How not to get swallowed up by regulation: A small business tackles data security
Think of the General Data Protection Regulation (GDPR) as a kraken. Legend has it that this enormous squid-beast set upon offending ships and dragged them down to the dark depths of the ocean, forever condemned to dwell at the bottom of the sea, in Davy Jones’ locker. Small businesses are the ships in this maritime tale, sailing across the seven seas plying their trade, seeking fame and fortune, hoping to make their way unnoticed and unmolested under the eternally watchful eye of the insuppressible leviathan that is the GDPR.
GDPR 101 (tl;dr version)
In short, the GDPR is European Union (EU) legislation with broad territorial reach (just like a giant octopus!): every business that offers services to EU residents, or provides services to companies that do, must comply, no matter where in the world it is physically located. Whether your company is a goliath or a tiny ship sailing the ocean, the GDPR is a force to be reckoned with.
Why should I care?
While you were watching cat videos online, your lawyer friends may have gotten their hands on the GDPR document, combing it from start to finish and engaging in intellectual discussions with each other about what it all means. Weighing in at 99 articles across 11 chapters and spread over 88 pages, the GDPR isn’t easy to navigate. For the rest of us non-lawyers, it’s quite a slog to get through. For a quick explanation of the GDPR’s impact, let’s stick to memes, shall we?
So let’s jump straight to the most important (and scary) part: the hefty fines. With potential fines of up to €20,000,000 (SGD 31.6 million) or 4% of an organisation’s global (!) turnover, non-compliance with the GDPR can possibly mean GAME OVER for your business, big or small. By way of comparison, Singapore’s Personal Data Protection Act (PDPA) allows for penalties of an amount not exceeding SGD 1 million.
Here are a few things you should consider as a small business gearing up for the post-GDPR world:
Thinking of throwing that piece of paper in the trash? Think again.
It’s actually surprising to some people, but we use more paper than we think we do. Although we are already in a digital age, small businesses may not have extremely advanced digital documentation systems. I mean, let’s be honest, don’t we still print out our meeting agendas when we’re going for a client meeting? Physical documents often contain confidential information that we don’t want others to see – personal or commercially sensitive information that could land in the hands of your competitors if you don’t dispose of it securely.
Information thieves are getting more and more creative these days and will resort to any number of devious methods to retrieve personal data. If they find a list of NRIC numbers in a dumpster, they are going to get that list and use it to do things – steal your identity, your credit card numbers, and eventually your life.
“Hello! I’d like to talk to you about your personal data protection processes.”
These are very real possible repercussions of your actions. Fortunately, one of our clients is an expert in secure data disposal, so we had professional help in setting up our processes and procedures, as well as access to secure consoles to dispose of our physical data. Not everyone is so fortunate however. If you need help, don’t be shy about asking for it. The stakes are too high not to.
Get some new (strong) passwords
If you can guess your colleagues’ passwords (Hint: prgurl94), chances are, they’re not safe at all. Our email accounts are filled with lots of confidential information, from client documents to pay slips. Easy-to-guess passwords are a gift for hackers who can gain access to all the information that we don’t want them to have.
A strong password is one that is easy for you to remember and hard for anyone else to guess. While in the past experts recommended using a mix of letters, numbers and symbols, the most recent consensus is to use passphrases. Basically, instead of using one word, you use a sentence such as a quote from your favourite book or TV show, or a simple phrase such as “H4rryP0tt3r1sK1ng”. Besides being easier to remember and harder to guess, passphrases are also harder for hackers to crack using brute force because there are so many more characters to go through.
Creating a strong password isn’t that difficult to do and once we do, we can definitely protect our organisation’s data from being stolen. Just make sure not to write it down and leave it lying around the office.
Under the sorting hat: Choosing your DPO is a crucial decision
Appointing a Data Protection Officer (DPO) is compulsory under the PDPA and will help your organisation comply with the GDPR too. However, with so much work needing to be done, who has time to be a DPO? The truth is that your DPO will become one of the most important people in your organisation. That special person will be responsible for your organisation’s data, ensuring that your company follows good data security practices and helping your organisation enforce secure collection, processing, storage and destruction of all data.
It helps if your DPO is someone quite persuasive. They will need to work closely with colleagues at all levels of your organisation and across all functions to implement the processes and procedures required to protect your data. Over time, your DPO’s persistence will pay off as your organisation will be able to comply with the GDPR. This protects your company from facing severe penalties and going out of business.
So go ahead and place each of your employees under the sorting hat, and get the right person for the job of DPO. (P.S. Just don’t pick a Slytherin).
There you have it! A few tips your small business can use to tackle data security. Now I’m just going to get back to watching my cat videos, and pretend I never gave you this advice #IANAL.