[BreachExchange] GDPR – emerging risks for SMEs
Audrey McNeil
audrey at riskbasedsecurity.com
Thu Jul 12 19:37:30 EDT 2018
https://www.globalbankingandfinance.com/gdpr-emergingrisks-for-smes/
It’s been around six weeks since GDPR became law, and already the first
breach has been recorded with the Information Commissioner’s Office (ICO).
Attributed to the use of out-of-date software and the failure to take basic
precautions, Carphone Warehouse is a reminder for larger companies that
non-compliance with the regulation can be disastrous. For reputations as
well as bank balances.
A catalyst because it is forcing SMEs to embrace new digital marketing
techniques and update the way they interact with their pre-existing
customers and sales pipeline. A hazard because the legislation increases
risks to companies beyond data breaches and non-compliance by exposing SMEs
to the threats of customer identity theft, and forces companies to reassess
aspects of their international operations.
The profound change that GDPR is having on UK SME’s is only now beginning
to be felt, and new risks outside data breaches are beginning to emerge.
Welcome to the GDPaRty
It’s time for SMEs to look beyond the successes of implementation and
assess what a post-GDPR world looks like for customer identity security,
and how SMEs are taking advantage of the legislation.
The most prominent effect of GDPR for SMEs will be how businesses develop
their sales pipelines. Long characterised by “zombie emails”, mass
advertising and PR stunts, the way that small businesses engage with the
public is overdue a digital upgrade.We have already seen larger companies
move away from conventional marketing and towards paid advertising on
social media – now smaller firms, accelerated by GDPR, are following suit.
But for the thousands of small businesses who depend on tools like email
marketing to generate custom and new sales leads, the new regulation is
only going to make their hard job more difficult. For a start, questions
remain about responsibility for social channels and, in firms with few
employees, their relative benefits.
Alongside changes to their sales pipelines, SMEs should also consider the
international effects. By protecting the group’s citizens from the abuses
of data, the EU has set the tone that virtually every other country will
now begin to seek equivalence. Improving customers’ power to control the
information retained on them, as well as who delivers that information to
them, will increasingly become a prerequisite not only in EU satellites,
but across the world.
While this gives UK SMEs a head-start on other countries, which will surely
update their data protection legislation in the years ahead,there are
numerous implications for companies that export to international markets,
from unclear legal obligations for businesses with international offices to
the status of intellectual property rights. These have the potential to
create undue export barriers and make business in different geographies
more difficult, at least in the short term.
Aside from the pre-existing threats of data breaches and non-compliance,
the very regulation intended to give customers new powers to demand privacy
are also undermining their own security, in turn increasing the threat for
SMEs. This comes through the abuse of Subject Access Requests (SARs) and
the ‘right to be forgotten.’
Faced with a SAR, companies may well be quick to respond – eager to stay on
the right side of the Information Commissioner’s Office. But the
fabrication of SARs may be easier than expected, and a company’s eagerness
to help a customer – with the presumption that they can be retained – may
in fact aid in identity theft.
Individuals can use any datagiven by companies to help them commit identity
fraud, then – using the ‘right to be forgotten’ – simply cover their
digital tracks. Additionally, this same deletion can hinder the signs of
fraudulent activity on their accounts – nullifying data analysis and making
cooperation with the victim and authorities more difficult.
Lessons to be learnt
Protecting customer privacy is a timely but complex issue, and for
SMEs ‘Ignorantialegisneminemexcusat’
– Latin for ‘ignorance of the law cannot be used as an excuse’. Firms need
to be aware not only about how their own business models will be affected,
but the wider implications for their customers, sales pipelines and
international operations.
In short, while GDPR fines seem to be intended for larger companies, SMEs
should not be complacent, but should continue to adapt. This will be
essential not only to ensure your sales pipeline remains healthy and
facilitate continued international growth, but to maintain trust with your
existing and future customers.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180712/48cb55d3/attachment.html>
More information about the BreachExchange
mailing list