GDPR and End of Life Software
Are you absolutely sure that you're fully complying with GDPR regulations and directives? You need to be certain of this, because if you don't comply there could be some serious pitfalls ahead. We all have responsibilities, so it's essential that we know exactly what is required of us.
In my position, I have a duty of care to advise you on best practices, and to ensure that your websites continue functioning 24/7/365 without grief! I can only do that with your cooperation in the event that your applications are approaching end of life. And since the implementation of GDPR in May 2018 the stakes have got a lot higher. Now it's not just me telling you, the European Union are saying it as well - and they're enforcing it to the letter.
Outdated software is always going to mean a jackpot for hackers, but there are some website owners who are seemingly willing to roll that dice! Unfortunately there's now another implication, and this one can do you more damage than any hacker is capable of doing. And that is failing to conform to GDPR compliance!
GDPR is about risk assessment and mitigation. If businesses use software that is EOL (End of Life) they are knowingly, or unknowingly, increasing their levels of risk and in breach of GDPR. If you fall into this category then you are likely to face the heaviest penalties if personal data is compromised.
That applies to everybody, irrespective of whether you're in the EU or not. For example, if you're in the US, the HIPAA Security Rules state that entities must “implement security measures sufficient to reduce risks and vulnerabilities". And if you're using unsupported or EOL software then you are in breach of this regulation.
So how does all this affect you and us?
In your case if you use outdated software and there is a data breach you face huge fines. In the first 9 months, 206,326 cases were reported!
The biggest so far is Google who had a €50 million fine levied in France, then the levels vary according to the severity of the breach. A Healthcare organisation in Germany had an €80K fine for exposing sensitive personal data, and even a small social site there got hit for €20K for storing user passwords in plain text.
In our case, we cannot provide you with EOL and outdated software. If we do, then we are in breach of GDPR regulations for using insecure applications to handle clients' data.
My ignorance or your ignorance doesn't cut it! We are all accountable, so we need to be aware of the possible ramifications of breaching GDPR regulations. Let me be absolutely clear here......the financial penalties in the event of a data breach are potentially crippling as you can see HERE!
I also suggest you review a summary of the regulations HERE......in particular the directive "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing".
What's caused this scenario?
It's down to the accumulation of data breaches over the last 25 years due to the casual attitudes of website owners, which also includes Government departments and large enterprises, who never took security seriously. Then throw in the massive corporations who've deliberately misappropriated users' personal data for both financial and political reasons.
This has now led to a situation where we're being monitored, and held to account, as if we're living in a world borrowed from the dystopian fiction novels of George Orwell!
To summarise.....I've always kept clients aware of the dangers of end of life software. However, I'll openly admit that in the past I have allowed a little bit of leeway for them to get their sites updated. Or if they choose to do so, move their accounts elsewhere and continue to take the risk. But I cannot do that any more......otherwise we'll all be breaching GDPR regulations. So if a client is approaching the point of EOL software on thir account, the situation needs to be addressed prior to expiry........not at some point after that date.
There may well be providers who will take this risk because they don't want to jeopardise their income stream. We won't do that.........the penalties for data breaches are too severe to leave anything to chance.
So we're all in the same boat here inasmuch as we have to ensure that we are in full compliance with GDPR regulations. Be aware that there's no "Get out of Jail" card on this one!