Data Privacy Day 2023: How to protect the privacy of your small business? Learn from our experts
Data privacy – the buzzword of buzzwords
Data privacy has become one of the most talked about topics across newsrooms, board rooms and living rooms. And rightly so. After all, data is the new oil.
So, what is Data Privacy? In simpler terms, it can be defined as the practice of preservation of personal data that complies with data protection laws and regulations. This means only you own your own data, and only you determine who it’s shared with. This is true for both individuals and organisations. Unfortunately, data privacy breaches happen regularly in large and small businesses.
A report by Statista indicates that during the third quarter of 2022, around 15 million data records were exposed worldwide through data breaches. Leakage of sensitive data (personal and organisational) such as emails, passwords, debit/credit card details can be considered a data breach. This poses a serious threat for businesses across the globe. Acc. to IBM, the global average total cost of a data breach stands at USD 4.35 million. The company also states that for 83% of organisations, it’s not if a data breach will happen, but when it will happen.
Data privacy and small businesses
Running a small business is no small feat. But while raising capital, fulfilling the orders and customer experience are paramount, being data compliant should always be a priority for entrepreneurs. A study by Kaspersky has highlighted that data breaches are becoming more frequent for SMEs than large scale enterprises. In the first quarter of 2022, the Kaspersky team detected almost 35,400,000 internet attacks on small businesses (~9% higher than 2021).
We are here to help
At Tide, we take data privacy very seriously. Therefore, we reached out to expert Tideans based in our Bulgaria, India and the UK offices, to share insights on how small businesses and freelancers can take care of their data privacy requirements.
Meet Hristiyan Dimov, our Privacy Legal Counsel; Rupali Bali, our Information Security Analyst; and Hanish Patel, our Information Security Auditor.
Let’s get started.
Prateek: Hello Hristiyan, Rupali and Hanish, welcome and thank you for being part of this initiative.
Let’s start with you, Hristiyan. Why should data protection compliance matter for small business and sole traders?
Hristiyan: It’s a very common mistake for small businesses and sole traders to start investing in privacy and data protection only after they’ve scaled their business. At this point it becomes quite costly for them to put their operations in order.
I think this approach is wrong for two reasons. First of all, if data protection steps are taken early on, businesses could potentially save significant costs down the line. This is one of the main benefits of the “privacy-by-design” principle. And secondly, data protection compliance is a very effective way to win the trust of your customers.
When you are an up and coming business without a well-established brand and image, you should leverage every possible way to win the trust of your customers. For example – if you showcase a data privacy notice on your website, you’ll send a very clear message to customers that you’ve invested in regulatory compliance, that you care about long-term customer loyalty and that you won’t disappear tomorrow with your customer’s funds.
Having said that, we cannot be agnostic to the fact that small businesses have limited resources and it may be a difficult decision for a founder to open up their warchest and to spend it on compliance. The good news is that you don’t have to. There are many “quick wins” that can be achieved without incurring heavy expenditure and that will have an immediate positive effect on your data protection compliance posture.
Prateek: Interesting. Could you also please throw some light on what the first steps are for small businesses and sole traders when embarking on their data protection compliance journey?
Hristiyan: A good example is, as I’ve already mentioned earlier, the establishment of a privacy notice informing your customers who you are, what you’ll do with their data, what rights they have and how they can exercise them vis-a-vis your organisation.
Preparing a privacy notice should not take more than a few hours and can be a valuable exercise in getting to know the data side of your business (which can also be a great start for unlocking the commercial potential of that data). It will be a true game changer for winning the trust of your customers and particularly if you are a business operating through distance contracts or if you handle sensitive customer details (e.g. home addresses, dietary requirements, religious beliefs, etc.).
For Members in the UK, I’d highly recommend the UK Information Commissioners’ Office (ICO) guidance on the preparation of a privacy notice which can be found on their website. The ICO have produced incredibly useful materials for small businesses and sole traders in their SME Hub section and have fleshed out those “quick wins” mentioned above. Similar materials can be found on the websites of supervisory authorities in other jurisdictions as well, e.g. the French CNIL, the Irish DPC, etc.
