
Burden on businesses with new EU data security law

Raili Liiva

12 Sep 2017

5 min read


Over four years in the making, it was finally completed in April 2016.

As technology has become more integrated into our lives, personal data, security, and privacy have become a hot topic. Last January, the long process of creating and agreeing on new legislation designed to reform the legal framework for ensuring the rights of EU citizens to a private life was completed, and the General Data Protection Regulation (GDPR – Regulation (EU) 2016/679) was born.

What does this mean?

Simply put, organizations must keep records of all personal data, prove that consent was given to collect that data, show where the data is going, the purpose of its use, and how it is being protected. Enforcement begins on May 25th, 2018. That’s much less than a year away.

What’s next?

Now that the final text of the GDPR is known, the next step for organizations is to identify how this new legislation will impact them and begin making the appropriate technological changes, as there are significant fines for organizations that are breached and found not to be GDPR compliant (20 million euros or 4% of annual revenue, whichever is greater). This penalty has the potential to sink businesses.

If you are reading this from a non-EU nation, this law still applies to you. Any organization that collects and stores the personal data of EU citizens falls under the long arm of this new law. Continue reading, as the reality of GDPR is that almost every website and app in the world will be required to comply with it in one way or another.

The good, the bad, the ugly

On one hand, the benefits are obvious. GDPR requires organizations to take a more sophisticated, considered approach to capturing data about their customers and to ensure it is processed correctly. It also gives citizens and residents more rights –

On the other hand, this forces organizations to accept a long list of responsibilities. If the organization processes data, it must:

Notify authorities within 72 hours of a breach?

This is a headline grabber. GDPR requires that organizations report all breaches to authorities, including the breached data and people affected, within 72 hours.

Damage to brand reputation could be tremendous. Based on a survey conducted by OnePoll, nearly 87% of respondents stated that they would likely not do business with an organization that suffered a data breach. That’s on top of all regulatory penalties.

To protect your business from financial and social disaster, it’s better to be prepared and do everything in your power to avoid a breach. Take a moment – is your firm able to demonstrate that it took all reasonable steps to protect personal data from threats?

Complexity is the enemy of security

For most organizations, passwords are the weak link – more specifically, how people use passwords.

Over the years, password policy has called for ever more complicated passwords in the name of stronger authentication. Today, average users not only struggle to create a “strong password,” they also have no hope of remembering it.

How do users cope with the demand for a “strong password”? It’s a habit for many people to write down passwords or, worse, reuse passwords across multiple services for convenience. Password reuse makes it easier for cybercriminals to hijack accounts and get their hands on sensitive and personally identifiable data – and not only the data of the person whose account was hacked.

Even though GDPR does not mandate two-factor or multi-factor authentication per se, a careful review of the law leaves no doubt that if static passwords are left in place and a breach occurs, auditors will come knocking on the door.

Why wait until a breach before implementing 2FA?

Two-factor authentication is simple to implement and affordable. It’s a security measure that mitigates most credential-based attacks, and it does not require much user training or a team of consultants to deploy. It’s low cost with a high impact.

Start now

Don’t wait until the law takes effect in May 2018 to prepare, secure users, and strengthen authentication. With stolen credentials being the leading cause of breaches, finding ways to combat this risk and reduce the threat landscape will help strengthen an organization’s overall security posture and avoid penalties.


Raili Liiva

Sales Researcher

Raili leads Messente's two-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijacking.
