Defending data in the GDPR era

Whether you’re well aware of the EU’s General Data Protection Regulation (GDPR) or only know it as an odd acronym that’s a big deal in Europe, it’s very important to businesses in Australia. In May this year the GDPR came into effect with implications for Europe, Australia and beyond.

The GDPR affects any business that offers goods or services to EU citizens or handles their personal data. Given the globalised nature of commerce, many businesses across Australia fall into that category.

Penalties as hefty as those included under the GDPR can’t be dismissed by any business, in any country. Enterprises may be fined up to €20 million or 4% of their annual global revenues for violating the new rules, which seek to create a standardised data privacy regime for EU citizens.

Why it should be a C-suite issue

The onus is on enterprises to interpret what the GDPR means for them. The principles set out in GDPR are prescribed at a fairly high level. Each organisation must do its own risk assessment and analysis.

A company that doesn’t process a lot of personal data may decide a ‘silver’ level upgrade of current policies will cover them on the off-chance they’re targeted by regulators.

Another firm in the same space may go for a ‘gold’ upgrade because the reputational and financial risks are just too great.

All areas of the business must be taken into account, yet a company’s supply chain is particularly key and must be considered in the risk assessment. GDPR demands that companies must have a handle on data protection measures throughout their digital supply chains — something that’s costly and difficult for smaller businesses to consider.

This is the case whether the company in question relies on cloud-based applications as part of its IT infrastructure or more traditional vendor relationships, such as outsourcing payroll or customer care and service capabilities.

A holistic approach needs to be driven from the top down, across the entire company.

Encryption, access and response

GDPR extends far more transparency and accountability around data security parameters than previous regulations and raises the stakes for non-compliance. Ensuring your IT infrastructure meets requirements, addressing customer requests for data privacy assurances and having an efficient reporting system in place are key to upholding the best practice standards that GDPR demands.

Yet enterprises must identify the solutions that suit their business and understand the implications of implementing or foregoing various data protection measures.

A good place to start is a (personal) data mapping exercise and an encryption audit to identify what personal data you’ve got encrypted and where it is. Similarly, a review of access controls — who has access to what, where, when and with what controls — will be a key benchmark to establish.

If the worst-case scenario does occur and personal data is breached, an effective and efficient incident response process will help to keep damage to a minimum. Responding to breaches is one of the more prescriptive GDPR requirements where a 72-hour timeframe to make certain notifications is mandated.

Expertise can help keep your compliance strategy stay on track. Data centres can help you implement data encryption, access controls and incident response processes in ways that ensure compliance without burdening your business. Partnerships with those that can offer advice regarding how to engage with cloud service providers and other members of your network to fulfil GDPR requirements will safeguard against possible slips.

In addition, physical security is an integral part of data security. Establishing the security of servers containing customer data will be a major factor in ensuring data is protected to the high standards required by the GDPR.

Keeping data in proximity

While GDPR itself does not mandate that personal data stay close to its users or forbid the transfer of personal data, it’s easier to assure customers their data is safe when it’s close by. Partnering with a data centre that has a global footprint, providing touchpoints in more places, is important for businesses to get closer to more users across more locations and reduce their GDPR compliance burdens.

It’s become increasingly difficult to track an individual’s personal data in the era of cloud computing and the Internet of Things, when data is constantly flowing from one global location to another in an instant. For the same reason, doing so is now more important than ever.

The GDPR can be looked at as a cloud with a silver lining. While the regulations mean there is work to be done on data protection, getting it right can help foster better relationships if customers understand your priority is meeting the highest possible safety standards when handling their data.

Image credit: ©iStockphoto.com/violetkaipa

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.