This article is brought to you by CSC's Digital Brand Services.
Currently, the acronym on the lips of many in-house lawyers around the world is GDPR, or General Data Protection Regulation. The regulation was passed in the European Union (EU), but it affects businesses with a physical presence in the EU as well as any company around the world dealing with personal data of EU residents, including targeting EU customers, employing EU residents or dealing with EU suppliers.
This includes online marketplaces, meaning that even the smallest of businesses based in Asia but selling products to a European consumer base on Alibaba or Amazon – as well as those with employees from the EU – will be required to comply as of 25 May 2018. However, research conducted last year revealed that nearly all APAC companies surveyed (93%) did not have a plan in place for when GDPR becomes enforceable in May 2018.
In 2016, the EU’s second largest trading partner was China, recording close to €515 million in trade, while all APAC countries combined represented more than €1,000 billion worth of trade with the EU. This flow of business between the two regions suggests that many Asian companies will be impacted by GDPR.
Undoubtedly, Asia is no stranger to domestic data protection laws. Hong Kong has its Personal Data (Privacy) Ordinance, with maximum fines of up to HK$1 million (€108,000) and imprisonment of up to five years for non-compliance with an enforcement notice from the Privacy Commissioner, and Singapore has its Personal Data Protection Act, with maximum fines of up to SG$1 million (€626,000) and imprisonment of up to three years for failure to comply with the Act.
These financial penalties pale in comparison to the fines the GDPR allows – €20 million or as much as 4% of total global annual revenue, whichever is greater – should a business fall victim to a cyber security attack and suffer a data breach.
Cyber Security: A Driving Force Behind the Regulation
As organisations get up to speed with legal compliance, many may fail to consider one of the driving forces behind the regulation: increased cyber security at a foundational level, to ward off data breaches – whether through hacking, phishing, or malware attacks – before they gain steam.
It’s important for businesses to understand the cyber security element of the GDPR, as well as the solutions to the issues they may face, and how to divide and conquer those issues by working closely with key departments like IT, legal, marketing, and security.
“While the risks of being non-compliant are significant, this is also an exciting opportunity for companies to really understand how they deal with data – what personal data they collect, what they do with it, and how long they hold it for – and to improve their processes,” said Salma Daneshmand, associate general counsel for CSC®, a global leader in digital asset management, online brand protection, and cyber security.
“Being able to demonstrate GDPR compliance will also enable companies to inspire trust amongst their customers, suppliers, and employees,” Daneshmand continued. “If you can show how you’re protecting your data from unauthorised access, people are going to want to work with you and trust you.”
Cyber Criminals Never Sleep
The digital landscape is littered with cyber criminals willing to jump at every chance to profit from your business. The Anti-Phishing Work Group, an international consortium that monitors businesses affected by phishing attacks, reported that phishing activity rose from 2015 to 2016 to a total of 1,220,523 attacks, a nearly 65% increase year over year. Phished logins and identities can be used to socially engineer access to the data you hold.
Cyber criminals and hacktivists also compromise systems by employing a variety of methods, including DDoS attacks, malware, and SQL injection, to get what they want, leaving companies exposed and vulnerable. To help avoid such attacks, and to mitigate the risk of a significant fine and damage to your reputation and operations, it is worth employing what the GDPR describes as appropriate ‘technical and organisational measures’.
Solving the Problem Requires a Team Effort
Cyber security is no longer simply the responsibility of the IT department as it may have been 10 or 20 years ago. With every department, desktop, and mobile device a potential victim, it’s up to each company to unite the forces of IT, legal, marketing, and security to stop cyber criminals in their tracks.
The process may seem like a major undertaking, but it’s important to partner with expert providers that ensure data is protected and secure as part of data protection law compliance, which involves more than just a tick-box approach.
Figuring out exactly how many different digital assets your company maintains – and finding out where they’re located, whether they’re secure, and who looks after them – requires a multipronged effort. There are four ways to begin the process:
- Consolidate and secure – Ideally, you want to set out all your digital assets in one comprehensive view, which should include domain names, DNS, SSL, and social media usernames. Check to make sure your digital IP resolves to relevant content and directs traffic to your sites, then ensure they’re properly safeguarded with security measures like SSL certificates, MultiLock, and two-factor authentication.
- Optimize and promote – Analyse which of your domains can be safely divested based on their relevance to your company and the business they conduct. Only then can you identify the gaps related to available domain names, including brand and social media usernames.
- Monitor and enforce – Search for GDPR infringements across your assets. Once you’ve identified them, prioritise violations by importance, so you can ensure compliance on a case-by-case basis.
You could have a belt-and-braces privacy policy, but if you or your data processing providers don’t abide by its provisions, you will be penalised by data protection authorities in the event of a security breach. Get out of your comfort zone and form your multidisciplinary team. It’s the best way to devise a defence plan and research which approach you want to take, including which third parties may be able to help you with compliance. GDPR may be a terrifying acronym, but embracing the change now will save you time, money, and quite possibly your brand’s reputation.
Mark Flegg, Global Product Director of Domains and Security, CSC
In his role at CSC, Mark is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. During his 16-year career, Mark has acquired a wealth of experience in cyber security technology, focusing on DNS, SSL, and DDoS protection software. To further raise awareness of the digital threats that businesses are susceptible to, Mark regularly presents at leading industry events.