What SMBs need to know about the new EU cybersecurity regulations

With a continued rise in cybercrime, the EU has been drafting new legislation that will have an impact on every business. The General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive will require companies to meet, or at least act on, certain cybersecurity requirements. What do they mean for small businesses and how they manage their security?

In essence, the new regulations aim to deliver a more security-conscious business community. The legal framework that currently applies to all forms of digital data that your business might hold about customers or commercial partners will now need to be strengthened. Your business may have already dealt with the so-called 'cookie law', which now governs opt-ins to your website and how personal information is used. The GDPR goes much further.

Adam Palmer, director of international government relations at FireEye, explained: "The NIS Directive is focused purely on security while the GDPR is focused on data privacy. They each have different rules and scope. The GDPR applies to any entity that processes the personal data of EU residents related to the offering of goods or services or to monitor their behaviour.

"The NIS Directive applies more narrowly to 'operators of essential services' and digital service providers with 50 or more employees. The NIS Directive requires that entities within the scope of the NIS Directive implement 'state of the art' security measures that 'guarantee a level of security appropriate to the risk'."

In essence, the changes that Brussels wants to make treat all information that relates to a consumer or business partner as 'personal', and as such it needs to have strong security applied to it. With so much personal information shared across the EU every second, it is hoped that the new regulations will make that information much more secure.

The GDPR regulations apply to medium-sized businesses with 250 employees or more. And the stated penalties look set to be high at €20 million (around £15.8 million, or $23.2 million) or 4% of annual turnover, whichever is the higher.

Advantages of a proactive approach

Says Jason du Preez, CEO of Privitar: "Our global economy is dependent on data driven decision-making. Entire industries are being transformed by using data to create personalised products and services in every sector imaginable. The GDPR represents a sea change in how big data analytics investments can be designed, delivered and leveraged.

"Organisations have two years to comply with GDPR, but those that are proactive can gain competitive advantage by winning customer trust. The more customers understand how their data is being used and for what purpose, the less likely they are to opt out simply because they do not understand the arrangement in place."

For most organisations that fall under the scope of the new regulations, a new post of Data Protection Officer (DPO) will be needed if business processes require the storage and manipulation of certain categories of data.

Andy Green, senior technical content specialist, Varonis, explains: "The GDPR is a huge, complex law. And the writers of the regulations were aware that teeny or small businesses would not be able to deal with all of it.

"They made some exceptions to the more burdensome requirements, and they also gave the DPAs (Digital Protection Authorities), for example, the power to take into account the size of the business in terms of applying the law – proportionality, in their words.

"For example, SMBs are generally relieved of the requirement of hiring a DPO. There are also exceptions made for DPIAs (Data Protection Impact Assessments), which are a new requirement for documenting the effects of collecting very sensitive data. Other documentation requirements are also lessened for SMBs.

"My overall feeling is that if a small/medium business follows the ideas of 'Privacy By Design', which is referred to a lot in the GDPR, they'll be fine – especially the principles of minimising data collection of personal data and keeping consumer records longer than need be."