-borne threats by implementing layered security that checks elements of all incoming emails, such as identity validation and authentication, AntiSpam lists, attachments, and images.

Cloud storage

Instead of storing customer data or any other PII on local machines that are entirely the responsibility of the business, consider moving everything to a secure cloud-based storage system such as AWS.

These solutions are provided by large companies that invest a considerable amount of money into their security systems so your customers can benefit from the increased privacy and you’ll stay on the right side of the law.

Education

Employee training is one of the most effective methods of keeping your company’s data safe, especially where social engineering attacks are concerned. Even introductory cybersecurity courses help foster a culture of data protection, raise awareness of risk, and help keep employees diligent.

Even the most advanced technological security systems can’t protect a business against employees making judgemental errors, so ensure everyone is on the same page.

Principles of least privilege

Not everyone at an organization needs to access all company information. Just as most employees won’t have access to payroll details or bank accounts, personal information needs to be segmented so that only essential elements of someone’s job are accessible.

Beware of BYOD

Bring your device has quickly become a staple within startups and enterprises alike and has many benefits such as time and cost savings and increased productivity. The danger of BYOD policies is that employees can unintentionally create a situation where standard security policies are ineffective and may increase the risk of a breach.

Some concerns regarding BYOD are physical theft of devices that have access to PII, malware, and data interception – if a compromised machine sends data, it could be a GDPR liability.

If you must allow BYOD, there are a few ways to mitigate the risks:

  • Encourage staff to keep Bluetooth turned whenever not specifically being used. Bluetooth is very insecure.
  • Make everyone aware of the importance of strong passwords.
  • Make sure people know the dangers of connecting to untrusted WiFi networks, and encourage the use of a VPN on mobile devices where appropriate.
  • Ban rooted or jailbroken devices as they open the door to various attacks.

Social engineering

Social engineering is the biggest threat to data confidentiality today. As we’ve seen repeatedly, even large enterprises with solid cybersecurity frameworks are frequently hit by attacks.

One of the ways this is possible is through social engineering or tricking someone into giving you information.

Social engineering is often the entry point for a larger technical attack.

Technical exploits are complicated to pull off without being detected if a business has decent security. Still, a social engineering attack could be as simple as claiming to be a technician who needs to access a logged-in computer to run some quick tests or updates.

The classic social engineering attack is the phishing email that is so enticing that an employee or manager can’t resist opening it and opening an attachment.

Now, companies will often already have safeguards to minimize the chances of this happening, such as email scanning. Still, all too, someone will see an interesting-looking email in their spam folder and decide to open the attachment.

Website security

Having done a fair bit of SEO and online marketing work, I’m astounded by the number of people asking if they should implement HTTPS and whether it’s worth doing it as a “ranking factor” for SEO.

I always point them to this excellent article and mention that securing your website is not an SEO issue but rather an important security measure for any website.

An SSL certificate doesn’t just provide security to people entering information on your website but also authenticates that your users are experiencing the website as you intended, and not a modified version of it, and that the data isn’t being intercepted or altered in transit.

Since GDPR doesn’t specifically require encryption to be used, an SSL certificate isn’t mandatory. Still, it is strongly recommended since any data your users input on your website is your responsibility under GDPR (and it’s good for SEO too).

In the event of a breach

What exactly do you have to do if disaster strikes and you discover personal data you control has been breached?

Act immediately!

The rules regarding this are pretty straightforward. You must notify the supervisory authority within 72 hours “unless the breach is unlikely to result in a risk to rights and freedoms of natural persons.”

This is a massive case for encryption as attackers can’t do much with encrypted data.

This means companies need to carry out an investigation as soon as they become aware of a breach and be able to report on the specific nature of the breach, including identifying precisely what has been accessed and when, as well as affected users and perform an assessment of the potential impact on those users.

In addition, it’s necessary to detail specific measures in place to protect the data, forensic details of how the breach occurred, and a remediation plan.

In addition to notifying the appropriate governing body, the company must also inform the affected users, which is likely to cause a PR nightmare.

