
Burden on businesses with new EU data security law

Raili Liiva

12 Sep 2017

5 min read


Over four years in the making, the new EU data protection law was finally completed in April 2016.

As technology has become more integrated into our lives, personal data, security and privacy have become a hot topic. In April 2016 the long process of drafting and agreeing new legislation to reform the legal framework protecting the right of EU citizens to a private life was completed, and the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was born.

What does this mean?

Simply put, organizations must keep records of the personal data they process, be able to demonstrate a lawful basis for collecting it (consent is one such basis, not the only one), show where the data goes, what it is used for and how it is protected. Enforcement begins on May 25th, 2018. That is much less than a year away.

What’s next?

Now that the final text of the GDPR is known, the next step for organizations is to identify how this new legislation will impact them and begin making the appropriate technical and organizational changes, because the fines for organizations found not to be GDPR compliant are significant, whether or not a breach has occurred (up to 20 million euros or 4% of worldwide annual turnover, whichever is greater). This penalty has the potential to sink businesses.

If you are reading this from a non-EU nation, this law may still apply to you. Any organization that processes the personal data of people in the EU falls under the long arm of this law if it offers them goods or services or monitors their behaviour, regardless of where the organization itself is established (Article 3). Continue reading, as the reality of GDPR is that almost every website and app in the world that serves EU users will be required to comply in one way or another.

The good, the bad, the ugly

On one hand, the benefits are obvious. GDPR requires organizations to take a more deliberate, sophisticated approach to capturing data about their customers and to ensure it is processed correctly. It also gives citizens and residents more rights –

On the other hand, this forces organizations to accept a long list of responsibilities. If the organization processes data, it must:

Notify authorities within 72 hours of a breach?

This is a headline grabber. GDPR (Article 33) requires that organizations notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. The notification must describe the nature of the breach, including the categories and approximate number of people and records affected, its likely consequences and the measures taken in response. Where the breach is likely to result in a high risk to individuals, they must be informed as well (Article 34).

Damage to brand reputation could be tremendous. Based on a survey conducted by OnePoll, nearly 87% of respondents stated that they would likely not do business with an organization that suffered a data breach. That’s on top of all regulatory penalties.

To protect your business from financial and reputational disaster, it is better to be prepared and do everything in your power to avoid a breach. Take a moment: can your firm demonstrate that it has taken appropriate technical and organizational measures (Article 32) to protect personal data from threats?

Complexity is the enemy of security

For most organizations, passwords are the weak link – more specifically, how people use passwords.

For years, policy has equated more complicated passwords with stronger authentication. Today, average users not only struggle to create a "strong password" that satisfies the composition rules, they also have no hope of remembering it. Even NIST's 2017 guidance (SP 800-63B) has moved away from composition rules and forced rotation in favour of length and screening candidates against lists of known-breached passwords.

How do users cope with "strong password" requirements? Many write their passwords down or, worse, reuse one password across multiple services for convenience. Password reuse makes it easier for cybercriminals to hijack accounts and get their hands on sensitive and personally identifiable data: a password leaked from one service can be replayed against every other service where it was reused, so the exposure is not limited to the data of the person whose account was hacked.
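The following is an added example, not code from the original post or from Messente, showing the alternative to composition rules that the passage alludes to: a length floor, no complexity requirements, and a check of each candidate against a breached-password corpus using the prefix-only (k-anonymity) lookup pattern, in which the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the server never sees the password or its full hash. The corpus and its counts are constructed for the demonstration; `range_lookup` stands in for a remote range endpoint.

```python
import hashlib
from typing import Dict, List, Tuple

# Policy limits in the spirit of NIST SP 800-63B: a length floor, a generous
# ceiling, no composition rules, and a check against known-breached passwords.
MIN_LEN = 8
MAX_LEN = 64

# Constructed stand-in for a breach corpus (hypothetical counts, not real data).
# "Tr0ub4dor&3" satisfies every classic composition rule yet is widely known.
CONSTRUCTED_LEAK = {
    "password": 1200,
    "123456": 5400,
    "qwerty": 900,
    "Tr0ub4dor&3": 7,
}

HEX = "0123456789ABCDEF"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-hex-char prefix -> [(35-hex-char suffix, count), ...]
RANGE_INDEX: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _count in CONSTRUCTED_LEAK.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Simulated range endpoint: receives only a hash prefix, never the
    password or its full hash, and returns every suffix sharing that prefix."""
    if len(prefix) != 5 or any(c not in HEX for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return list(RANGE_INDEX.get(prefix, []))


def breach_count(password: str) -> int:
    """Client side of the k-anonymity lookup: send the prefix, compare the
    suffixes locally. Returns how many times the password appeared in the corpus."""
    digest = sha1_hex(password)
    for suffix, count in range_lookup(digest[:5]):
        if suffix == digest[5:]:
            return count
    return 0


def check_password(password: str) -> Tuple[bool, str]:
    """Accept or reject a candidate password. Deliberately no complexity rules:
    they push users toward predictable substitutions and reuse."""
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    seen = breach_count(password)
    if seen:
        return False, f"appears in breach corpus {seen} times"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(candidate, check_password(candidate))
```

Against a real corpus the prefix lookup returns several hundred suffixes per prefix, which is what makes the query anonymous; the comparison logic on the client is unchanged.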

Even though GDPR does not mandate two-factor or multifactor authentication per se, a careful review of the law makes clear that if static passwords alone are left in place and a breach occurs, auditors will come knocking on the door to ask whether the security measures were appropriate to the risk.

Why wait until a breach before implementing 2FA?

Two-factor authentication is simple to implement and affordable. It defeats most attacks that rely on a stolen, guessed or reused password alone, and it does not require much user training or a team of consultants to deploy. It is low-cost with a high impact.

Start now

Don’t wait until the law takes effect in May 2018 to prepare, secure users and strengthen authentication. With stolen credentials being the leading cause of breaches, finding ways to combat that risk and reduce the attack surface will strengthen an organization’s overall security posture and help it avoid penalties.


Raili Liiva

Sales Researcher

Raili leads Messente's 2-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijackings.  

