Bridging the data trust gap
Technology has enabled businesses to respond quickly to the global pandemic. At the same time, new data privacy concerns have emerged as organisations increasingly rely on user data and employees access sensitive information from home.
In Australia, it’s estimated that cyber-related attacks could cost the economy about $29 billion per year, or 1.9% of the nation’s GDP. These figures highlight the urgency for organisations to strengthen their data privacy policies so that they do not fall prey to these cyber risks.
Three years have passed since the introduction of the General Data Protection Regulation (GDPR), the European data protection legal framework. Now is the time to rethink how we look at data privacy and protection, especially in the age of remote working and the post-pandemic era, and to ask whether the world’s toughest privacy law is still applicable.
An alternative approach
At a time when data security and sovereignty play a crucial role in organisations' ability to innovate and remain competitive in the global market, a new approach is necessary to build the next generation of cloud computing and ensure safe and secure data infrastructure.
Organisations are already prioritising cybersecurity, with spending in Australia set to reach $5.1 billion this year, according to Gartner. Security services, including consulting, hardware support, implementation and outsourced services, are the largest category at $3.2 billion. The smallest but fastest-growing market segment is cloud security, expected to increase 38% from last year to $20 million. The strong growth rate reflects continuing demand for remote work, cloud solutions and security.
Compared to the American–Chinese duopoly, Europe’s approach to digital governance in data privacy sets a precedent for regulatory regimes globally. Current US regulation appears structurally irreconcilable with European GDPR principles, while Chinese extraterritorial rules are also not GDPR compliant. Since 2016, the new data regulations in the US and the EU have significantly impacted cloud computing. With the EU–US Privacy Shield framework dissolving after the 2020 ruling, data stored in European data centres operated by US providers is at risk of being subject to US extraterritorial laws, making any potential data transfer non-GDPR compliant.
Following the ‘Schrems II’ judgement of the European Court of Justice, transferring European personal data to countries outside the EU that, like the US, do not ensure a level of protection equivalent to European privacy standards is much more complicated than before, because technical and organisational measures must be reinforced to restrict access to personal information. The same applies to any non-European country which, like the US, does not comply with European privacy standards.
In addition, Europe is taking the next step towards establishing a sovereign digital ecosystem for its cloud providers and users through the GAIA-X project. This initiative is designed to comply with the GDPR principles and European data laws by providing organisations with a standard set of guidelines and requirements for data storage and data transfer for cloud services.
Bridging the trust gap
While GDPR has marked a global shift in data protection and privacy across various industries over the last couple of years, what businesses in the region may not know is that they may still need to comply with GDPR despite not being physically based in Europe. It is important to remember that GDPR targets not only European-based companies but also companies that provide services to European customers or that obtain and transfer sensitive personal information of EU citizens outside of Europe.
In Australia, there is a significant trust gap in the market, with bold unilateral decisions by tech giants shifting the goalposts for tracking and retargeting across the web. These changes have kept privacy and trust centre stage locally. The Office of the Australian Information Commissioner (OAIC) found that consumers are uncomfortable with how Australian businesses use their data, with seven in 10 respondents nominating privacy as a significant concern for them.
The same research revealed that 84% of consumers believe they should have the right to ask a business to delete their personal information, and 77% believe they should have the right to object to certain data practices while still being able to access and use the service.
With the whole region progressively moving towards compliance with the GDPR and data privacy requirements, Australian businesses need to ensure that they stay ahead of their competitors regarding their data protection standards, especially if their competitors are operating in Europe. Additionally, it will be critical for organisations to find the balance between protecting personal data and enabling the innovative use of such data.
A new standard
In Australia, data collection and privacy laws are looming larger than ever in the public consciousness. As a priority, the local government needs to define its own course in safeguarding personal information against potential overreach by governments and corporations.
Three years after GDPR came into effect, there is no doubt that it has become a reference point and the ‘gold standard’ for data protection worldwide. With data protection being a competitive factor that is key to building consumer trust, businesses in Australia need to steer towards a GDPR standard to ensure the highest level of data protection possible.