Providing Free WiFi
Whether you are providing free WiFi (wireless internet access) in a café or a large 5-star hotel, there are some legal considerations to think about before you allow the public access to your internet connection.
“In an ideal world there would be free WiFi everywhere, but it is not as simple as that” G5 Technologies Director, Steve Brand explains; “Someone needs to pay for the internet connection and the related hardware and maintenance of your system. Not only can poor WiFi provision be the cause of many customer complaints but there are also various laws and regulations that apply to the operation of public WiFi.
The regulations are a bit of a grey area, so to avoid a hefty fine of up to £50,000 for customers or staff downloading copyrighted material, you need an effective managed WiFi system in place that can manage your bandwidth, users and provide the following functions”:
Discourage illegal downloading
A case was reported recently where a pub owner allegedly received an £8000 fine because a user had downloaded copyrighted material over his open WiFi hotspot. Whether he was fined in the end is unclear, but it is a good reason not to allow the public unmanaged internet access. If you are unable to block peer to peer traffic with your current infrastructure, then it is time to upgrade. This will also ensure that one individual is not hogging the bandwidth and affecting internet access for other legitimate users.
Discourage criminal activity
Under the Anti-Terrorism, Crime and Security Act 2001 you need to be able to identify who is using your network. Authorities worldwide track illegal activities by tracing suspicious internet traffic back through the ISP (internet service provider). This is very difficult to do without the proper infrastructure in place. Anyone can install a wireless access point on their network and say they provide WiFi, but this is insufficient and could potentially allow users access to your own data.
Data Protection
Under the Data Protection act 1998, private information must not be systematically and unnecessarily recorded and any user of internet access services in a public place is entitled to request, at any time, details of his/her personal information. Failure to securely maintain and make available data is an offence and may lead to hefty fines. Again, you need more than just a basic wireless access point to ensure you can do this.
GDPR Compliance
GDPR came into effect on the 25th May 2018 and regardless of Brexit, the UK must comply. If you provide free WiFi to your customers you will have to ask for consent to collect and store their personal data before they can use the service. Penalties related to data breaches start at €10 million and rising to as much as €20 million or 4% of a business’s annual turnover, depending on which is higher. This could be devastating to most businesses.
The terms & conditions for your WiFi service need to be very clear on what data you are collecting, the reasons why, your intended usage of such data and the ability for the public to opt-in for any marketing, as well as providing them clear instructions on how they can opt-out at any time.
Our managed WiFi service G5Zone™ can help you with this by offering branded login pages with GDPR and legal compliance built in.
G5 ensured all our clients were compliant with the General Data Protection Regulation before the May 2018 deadline. If you have G5Zone™ managed WiFi, our standard T&Cs are in line with the new GDPR framework.
Many WiFi networks still not GDPR compliant
Steve Brand, Managing Director of G5 Technologies goes on to say: “WiFi networks, particularly within the hospitality sector, are a cybercriminals’ dream due to the desirable data available, however most businesses have been slow to react.
If you have inadequate data protection policies and practices in place, your staff may unwittingly be giving cybercriminals easy access to guest names, addresses, mobile numbers, card details, passports, driving licences, car registration plates, hotel room numbers and more.
If guests need to provide personal details to access your WiFi, their email address and password could also be at risk.
But what are the consequences? By accessing personal guest information, a cybercriminal can gather everything they need to clone someone’s identity, access their financial details and even physically access their home – making hospitality a hot spot for cybercriminals.
The hospitality sector is not alone and is just one example of why the EU General Data Protection Regulation (GDPR) has been developed – to ensure that adequate data protection is incorporated into the process of collecting and maintaining personal data regardless of your sector.
If it’s going to be compliant, your WiFi solution must have data protection built in. Failure to do so, could result in fines of up to 4% of turnover if you suffer a data breach.
Where do I start?
The best place to start is with a security audit of your business to review all current practices and ensure they are in line with GDPR regulations. The following checklist will help get you thinking about whether your WiFi is compliant or not:
• Regularly change passwords for admin logins and ensure any default passwords are changed immediately. Cybercriminals will exploit common passwords like “PASSWORD” so make complex passwords standard procedure. Avoiding basic security errors will help avoid a data breach.
• Up to date antivirus is a bare minimum for all PCs, we recommend you have anti-malware too. Windows 10 comes with this as standard.
