Getting GDPR Compliance To The SMB Sector

Anyone who works with the SMB sector on GDPR compliance will know it’s a tough audience to reach.

The best way to engage someone is to demonstrate how they, personally, may be at risk. Once they realise we are all data subjects and the protections of the GDPR are there for us all, the conversation about business compliance becomes easier.

But exactly how do we do that?

Have you ever heard of a guy called Troy Hunt? He’s an Australian web security expert and a bit of a legend in the data breach world.

He’s authored popular security-related courses on Pluralsight and created ASafaWeb, a tool that performs automated security analysis on ASP.NET websites. Starting in 2011, Hunt was named a Microsoft Most Valuable Professional (MVP) in Developer Security, recognized as a Microsoft MVP of the Year in 2011 and then named Microsoft Regional Director in 2016.

Most pertinently, he created Have I Been Pwned? (HIBP), a data breach search website that allows individuals to see if their personal information has been compromised.

Quite often I’ll encourage people to use the tool to check on their own digital security. Users search to see if their email address or password has been breached. Of the roughly 50 people I know who have used it, only one search has come back breach-free. Just one. In most cases users find out they’ve been breached multiple times over the last few years.

But before you start hitting the searches please read on!

It’s important for us professionals to check the privacy measures of the breach tool itself. They are explained further in the website’s Privacy Notice.

The tool allows you to search any email address without logging in, and some will question the ethics of this. Troy addresses this in this blog post, and it makes for an interesting read. When the Ashley Madison security breach happened in 2015, Troy had to rethink this approach. He introduced the concept of more sensitive breaches, which you can only view if you have logged in and verified your email address.

Troy’s argument is that if we make it too difficult for users to find out if they’ve been breached, they simply won’t do it. And if people aren’t informed, how will they be able to take action to protect themselves?

A tool like this is so quick and simple to use. You pop in your email address and can immediately see the breached sites (you’ll recognise them) in which your address appears. It’s even more concerning when you pop in a standard, ritualistic password only to find it’s been compromised. When you watch someone process this information for the first time you can almost see the light bulb switch on in their minds. That little bit of knowledge goes a long way to motivate people to take further action.

The HIBP website isn’t strictly GDPR compliant; at the very least, its Privacy Notice is lacking some key information for European users. However, the tool is technically sound, built with privacy in mind, and the data is processed securely.

It may be a little controversial for privacy professionals to use a tool that is not strictly GDPR compliant, but it’s probably the most effective tool I’ve found to help educate people. And isn’t that the irony of privacy and data protection in 2020?

Now that you know the good, the bad and the ugly, will you try the tool? Check in on your digital security and start 2020 on the right digital foot:

Check if your email address has been breached here:

And your password here:

If a password has been breached, consider where else you’ve used that password. Always be mindful of priority accounts, i.e. the email addresses your banking accounts are linked to.
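The obvious objection when you ask someone to type a live password into a third-party website is “now they have my password”. The password check above avoids that: the client hashes the password with SHA-1 locally and sends only the first five hex characters of the hash to the range endpoint, the service returns every suffix in that range with its count, and the comparison finishes on the client (the k-anonymity model HIBP’s Pwned Passwords uses). The walkthrough below is an added example, not code from this post or from HIBP; the range response is a constructed sample with made-up counts, and `offline_fetch_range` is a stand-in for the real HTTPS request so it runs offline.

```python
"""Offline walkthrough of the Pwned Passwords k-anonymity range check.

Only the first five hex characters of the password's SHA-1 hash leave the
client; the server returns every suffix in that range and the client finishes
the comparison locally. Network access is replaced by a constructed sample.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the range endpoint's reply for prefix "5BAA6".
# Format is "HASH_SUFFIX:COUNT" per line; the counts here are made up, and the
# zero-count line mimics the padding entries the real API can add.
SAMPLE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"  # SHA-1("password") minus its prefix
    "1E59A4C2C41A2E8D2D0B9C1A2B3C4D5E6F7:2\r\n"
    "1F2A3B4C5D6E7F8091A2B3C4D5E6F708192:0\r\n"
)

REQUESTED_PREFIXES: List[str] = []  # what the stand-in "server" actually received


def hash_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerates CRLF, blank lines and lower-case hex."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def offline_fetch_range(prefix: str) -> str:
    """Hypothetical transport: records the prefix and returns the constructed sample.

    A real client would GET https://api.pwnedpasswords.com/range/<prefix> here.
    """
    if len(prefix) != 5:
        raise ValueError("only the 5-character hash prefix may be sent")
    REQUESTED_PREFIXES.append(prefix)
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the (sample) corpus; 0 means not found."""
    prefix, suffix = hash_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, change it everywhere it is reused" if n else "not in this sample"
        print(f"{candidate!r}: {verdict}")
    print("prefixes that left the client:", REQUESTED_PREFIXES)
```

The count that comes back is the useful number for the conversation in this post: a password seen millions of times is in every attacker’s wordlist, so the advice is not just to change it on the site where it was breached but everywhere it was reused, starting with the accounts that guard email and banking.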

The tool is free to use but we can and probably should donate to help keep HIBP in operation.