In May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) will come into effect. It’s the most comprehensive piece of privacy legislation developed by any jurisdiction to date and goes way beyond the requirements of Australia’s current privacy regulations.
You may be wondering whether it affects Australian businesses. The short answer is that any Australian company that holds, controls or processes the personal data of EU residents, whether they are customers or employees, needs to be aware of it and be compliant by the May deadline.
The penalties for non-compliance are steep: fines starting at €20 million (AU$31.2 million) and rising to as much as four per cent of global revenue, as well as sanctions that include the power to stop a company trading in the EU.
There will be statutory obligations, including the implementation of technical and organisational security measures, as well as indirect stipulations such as running a due diligence process when on‑boarding a supplier, ongoing monitoring and exit management.
Every Australian company needs to be asking itself right now what its data footprint is in the European Union, and whether it has visibility of and control over the personal data it collects: how is it used, and who is it shared with?
At any point after May, any organisation could be asked to provide evidence of GDPR compliance to EU or Australian privacy regulators, so it needs to be aware of this and fully prepared for it to happen. And while Australia is 14,000 kilometres from Europe, many organisations will be affected by the EU's GDPR. Some companies may regard it as a straightforward regulatory compliance exercise; others will see an opportunity to gain a competitive advantage through the level of digital trust they are perceived to have earned in handling personal information.
Enhancing Digital Trust
In today's digital world, astute companies have recognised the enormous value of gathering huge swathes of customer data for analysis, segmentation and targeting purposes. As globalisation marches on and data flows easily across borders, the regulatory complexity associated with data protection and privacy grows with it.
Consequently, risks associated with data protection and privacy will cease to be managed from a national regulatory standpoint alone, and Australian companies now need to consider the protection of customer data from a global perspective. The Office of the Australian Information Commissioner (OAIC) recommends that organisations here start evaluating their information handling processes and governance, seeking professional advice if they need it, so as to bring about the required changes in advance of the introduction of the EU GDPR.
Achieving GDPR compliance
The law will impose a range of new rules that have not been introduced under local Australian legislation. Being compliant by 2018 requires significant preparation and an investment in skilled resources, particularly for non-EU entities. Some companies may find they have difficult choices to make about their priorities, and some may feel that the risk of trading with the EU while unsure of their compliance is greater than the potential reward.
Security and Privacy Risk Readiness Assessment
The best course of action is to conduct a Security and Privacy Risk Readiness Assessment, which companies can either carry out internally if they have the skills or outsource to a professional security testing specialist. The process of identifying and mitigating potential risks ensures that Australian companies define a roadmap for GDPR compliance and have enough time to test, refine and implement a breach-response plan that meets GDPR's 72-hour notification requirement.
That risk assessment should include:
- Identifying critical data collection sources
- Reviewing the safeguards that protect personal data privacy during collection, processing and storage
- Reviewing the limits and conditions on collection and usage of personal data
- Reviewing the authorisation rules for personal data usage and disclosures
While non-compliance represents a significant financial and reputational risk, I would strongly suggest that achieving compliance with the EU GDPR also presents a significant opportunity: Australian organisations can be admired for the high level of digital trust they demonstrate in handling the personal information they hold on EU citizens.