Burden on businesses with new EU data security law

Raili Liiva

12 Sep 2017

5 min read


Over four years in the making, it was finally completed in April 2016.

As technology has become more integrated into our lives, personal data, security, and privacy have become hot topics. Last January, the long process of drafting and agreeing on new legislation designed to reform the legal framework that protects EU citizens' right to a private life was completed, and the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) was born.

What does this mean?

Simply put, organizations must keep records of all personal data, prove that consent was given to collect that data, show where the data is going, the purpose of its use, and how it is being protected. Enforcement begins on May 25th, 2018. That’s much less than a year away.

What’s next?

Now that the final text of the GDPR is known, the next step for organizations is to identify how this new legislation will impact them and begin making the appropriate technological changes, because there are significant fines for organizations that are breached and found not to be GDPR compliant (20 million euros or 4% of annual revenue, whichever is greater). This penalty has the potential to sink businesses.

If you are reading this from a non-EU nation, this law still applies to you. Any organization that collects and stores the personal data of EU citizens falls under the long arm of this new law. Continue reading, because in practice almost every website and app in the world will be required to comply with GDPR in one way or another.

The good, the bad, the ugly

On one hand, the benefits are obvious. GDPR requires organizations to take a more sophisticated, considered approach to capturing data about their customers and to ensure it is processed correctly. It also gives citizens and residents more rights –

On the other hand, this forces organizations to accept a long list of responsibilities. If the organization processes data, it must:

Notify authorities within 72 hours of a breach?

This is a headline grabber. GDPR requires that organizations report all breaches to authorities, including the breached data and people affected, within 72 hours.

Damage to brand reputation could be tremendous. Based on a survey conducted by OnePoll, nearly 87% of respondents stated that they would likely not do business with an organization that suffered a data breach. That’s on top of all regulatory penalties.

To protect your business from financial and social disaster, it is better to be prepared and do everything in your power to avoid a breach. Take a moment: is your firm able to demonstrate that it took all reasonable steps to protect personal data from threats?

Complexity is the enemy of security

For most organizations, passwords are the weak link, or more specifically, how people use passwords.

Over the years, policy has called for ever more complicated passwords in the name of stronger authentication. Today, average users not only struggle to create a “strong password,” they also have no hope of remembering it.

How do users cope with a “strong password”? It is a habit for many people to write passwords down or, worse, reuse them across multiple services for convenience. Password reuse makes it easier for cybercriminals to hijack accounts and get their hands on sensitive and personally identifiable data, and not only the data of the person whose account was hacked.

Even though GDPR does not mandate two-factor or multifactor authentication per se, a careful review of the law leaves no doubt that if static passwords are left in place and a breach occurs, auditors will come knocking on the door.

Why wait until a breach before implementing 2FA?

Two-factor authentication is simple to implement and affordable. It is a security measure that mitigates most hacks, and it requires neither much user training nor a group of consultants to implement. It is low-cost with a high impact.

Start now

Don’t wait until the law takes effect in May 2018 to prepare, secure your users, and strengthen authentication. With stolen credentials being the leading cause of breaches, finding ways to combat this risk and reduce the threat landscape will strengthen an organization’s overall security posture and help it avoid penalties.


Raili Liiva

Sales Researcher

Raili leads Messente's 2-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijackings.