• You MUST have a separate guest WiFi network to your own work network, if you don’t, change this immediately. It is easy for a hacker masquerading as a guest to access your business sensitive information as well as your guests’ private data.
• Ensure your guest WiFi users are segmented from any other network using Vlans and enable client isolation so client devices cannot see each other
• Apply software updates to all internet devices as soon as they become available, this helps protect against vulnerabilities in software that cybercriminals exploit
• Article 32 of the GDPR specifically addresses the requirement for businesses to provide robust data security, to enable secure access and secure processing of data. “processing”, in relation to information or data means obtaining, recording or holding the information. You may not think you are a data processor by providing WiFi, but all routers store information about your guests including IP address, device name and MAC address.
• Businesses, across all sectors, must have a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring top-level data security. To comply, a high standard of network security must be implemented which will ultimately protect its integrity from the increasingly frequent and sophisticated malware attacks on networks and devices around the world. If you haven’t already thought about Cyber Essentials certification for your business, then now is the time to do it (link to cyber essentials)
• Explicit consent from individuals must be obtained to collect their personal data – guests must therefore be presented with a clear option to opt-in to any marketing you may be thinking of sending them.
• The reason for data collection must be clearly specified and communicated to guests so they are aware of how their data will be used, before agreeing to consent.
• Any personal data processed must be profiled and segmented lawfully, fairly and in a transparent manner. This process covers the collection and manipulation of data to gain insights and produce meaningful information. Processing should not take place for reasons outside of the initial purpose specified.
• Any data held must be kept up to date and regularly reviewed for accuracy.
• Data should only be kept for as long as it is needed, for the reason it has been collected for. While, there is no specific minimum or maximum periods for retaining personal data the ICO states: “Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In practice, this means that you will need to:
• Review the length of time you keep any personal data, this could be employee data, suppliers’ information or customer marketing records
• Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
• Securely delete information that is no longer needed for this purpose or these purposes
• Update, archive or securely delete information if it goes out of date
• If individuals exercise their right to be forgotten, they must have visibility of the data stored about them or have any stored data updated by means of a clear process. Any requests by individuals to update their data, be forgotten or for disclosure of what is held about them, must be handled within one month of the request.
Data is at the core of most businesses and will continue to be for the foreseeable future, but just because data is stored electronically, it doesn’t mean it is safe and secure. With company and guest data constantly at risk, data protection requires an effective strategy to ensure data is protected. Whether it be hard drive failure, loss from natural disasters or malicious cyber-attacks, data protection and the GDPR should be taken seriously. Data loss or incidents have the potential to jeopardise your business and your customers in seconds, so don’t ignore it.
What about consent?
According to itgovernance.gov, organisations that continue to provide WiFi , will still need a legitimate reason to process data however, this doesn’t necessarily mean gaining consent. There are six lawful bases for collecting data, and consent is the least preferable because it can be hard to obtain and maintain. However, in this instance many organisations will find themselves having to rely on it.
G5 have updated the consent policy on all log in pages and created a user account system that allows business owners to log in to rectify and erase any data they no longer want to share.
All organisations that rely on consent will need a system similar to this however there is another option. Shane Buckley, CEO of WiFi company Xirrus, says organisations may choose to implement federated identity management (FIM) technology or in simple terms, social media sign-ins.
He said: “There is no need to store any customer data with FIM, which makes it an attractive route for public WiFi providers seeking cost-effective GDPR compliance.
“Many people already use the process regularly when using their Facebook profile to access a third-party website or app. Similarly, a secure federated login replaces the collection of personal data to allow customers to auto-connect to public WiFi networks.
So, as you can see, having a compliant guest WiFi network is even more important since the GDPR came into effect in May 2018. Therefore, for any businesses that hold data (and let’s face it, we all do) the benefits of a fully managed WiFi network like G5Zone™ with increased cyber security and data compliance make it a worthwhile investment. Because we can also link it to your social media accounts via G5Zone™ Social WiFi, you can also achieve a return on your investment.
Based in Westhill, Aberdeenshire, G5 Technologies Ltd are a leading provider of high speed, secure, public WiFi with 24/7 support and free installation. If you have any queries about compliance or the security of your existing WiFi network please contact Steve Brand on 01224 443 896 or at info@g5tech.com
