The European Union's (EU) General Data Protection Regulation, scheduled to come into force on May 25th, will affect all organisations that handle personal information from European citizens. So why are Australian organisations, many of whom have customers and employees in the EU, so unprepared for the General Data Protection Regulation (GDPR)?
It is the most comprehensive piece of privacy legislation developed by any jurisdiction to date, and it goes well beyond the requirements of Australia's current privacy regulations. An update to those regulations comes into effect on 23 February and will effectively force Australian organisations to report any data breaches to the Australian Information Commissioner.
While many Australian companies will be focusing their attention on compliance with the Australian legislation, many are unaware that any Australian company holding, controlling or processing the personal data of EU residents, whether customers or employees, must be compliant by the GDPR deadline in May.
Australian organisations that trade with the EU are grappling with how to ensure compliance with yet another privacy law while still maintaining solid business processes. The bad news for businesses is that yet another privacy regulation to comply with may become a new barrier to trade with the EU.
The good news though, for Australian consumers, is that both the GDPR and our own privacy legislation are serving as the impetus for companies to put consumer data protection top-of-mind.
It is definitely not to be ignored or assumed to be a problem for European companies only: penalties for non-compliance are steep, starting with fines of €20 million (AU$31.2 million) and going as high as four per cent of global revenue, as well as sanctions including the power to stop a company trading in the EU.
Statutory obligations will include implementing technical and organisational security measures, along with indirect stipulations such as deploying a due diligence process when onboarding a supplier, ongoing monitoring, and exit management.
Every Australian company should be asking itself: what is its data footprint in the European Union, and does it have visibility of and control over the personal data it collects? If the answer is yes, how does it use that data and with whom does it share it?
At any time from May 25 onwards, any organisation could be asked to provide evidence of GDPR compliance to EU or Australian privacy regulators, so they need to be aware of this and fully prepared for it to happen. And while Australia is 14,000 kilometres from Europe, many organisations will be impacted by the EU's GDPR. Some companies may regard it as a straightforward regulatory compliance exercise; others will see it as an opportunity to demonstrate a competitive advantage in the level of digital trust a company is perceived to have earned over the personal information it holds.
Regulatory complexities of data privacy
In today's digital world, astute companies have recognised the enormous value that is associated with gathering huge swathes of customer data for analysis, segmentation and targeting purposes. As globalisation marches on and data flows easily across borders, so does the regulatory complexity associated with data protection and privacy.
Accordingly, risks associated with data protection and privacy will cease to be managed from a national regulatory standpoint alone. Australian companies now need to consider the protection of customer data from a global perspective. The Office of the Australian Information Commissioner (OAIC) recommends that organisations here start evaluating their information handling processes and governance, seeking professional advice if they need it, to bring about the required changes in advance of the introduction of the EU GDPR.
Preparation for GDPR compliance
The GDPR will impose a range of new rules that have not been introduced under the local Australian legislation. Being compliant by May 2018 requires significant preparation and an investment in skilled resources, particularly for non-EU entities. Some companies may find that they have difficult choices to make about their priorities moving forward, and some may feel that the risk of trading with the EU while unsure whether they are compliant is greater than the potential reward.
For any company that is unsure, it is advisable to conduct a Security and Privacy Risk Readiness Assessment, either in-house if it has the skills or by bringing in a professional security testing specialist. The process of identifying and mitigating potential risks will ensure that Australian companies can define a roadmap for GDPR compliance and have enough time to test, refine and implement a breach-response plan that meets GDPR's strict 72-hour notification requirement.
The risk assessment should include:
- Identify critical data collection sources
- Review appropriate safeguards to protect personal data privacy in collection, processing, and storage
- Review limits and conditions on collection and usage of personal data
- Review authorisation rules for personal data usage and disclosures
Since non-compliance represents a significant financial and reputational risk, I would strongly suggest that achieving compliance with EU GDPR provides a significant opportunity for Australian organisations to be admired for their high level of digital trust of the personal information they hold on EU citizens.