We’re a few months into the official launch of the GDPR (General Data Protection Regulation) that went into effect May 25, 2018. If you’re still struggling to get compliant, you’re not alone. In fact, Gartner predicts more than 50% of companies affected by GDPR still won’t be in full compliance by the end of 2018. It’s not surprising, since this 99-article regulation is a lot to bite off and most organizations simply don’t know all the steps required to comply.
What is the GDPR?
GDPR is a broad-reaching regulation designed to protect the private data of Europeans in IT systems. It covers a broad range of topics, from how and when to notify regulators about data breaches to user transparency about what data is being collected and why.
You’re asking the wrong question
Most companies are still asking, “Does the GDPR apply to us?” From a purely technical standpoint, here are a few of the criteria that determine who’s impacted:
- You have customers, employees or contractors who are EU citizens or based in EU countries (and, yes, the United Kingdom counts)
- You do business in Europe, even if your business is located elsewhere
- You have an online presence (including your website) that’s available for Europeans to use
Spending your resources on trying to exclude your company from GDPR isn’t the best use of your time. And, there are other considerations that extend beyond regulations and fines, reaching all the way to your bottom line:
- You deal with business partners that want to be GDPR compliant (and if you aren’t, they won’t want to contaminate their compliant databases with your non-compliant data)
- You don’t focus on doing business in EU, but can’t stop EU citizens from visiting your website and leaving their personally identifiable information behind
- Trust is everything online and, if your website collects or processes user data, even via signup or contact forms, visitors expect you to keep their information secure and protected
A better question is, “How do we get compliant?”, since a majority of the GDPR requirements are best practices that most companies should have been doing all along. If that’s not incentive enough, let’s look at the consequences of not meeting these requirements.
Non-Compliance Can Be Crushing
Suffer a single data breach and you’re looking at a fine of up to €20 million or 4% of your annual turnover, whichever is greater. Just to put this into perspective, this would equate to $7 billion for Amazon, more than two years of profit. Plus, you may face additional fines based on the type of breach, data exposed, notification, remediation and response. And, this doesn’t include irreparable damage to your reputation or costs associated with insurance, legal fees and settlements.
SSL is an Essential Part of GDPR Compliance
Though the GDPR doesn’t contain any specific section on the use of SSL certificates, it includes clear requirements that can only be addressed through digital certificates. Article 32 of the regulation (“Security”) begins this way:
… the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Basically, GDPR states that, if your site collects and stores any information from your users, you have a responsibility, as a data controller or data processor, to keep this information secure and protected, including encrypting personal data and ensuring ongoing confidentiality. Verizon’s Data Breach Investigations Report cites lack of encryption and lack of security when handling confidential information among the most common causes of breaches, so these requirements make perfect sense. And, alarmingly, only 4% of breaches reported involved data protected by encryption, which would have rendered the data useless to cybercriminals. If you suffered a breach, wouldn’t you at least want to make sure your company and customer data couldn’t be decrypted by evildoers?
SSL certificates have been the de facto encryption and authentication standard for all confidential web communications for more than 30 years. Not having an SSL certificate increases your risk of a data breach. If you have an eCommerce website that takes user payment information such as bank account details, having an SSL certificate is a necessity. But, even if your site is a static HTML page that doesn’t sell anything and has no contact-us or signup forms, you still need an SSL certificate to avoid Not Secure browser warnings.
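Having a certificate installed is only half of the job: a single script, image or form that still points at plain http:// makes the browser flag the page as Not Secure and sends form data unencrypted. The following audit is an added example, not code from the original article; it scans page HTML for those mistakes, and the sample pages and example.test hostnames are constructed.

```python
"""Audit HTML pages for resources and forms that fall back to plain HTTP.

Added example (not from the article). Flags two things that break the
"every page over HTTPS" goal: sub-resources fetched over http:// (mixed
content) and <form> elements whose action submits user data over http://.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "audio": "src", "video": "src", "source": "src"}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload"}


class _Auditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in RESOURCE_ATTRS:
            self._check(tag, attrs.get(RESOURCE_ATTRS[tag]), "mixed-content")
        elif tag == "link" and FETCHED_LINK_RELS & set((attrs.get("rel") or "").split()):
            self._check(tag, attrs.get("href"), "mixed-content")
        elif tag == "form":
            # A form without an action posts back to the page's own URL.
            self._check(tag, attrs.get("action") or self.page_url, "insecure-form")

    def _check(self, tag, target, kind):
        if target and urlsplit(urljoin(self.page_url, target)).scheme == "http":
            self.findings.append((kind, tag, urljoin(self.page_url, target)))


def audit_page(page_url, html):
    """Return a list of (kind, tag, url) findings for one page."""
    auditor = _Auditor(page_url)
    auditor.feed(html)
    return auditor.findings


def audit_site(pages):
    """Audit {url: html}; return {url: findings} for pages with problems."""
    report = {url: audit_page(url, html) for url, html in pages.items()}
    return {url: f for url, f in report.items() if f}


SAMPLE_PAGES = {  # constructed sample pages
    "https://example.test/contact": '<link rel="stylesheet" href="https://cdn.example.test/site.css">'
        '<script src="http://cdn.example.test/analytics.js"></script>'
        '<form action="http://legacy.example.test/submit" method="post"><input name="email"></form>'
        '<img src="/logo.png">',
    "https://example.test/about": '<a href="http://example.test/">Home</a>'
        '<form method="post"><input name="q"></form>',
}

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        for kind, tag, target in findings:
            print(f"{url}: {kind} in <{tag}> -> {target}")
```

Plain `<a href="http://...">` links are deliberately not flagged: they do not load anything into the page, though an HTTP-to-HTTPS redirect on the server should still catch them.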
SSL Delivers Other Business Benefits
If you’re still on the fence about investing in an SSL certificate, consider the benefits to your business that go way beyond GDPR compliance.
Faster Website Performance — In this “I want it now” world, no one’s going to wait for your webpages to load. SSL certificates enable HTTP/2 to speed up page loads and deliver a great visitor experience.
Boost Search Engine Traffic — Google rewards websites that serve every page via an encrypted HTTPS connection with as much as a 5% boost in search engine rankings. That means more people clicking through to your site.
Optimize the Mobile Experience — The most in-demand mobile features, including geo-location, device orientation, full-screen, microphone and camera, are only enabled over sessions protected by SSL certificates.
Increase Conversions — According to Comodo’s DevOps June 2018 EV study, 50.2% of respondents are more likely to engage in financial transactions when an EV green address bar is present. And, testing has shown typical increases of around 10% more completed transactions.
Avoid Phishing Attacks — Cybercriminals might squeak by domain validation with a DV certificate and fool visitors with “Secure” in the address bar, but the more in-depth vetting process for Extended Validation (EV) SSL certificates helps ensure only legitimate sites are approved.
Check SSL Off Your GDPR Compliance To-do List
Making sure all your website pages use SSL certificates to authenticate and encrypt communications is a smart step toward meeting the GDPR requirements. And, even if you’re not technically impacted by the GDPR, you should be using digital certificates to protect your customers and maximize visitor confidence. Every day you go without SSL, you’re scaring away visitors with Not Secure warnings. Review your SSL options to make sure your website instantly builds trust and satisfies the GDPR’s requirements for encryption and confidentiality.