The essential measures needed for merchants to comply with the new European Union Data Protection Regulation of 2014 should be implemented now if SMEs want to truly protect their businesses.

The European legislative changes planned for 2014 will unify data protection practices across the EU, standardising requirements around public disclosure and the penalties if a breach should occur at a business that has failed to adequately protect its data.

For all organisations that store or process payment card transactions, the significant change that 2014 will bring is reclassification of payment card information as personal data, and therefore it will be legally treated as such. This means businesses will have to ensure security and compliance processes are up to scratch to meet the mandated requirements and avoid legal action.

What will this mean for Small- and Medium-sized Enterprises (SMEs)?

Smaller organisations are no less susceptible to data breaches than larger organisations and are increasingly seen as easier pickings. They often lack the necessary resources, such as a dedicated data controller or security officer. This means that the role of managing data security is often foisted onto the business owner or delegated to an untrained employee.

Fortunately, the existing Payment Card Industry Data Security Standards (PCI DSS), a set of best practise security guidelines set up by the credit card companies, form a good basis on which to protect both payment and non-payment data if correctly implemented and continually enforced.

There is however a counterpoint: A breach based upon a failure to correctly enforce PCI DSS exposes a merchant to therisk of penalties under both regulatory regimes.

As it stands today, when data is lost or stolen it’s only the government and the telecommunications industry that are required to formally declare a breach as having occurred. Once the EU regulation is in place, investigations by the relevant authorities will be standard across all sectors, as will the requirement to proactively notify victims and regulatory bodies alike.

If an organisation fails to adequately protect data, fines are posited to cost a business two per cent of global turnover, and the required forensic investigations are exceptionally disruptive for any organisation. Organisations of all sizes have a responsibility to safeguard the personal information of their employees—something still frequently overlooked within the SME sector. A breach on employee data can have as dramatic an effect as losing customer data, since it can easilyform the basis for identity theft.

Before 2014

Looking ahead to next year, we would advise SMEs to get up to speed on security and prepare for further regulation in their longer-term business plan. The introduction of legislative changes surrounding data protection is a clear message that Europe’s lawmakers are taking data protection seriously, and SMEs have no option but to find a way to implement appropriate processes or procedures or face the ignominy of a data breach.

Important factors to be considered now by SMEs are:

  • Taking time to fully understand all elements of data protection, including point-to-point encryption, data breach notifications, data transfer compliance, etc
  • Regular and consistent staff training on data protection
  • Building long-term relationships with qualified security vendors
  • Executing audits and privacy assessments
  • Supplier/partner audits, encryption, agreed service levels, data breach notifications, supplier due diligence.