So for Members who want to improve their data protection posture – I’d highly recommend the website of the concerned authorities in your country as the starting point of your compliance journey. And don’t forget – it’s all about stewardship and trust. If you collect it, you have to protect it.
Prateek: Thanks, Hristiyan. That’s useful information for entrepreneurs.
My next question is for you, Rupali. Why should businesses implement device use policies?
Rupali: Wide adoption of the work from home (WFH) model, across the globe, has made it crucial for businesses to protect their data and networks from breaches, and further ensure that employees use company-owned devices securely. This can be achieved reliably by establishing a thorough device-use policy.
A device-use policy defines the basic guidelines which primarily includes – keeping system applications updated, especially security applications such as anti-virus, restricting user’s access to unauthorised software, inappropriate websites, and sharing confidential information. Organisations can monitor where sensitive data is processed, and remotely wipe stolen devices, apply patches, or quarantine devices from a network as per the requirement.
This could help a company comply with industry regulations and protect it against legal liability. Moreover, proper security measures for devices and networks could be really helpful. Overall, a device-use policy minimises the risk of data breaches and ensures a responsible and productive usage of devices by employees.
Prateek: That’s very informative. How important is it to limit network and data access?
Rupali: Let me explain this with an example of a hospital. Would you want sensitive patient information, meant only for authorised doctors at a hospital, accessible to other staff members as well? In most cases, the answer would be no.
Data is a business asset that once generated, can be acquired, saved, and exchanged. With unrestricted data and network access, employees can access virtually any area of network or system.
Regulations make it critical for a company to achieve and maintain compliance wherever it does business and ensure secure collaborative working environments.
Access controls allow organisations to restrict the availability of resources to endpoint devices.
Data privileges are decided on the basis of the roles in an organisation and the risk impact. This could help to ensure that users have an appropriate level of access to only the information and systems needed for their respective business purposes. This is vital for storing and sharing confidential information. Limiting the access makes it easier to track and manage data, allowing organisations to more effectively leverage the information they have.
Prateek: Thank you for your insights Rupali.
Moving forward to you, Hanish. Why is it important to update the company’s software and apps regularly?
Hanish: Technology is such an important aspect for a modern company. The technological landscape is constantly changing and now, more than ever, businesses are turning to software and applications for solutions. However, this also comes with a risk; software and applications are regularly being updated, with new versions and new features popping up constantly. Many of these updates contain security aspects which combine identified vulnerabilities in applications and software.
If companies fail to update their software and applications when new versions are available, hackers may exploit vulnerabilities and gain entry into their company systems which may give them unauthorised access to a range of confidential information about their company operations, employees and customers.
Ultimately, a breach in company data could result in reputational damage as well as regulatory fines related to GDPR and other data protection regulations, which may be applicable. Updates to company software and applications can also provide users with new features which can boost usability and productivity.
Prateek: How important is multifactor authentication?
Hanish: First of all, I’ll explain what Multi Factor authentication (MFA) is. It is an electronic authentication method which provides a user access to a website or application after providing confirmation of 2 or more separate factors. This is usually in the form of something a user knows (a password), something they have (a mobile phone) or something more personal (for eg. biometric).
This technology essentially allows multiple steps of verification to be required before the access is granted, which ultimately reduces the chance of an account being compromised. MFA is an important layer of protection for a user’s accounts because even if a hacker was able to guess or extract the password via social engineering, they would still require either the user’s mobile phone and/or biometrics to gain access. This is especially important in a world of password cracking techniques such as Brute-force attacks, where attackers use automations to submit many common passwords for the accounts, in the hope that one of them would work.
MFA can really help companies control access to their systems by providing a layered security approach for user access.
Prateek: Thanks, Hanish. I am hopeful our members will benefit from these tips.
We hope you’ve found this post helpful, and if you haven’t already put some of the above measures into practice, we hope we’ve motivated you to do so!
Disclaimer: Please note that all the information contained in this post is provided for informational purposes only. It should not be considered as expert advice on any subject matter. You should not act, nor refrain from acting on the basis of the content provided in this post without first seeking professional advice.