Accountability and inspections

GDPR inspection

GDPR doesn’t only apply in the event of a data breach. All organizations that process EU citizens’ data must be able to provide documentation that demonstrates compliance.

All data processing operations must be checked for compliance, and a record of the checks must be kept. A data protection impact assessment (DPIA) must be completed for any high-risk operations such as processing sensitive or special categories of data (i.e., medical records or ethnic origin), systematic monitoring such as CCTV, or employee internet activity.

Inspections are carried out by the European Data Protection Authority, which checks and verifies compliance with regulations and recommends areas for improvement. Organizations are usually informed four weeks in advance, although certain documents may be requested immediately.

Is encryption necessary?

Encryption is recommended by the EU as a GDPR safeguard but isn’t legally required. Although, just because something isn’t mandatory doesn’t necessarily mean it shouldn’t be done.

Encryption protects your customers, users, employees, and anyone else whose data you possess.

Article 32; Security of processing, states that “the controller and processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including, as appropriate, “pseudonymization and encryption of personal data.”

So again, while encryption is not mandatory, it can be considered a standard tool to help achieve the security required under GDPR.

A breach of encrypted data will most likely result in an embarrassment for the company, whereas losing unencrypted personal data will lead to serious questions and potentially massive fines.

As Google discovered, protecting data isn’t enough because GDPR is particularly interested in transparency and consent. However, a system of solid encryption will undoubtedly help in the event of a data breach.

GDPR fundamentals

GDPR explanation

GDPR clarifies the responsibilities of organizations that control or process the personal data of EU citizens.

The main focus of GDPR is to protect the public by stopping unscrupulous companies from collecting vast amounts of data on individuals that can violate their right to privacy or be stolen by hackers and put individuals at risk of long-term financial or other damage.

Data protection by design and by default

Something that cybersecurity professionals have been saying for years – security should never be an afterthought but, instead, built into the very fabric of technology. The old mantra “security should be baked in, not sprayed on” has finally become the law.

This isn’t to say that the regulation forces companies to adopt certain privacy technologies, as it’s not the process of protecting data that’s important but the result.

Data minimisation

At the core of , Article 25: Data protection by design is the principle of data minimization – limiting the amount of stored personal data to the minimum required. This means companies must stop collecting personal data just because they can.

It will make companies think twice and start to use the data for the purpose they worked so hard to collect it for, and these are often things that are good for the receiver like email segmentation or personalization. If they don’t use it, they have to delete it.

The result is that even after a breach, the effects are minimized if redundant data was never collected in the first place.

Consent and the 8 GDPR rights

Under GDPR, specific conditions for consent must be met. The organization must demonstrate that consent has been freely given through a clear, informed, and unambiguous affirmative action particular to the use of the data.

Silence, pre-ticked boxes, or another inactivity cannot be considered consent. Consent must be verifiable and can be withdrawn at any time.

Every email and newsletter, like companies, send with commercial email marketing software has to include an easy way to opt-out and withdraw your consent. These opt-out pages can’t be obstructed by log-ins or ask for the subscriber to type in their email address. It doesn’t matter if it is a big corporation or email marketing for your blog, we are all bound to the same regulations. 


In most cases, collecting personal data that reveals the racial or ethnic origin, political opinions, religious beliefs, trade union membership, and genetic and biometric data is prohibited.

There are specific situations where this does not apply. Still, again, these safeguards are in place to protect citizens, and breaches of these data types can carry much more significant penalties.

All European citizens are now protected by the 8 GDPR rights that must be upheld by the organization controlling or processing the data. Companies must put systems in place that make it possible for data subjects to exercise their rights or risk fines for non-compliance.

Summary

The full scope of GDPR and an organization’s full responsibilities can’t possibly paraphrase into a single article. This piece intends not to provide a definitive guide or legal advice.

It is imperative to consider how your organization handles data and whether it complies with GDPR in a documented and verifiable way should you face a data breach, complaint, or inspection.

GDPR aims to protect the data of European citizens through enforced regulations when cybercrime is on the rise massively. Even though it may seem inconvenient to implement compliance, the laws protect the public and set an example for the rest of the world to follow.

Leave a Comment