Article by Alban Schmutz, OVH vice president
Failure to comply with the EU’s General Data Protection Regulation (GDPR) can result in significant penalties for data breaches when it comes into effect. The likelihood that Australian companies are leaving themselves exposed to the consequences of non-compliance is a true and present danger.
From May 2018, the GDPR takes over from existing laws. It sets new, more stringent personal data protection laws that not only apply to European companies but must be abided by any organisation that handles the personal data of a European citizen.
To effectively mitigate risk, the onus to meet compliance criteria shouldn’t be underestimated. To date, most have only had to consider local privacy laws, however, as Australian organisations engage in the global economy, they must consider global approaches to their operations and meet customer expectations in the countries in which they operate.
To protect its citizens from privacy and data breaches in an increasingly data-driven world, the GDPR mandates the use of appropriate data protection standards. This applies to all industries, which means no one is immune.
The GDPR ultimately seeks to ensure the protection of individuals with regard to the processing of personal data and the free movement of such data. So, while the process of compliance may be arduous, the outcome is a virtuous one.
The GDPR provides unprecedented privacy protections that strengthen the rights individuals have to control their own data. So, if you look at the virtues of data protection, providing your customers with assurances around how their personal data is handled is a favourable outcome.
This level of transparency will deliver a level of trust that will build positive relationships because your customer knows their personal information is protected. As such, compliance promises to add value by delivering best practice customer service, which is ultimately good for business and the bottom-line.
First, you should read the GDPR, and the additional guidelines published by European Data Protection Authorities. Once you have a better understanding of what it is, you will be better placed to identify whether it is an issue for you or not. Get an understanding of where your potential risks reside and investigate to what extent you are required to comply.
Also, understand that the GDPR is still a work in progress so getting an early working knowledge of its framework will greatly assist the process of compliance down the track. Working with professionals who already have the knowledge or tools to take you down the correct path could also be of great assistance.
A good place to start is by beginning to undertake mapping of your internal processes in relation to handling customer data. This will allow you to identify potential points of exposure and where compliance needs to be implemented.
Once you’ve evaluated your risk, the path to compliance requires defining a workable plan to implement the required changes. Mapping gives you the ability to critically determine potential exposure points and whether vulnerabilities are yours, your suppliers or from external providers.
If for example, you are working with a cloud provider, ask them if they comply. The CISPE association (Cloud Infrastructure Services Providers in Europe) has been working with the EU to develop the CISPE Data Protection Code of Conduct to ensure Cloud Infrastructure offerings are compliant with the GDPR requirements. Ask your supplier whether they’ve met the criteria set out in the Code of Conduct.
A breach is a breach. So, if someone in your external network or “value chain”, like a cloud/SaaS provider breaches the GDPR, liability could come back to you. You should be asking your cloud provider to demonstrate your compliance with the GDPR.
The jurisprudence will probably set better and/or more precise rules. Keep in mind the financial fine could be up to 4% of the worldwide turnover (limited to 20 million euros).
The GDPR states that Personal Data has to be protected by design, through the implementation of technical and organisational measures including pseudonymisation or data minimisation. Therefore, basic cybersecurity measures won’t be enough to ensure data protection.
Each process or platform needs to be (re)designed taking those principles into account. You need to look beyond technology and adopt the appropriate processes to meet the evolving regulatory and threat landscape.