Everyone I know is totally inundated with email about new Privacy Notices, or Master Terms and Conditions for a website that they may have visited years ago. I am not sure about you, but my inbox gets at least a dozen through the spam filter every day. Why? What’s it all about? Should you be concerned?
If you are not in the social media and digital agency industry, you may be totally unaware that the European Union has a new law in effect that protects people's privacy. It's called the GDPR, or the General Data Protection Regulation, and it is the first piece of EU-wide privacy legislation to go into effect since 1995. The GDPR went into effect Friday, May 25. The first thing to note is that this is European Union legislation. Because of its territorial scope, and the global nature of the internet, it can and likely does still impact you as a North American business person.
Let's say that you run a collection agency, and a debtor in New Jersey owes a creditor in the Netherlands a chunk of money. That creditor in the Netherlands will be protected by the GDPR. OK, so even though you don't do business in the European Union, it could be that you will be impacted by the new legislation. The territorial scope of the GDPR is enormous. We can simplify it for you.
With the recent Facebook/Cambridge Analytica scandal, and countless high profile data breaches, it would not surprise me to see the US and Canada follow with similar legislation. It would also not surprise me if Google starts looking at Privacy Statements for GDPR compliant language as a ranking factor.
What should you do, right now, in the face of all these privacy concerns?
- Know what client or customer data you have, and why you have it
- Manage data in a structured way – don’t let it sit there
- Know who is responsible for it – someone needs to be responsible
- Encrypt what you wouldn't want to be disclosed – or don't be silly – encrypt everything just because it's a smart thing to do
- Design a security aware culture
- Be prepared – expect the best but prepare for the worst
Know what client or customer data you have, and why you have it.
Let's say that you are a Family Law attorney, and new clients complete an intake form. That form gets emailed to you, and to make sure nothing gets lost in the email, a copy of the form is kept on the web server. BOOM – you have customer data. Now, what if the person suing for divorce is in the UK, and the other party is in Florida? Territorial scope – you could be impacted by the GDPR. If you have client or prospect data, you must decide how long you need to keep it, why you have it, what you will do with it, and where you will store it. Do you really still need that data 2 years later, when you have internal case files that aren't on the internet?
Manage data in a structured way – don’t let it sit there
Know who is responsible for it – someone needs to be responsible
There's a position in large enterprises called a "Data Steward". It is the Data Steward's job to make sure that the data in the organization is correct, and that it is being managed in a way that the leadership understands and approves of. THE BUCK STOPS with the Data Steward (internally, but not legally). Now, most of my clients don't have a Data Steward. Most of our clients fall between 20 and 100 employees. A Data Steward is overkill. Instead, rely on us to help you understand how the data that you have on the internet – even if it isn't facing the public – should be used. Is it an email list? Was there an explicit instruction from the person on the list that you can communicate with them via email, or text, or phone? How long will you keep them on your list, and when are they no longer active? This is a discussion that should happen between a firm's executive leadership and "someone" either in the firm, or outside the firm.
Encrypt what you wouldn't want to be disclosed – or encrypt everything because it's smart
In this day and age, not having encrypted data, or an encrypted site (one served over HTTPS), is at best reckless – and that assumes you even know what an encrypted site is. We were just exhibitors at the NARCA/NCBA event, where approximately 600 attorneys, representing over 400 firms, attended. We took the attendee list, searched for, and found, almost every firm's website. Roughly 80% were not encrypted. That's crazy. Last year, Google made the clear and unambiguous statement that, all other things being equal, an encrypted site will rank better than an unencrypted site. It is irresponsible of a webmaster not to offer their clients basic encryption for that reason alone. Add to that, we have clients that have web portals for their customers, payment gateways, information request forms, intake forms – all of this would be vulnerable if the site is not encrypted. If you are our client for website hosting – rest assured – your site is encrypted. In the old days, encryption was difficult – and costly. Today, it is relatively straightforward. The truth is Google Chrome will frequently not even let you onto a page that isn't encrypted – it will give a big warning message that the site is not safe. Would you want that experience for a visitor to your site? Well, now if your site in any way touches the EU, you have one more reason to engage in encryption.
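The survey described above (visit each firm's site and see whether it is encrypted) comes down to two requests per host: one over plain http:// and one over https://. The script below is an added example, not code from the original post, and it classifies a site's posture from those two responses. The four sample hosts and their responses are constructed; `probe_live()` shows how the same pair of responses would be gathered from a real host with the Python standard library, but it is not called here and it makes no network connection on its own.

```python
"""Check whether a site is actually 'encrypted', i.e. served over HTTPS.

Added example, not from the original post. classify() labels the posture of a
site from the responses to GET http://host/ and GET https://host/. The
SAMPLE_SITES responses are constructed; probe_live() is the real-world
counterpart and is only provided for reference.
"""
import http.client
import ssl
from typing import Dict, Optional, Tuple

# (status code, headers) for one HTTP response
Response = Tuple[int, Dict[str, str]]


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify(http_resp: Optional[Response], https_resp: Optional[Response]) -> str:
    """Return a posture label for one site.

    http_resp  - response to GET http://host/  (None if nothing answered)
    https_resp - response to GET https://host/ (None if TLS failed or port closed)
    """
    if https_resp is None:
        # Nothing usable on 443: every visitor, every intake form, travels in the clear.
        return "unencrypted"
    if http_resp is None:
        return "https_only"

    http_status, http_headers = http_resp
    location = _header(http_headers, "Location") or ""
    redirects = 300 <= http_status < 400 and location.lower().startswith("https://")
    if not redirects:
        # HTTPS exists, but anyone typing the bare hostname lands on plain HTTP and stays there.
        return "https_available_no_redirect"

    _, https_headers = https_resp
    if _header(https_headers, "Strict-Transport-Security"):
        # A browser that has seen HSTS will not even attempt http:// next time.
        return "redirects_to_https_with_hsts"
    return "redirects_to_https"


# Constructed sample responses for four imaginary firm websites.
SAMPLE_SITES = {
    "firm-a.example": ((200, {"Content-Type": "text/html"}), None),
    "firm-b.example": ((200, {"Content-Type": "text/html"}),
                       (200, {"Content-Type": "text/html"})),
    "firm-c.example": ((301, {"Location": "https://firm-c.example/"}),
                       (200, {"Content-Type": "text/html"})),
    "firm-d.example": ((301, {"Location": "https://firm-d.example/"}),
                       (200, {"Strict-Transport-Security": "max-age=31536000"})),
}


def survey(sites=SAMPLE_SITES) -> Dict[str, str]:
    """Classify every site and return {hostname: posture}."""
    return {host: classify(plain, secure) for host, (plain, secure) in sites.items()}


def share_unencrypted(results: Dict[str, str]) -> float:
    """Fraction of sites where a plain-HTTP visit is never upgraded to HTTPS."""
    bad = {"unencrypted", "https_available_no_redirect"}
    return sum(1 for posture in results.values() if posture in bad) / len(results)


def probe_live(host: str, timeout: float = 5.0):
    """Gather (http_resp, https_resp) for a real host. Reference only; not used above."""
    def fetch(conn):
        try:
            conn.request("GET", "/", headers={"Host": host})
            resp = conn.getresponse()
            return (resp.status, dict(resp.getheaders()))
        except (OSError, http.client.HTTPException):
            return None
        finally:
            conn.close()

    plain = fetch(http.client.HTTPConnection(host, 80, timeout=timeout))
    secure = fetch(http.client.HTTPSConnection(
        host, 443, timeout=timeout, context=ssl.create_default_context()))
    return plain, secure


if __name__ == "__main__":
    results = survey()
    for host, posture in results.items():
        print(f"{host:20s} {posture}")
    print(f"unencrypted share: {share_unencrypted(results):.0%}")
```

Note that "has a certificate" is not the finish line: firm-b in the sample has HTTPS but never redirects to it, so a visitor who types the bare name still submits forms over plain HTTP. The redirect plus an HSTS header is the posture worth aiming for.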
Design a security aware culture
Almost all breaches of network data come from what is called "social engineering". That is, a human calls another human, following a script that literally cons the victim into releasing some bit of information that helps the con man break into the system. In the old days, it was phone calls; today it's phishing emails – emails that look like they came from a legitimate place, that ask for information that then exposes your personal or corporate data. We laugh about the scam about the Nigerian bank that needs to deposit money in your account, just fill this in… but how often have you received an email that looks like it came from a bank asking you to confirm your identity, when you don't ever remember asking for a password reset? It can be even simpler: is your email address on the website? If it is, you've just told the hacking world what your naming conventions are, and opened yourself up to a phishing breach. (Oh look, their email is firstname.lastname@example.org… let's go to Facebook or any number of other social media sites, find all the people that work for company.com, and start spamming them, or sending malicious email with a bug encoded in it that will gain us access….) Don't give the keys to the crooks – your email addresses should not be visible on the front end, and should not be a part of a button that links to email; they should be buried in the database where hackers can't see them. Have the discussion with your staff about not giving away any company information unnecessarily, and about opening email that they are unsure about, especially if it involves following links from an unknown source or opening files, both of which can invite malicious code into your network. Be prepared to prove that you have had these conversations with your employees.
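The advice to keep addresses off the front end has two halves: checking what your pages currently expose, and replacing the mailto button with a form that names only a department while the real mailbox stays server-side. The following is an added example, not code from the original post, and the HTML snippets, the `firm.example` addresses and the `DIRECTORY` lookup table are all constructed for illustration.

```python
"""Keep staff email addresses out of a site's front end.

Added example, not from the original post. find_exposed_addresses() is a
quick check to run over your own rendered pages; render_contact_form() and
resolve_recipient() show the recommended alternative: a form that exposes
only a department key, with the mailbox resolved on the server. All sample
HTML and addresses below are constructed.
"""
import html
import re
from typing import Dict, List, Optional

# Matches bare addresses and mailto: links alike (a mailto: href contains an address).
_ADDRESS = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)


def find_exposed_addresses(page: str) -> List[str]:
    """Return every email address visible in a rendered page, deduplicated and sorted."""
    # Unescape first so entity-encoded '@' (e.g. &#64;) does not hide an address from the check.
    return sorted(set(_ADDRESS.findall(html.unescape(page))))


# Server-side only: this mapping is never rendered into any page.
DIRECTORY: Dict[str, str] = {
    "intake": "intake-desk@firm.example",
    "billing": "accounts@firm.example",
}


def render_contact_form(directory: Dict[str, str] = DIRECTORY) -> str:
    """HTML for a contact form that exposes department keys, never mailboxes."""
    options = "".join(
        f'<option value="{html.escape(key)}">{html.escape(key.title())}</option>'
        for key in directory
    )
    return (
        '<form method="post" action="/contact">'
        f'<select name="department">{options}</select>'
        '<textarea name="message"></textarea>'
        '<button type="submit">Send</button>'
        "</form>"
    )


def resolve_recipient(department: str,
                      directory: Dict[str, str] = DIRECTORY) -> Optional[str]:
    """Map a submitted department key to its mailbox; None for anything not in the directory."""
    return directory.get(department.strip().lower())


# Constructed 'before' page: an address in running text and one behind a mailto button.
BEFORE_PAGE = """
<p>Questions? Write to jane.doe@firm.example or
<a href="mailto:john.smith&#64;firm.example">email John</a>.</p>
"""

# Constructed 'after' page: the same contact point, offered as a form.
AFTER_PAGE = "<p>Questions?</p>" + render_contact_form()


if __name__ == "__main__":
    print("before:", find_exposed_addresses(BEFORE_PAGE))
    print("after: ", find_exposed_addresses(AFTER_PAGE))
    print("intake goes to:", resolve_recipient("intake"))
```

Because `resolve_recipient()` only accepts keys present in `DIRECTORY`, a submitted form cannot be used to route mail to an arbitrary address, and nothing in the rendered HTML reveals either the mailboxes or the firstname.lastname naming pattern the post warns about.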
Feel free to hope this is “just an EU thing”, but prepare for the worst
The GDPR is European legislation, but we live in a global economy. Even our US-based digital agency has clients in Israel, Jamaica, and Canada, and workers in Canada, Sri Lanka, and at times Nigeria and the Philippines. The butterfly effect sweeps the globe with astounding speed, and in the wake of all the Congressional hearings over Cambridge Analytica, a British company allegedly engaged by Russians to influence the US election, we are assured that, yes, we are in a global economy. That the GDPR comes rolling through the internet like an 800-pound gorilla, while the rest of the privacy concerns are rocking the news cycles, tells us it is clearly time to take the maturity level of the internet up a notch.
Frankly, all the advice above, while admittedly general, is rational and good advice, even if the whole world were not in the process of updating its security in the wake of breaches and scandals. It is good common sense to be respectful of our clients', prospects', and our own data. Not only does it make sense, but it just might end up having tremendous impact on your business if you ignore it and stick your head in the proverbial sand. The internet is not going away; it's time to be more professional when it comes to firewalling out malicious intent, and being respectful of the data that we are stewards of.