Not enough American companies are ready for the GDPR—the General Data Protection Regulation, adopted last year in the European Union and set to go into effect in May of 2018. According to research from Spiceworks, only 5% of US companies are currently preparing for these data protection regulations. On the face of it, that lack of preparation seems reasonable: after all, the regulation only affects companies that handle data from EU citizens.
Here’s the thing, however: Does your company have a website? If so, is that website currently accessible to citizens from the EU?
As long as an EU citizen could potentially visit your website, if you provide products or services to EU companies, or if you have an EU branch office, you are subject to the GDPR.
A lot of companies might think that if they’re following commonsense security practices, they can just give their CIO a second hat as a “data protection officer” and call it good. However, this is a great way to get hit by fines that are projected to increase 79x over levels of previous regulations.
Many people are familiar with the broad strokes of the GDPR, but not many people are familiar with the edge cases. Most IT professionals, when asked about the GDPR, will mention things like “the right to be forgotten.” Fewer of them will be familiar with things like, for example, WiFi monitoring.
Wait, WiFi Monitoring Is Covered Under the GDPR?
Yes. WiFi is mentioned in two ways. The first way has to do with consumer privacy. Under the GDPR, companies will no longer be able to provide free WiFi to consumers in exchange for their browsing data. Collecting browsing data is a fairly common practice for retailers, hotels, coffee shops and other customer-facing businesses. Providing free WiFi costs money, so businesses defray the cost by selling the browsing data they collect to advertisers. Under the GDPR, this practice will be banned.
Does this mean that free WiFi in Europe is going the way of the dodo? Not necessarily. Customers will need to affirmatively agree to share data, or WiFi providers might switch to ways of providing access that don’t require them to store customer data.
The GDPR also mentions WiFi indirectly, stating that organizations must “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” of the service they’re providing. In other words, businesses must start implementing best practices around securing publicly available WiFi, including:
- Using WPA-TKIP to authenticate users (note that the Wi-Fi Alliance has since deprecated TKIP; WPA2 with AES-CCMP is the current baseline for a protected network)
- Regularly changing the administrator password for WiFi access points
- Monitoring the environment for attempts to divert customers to so-called “evil twin” networks to steal personal information
These are commonsense security procedures, but they’re not in wide use. For example, up to 50% of publicly available WiFi access points in the US are either completely unsecured, or secured using out-of-date encryption protocols such as WEP.
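As an added example (not code from the original post), here is a small Python audit that applies two of the practices above to a site survey: it flags an unknown access point advertising one of the business's own SSIDs, which is the evil-twin pattern, and any access point still using open, WEP or TKIP security. The SSIDs, BSSIDs and survey records are constructed for illustration; a wireless IDS or site-survey tool would supply the real input.

```python
"""Audit a WiFi site survey for evil-twin candidates and weak encryption.

Added example, not from the original post. All SSIDs, BSSIDs and
survey records below are constructed.
"""
from dataclasses import dataclass

# WEP is the out-of-date protocol the post mentions; TKIP is deprecated
# by the Wi-Fi Alliance; OPEN means no encryption at all.
WEAK_SECURITY = {"OPEN", "WEP", "WPA-TKIP", "WPA2-TKIP"}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # access point MAC address as seen in the beacon
    channel: int
    security: str   # e.g. "WPA2-CCMP", "WEP", "OPEN"


def audit(beacons, authorized):
    """Return (bssid, ssid, reason) findings for a list of Beacon records.

    authorized maps each SSID the business owns to the lowercase BSSIDs
    of its own access points. An unknown BSSID beaconing one of those
    SSIDs is an evil-twin candidate; weak security is a separate finding
    so the AP inventory can be fixed.
    """
    findings = []
    for b in beacons:
        if b.ssid in authorized and b.bssid.lower() not in authorized[b.ssid]:
            findings.append((b.bssid, b.ssid,
                             "unknown BSSID advertising our SSID (possible evil twin)"))
        if b.security.upper() in WEAK_SECURITY:
            findings.append((b.bssid, b.ssid, f"weak security {b.security}"))
    return findings


# Constructed inventory: the business owns two "CafeGuest" access points.
AUTHORIZED = {"CafeGuest": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed survey: two legitimate APs, one rogue twin, one WEP AP, one neighbor.
SURVEY = [
    Beacon("CafeGuest", "00:11:22:33:44:01", 6, "WPA2-CCMP"),
    Beacon("CafeGuest", "00:11:22:33:44:02", 11, "WPA2-CCMP"),
    Beacon("CafeGuest", "DE:AD:BE:EF:00:01", 6, "OPEN"),        # rogue: same SSID, unknown BSSID
    Beacon("BackOffice", "00:11:22:33:44:03", 1, "WEP"),        # our own AP, out-of-date encryption
    Beacon("NeighborNet", "AA:BB:CC:DD:EE:FF", 3, "WPA2-CCMP"),  # unrelated network, no finding
]

if __name__ == "__main__":
    for bssid, ssid, reason in audit(SURVEY, AUTHORIZED):
        print(f"{bssid} {ssid}: {reason}")
```

The rogue record produces two findings (unknown BSSID and open security) and the WEP access point one, so the sample survey yields three lines.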
Do We Really Have to Care About How We Provide WiFi Under the GDPR?
Many of you may dismiss out of hand the prospect that you need to change the way you provide WiFi because of the GDPR. But it will affect some American companies more than others. Here are some industries that may need to be on the lookout:
- Any US-based coffee shops, restaurants or hotels with branches in the UK or the EU
- Any US-based companies that provide WiFi to EU establishments as a third-party service (for example, in the way that Google provides WiFi for Starbucks coffee shops)
- Any US-based airline that flies to destinations inside the EU and offers in-flight WiFi
There are almost certainly more examples, but this covers a large swath of organizations—some of whom are statistically unprepared for the GDPR to take effect. For companies that might be even vaguely affected by the GDPR, it is definitely better to be safe than sorry. No level of preparation is an overreaction when the stakes of the GDPR—and the fines—are so high.
Whether you’re affected by the GDPR or not, make your WiFi network performance a priority—it is important to both the security and the productivity of your company.