GDPR is an opportunity not a threat
With the EU’s General Data Protection Regulation (GDPR) coming into effect on Friday, Australian organisations should be working overtime to ensure compliance.
The GDPR will introduce new rights for consumers to access and manage personal data being stored on them by organisations, request deletion of personal data in some circumstances and require organisations to report on data breaches with the potential to adversely impact user privacy within 72 hours.
The regulation applies to users rather than jurisdictions, so any company doing business within the EU and collecting data on EU customers will need to comply. This will include many Australian companies.
Gemalto’s latest Breach Level Index found that there was an 88% increase in data breaches worldwide during 2017 with a record 2 billion compromised records. In Australia, more than 50.3 million records have been breached since 2013.
This indicates that Australian companies could fall afoul of the new regulations and could face penalties. Organisations found to be intentionally or negligently violating the GDPR could be liable for fines of up to €20 million ($31.2 million) or 4% of their annual turnover, whichever is higher.
Jeff Paine, CEO and founder of behavioural analytics company ResponSight, said the impact on Australian organisations could be significant considering that companies have become too comfortable collecting too much data for too long.
“Now they risk a spotlight shining into the shadowy corners of their data collection and management practices. The reason many enterprises have collected data historically is simply because it could be collected, not because it was necessarily needed. This has resulted in a scenario in which many organisations don’t know what data they have, where it is stored or how to manage or delete data,” he said.
“The introduction of Australia’s Notifiable Data Breaches (NDB) scheme places further pressure on enterprises to rapidly mature their data acquisition and management practices.”
Despite the potential consequences of non-compliance, Gartner estimates that over 50% of organisations affected by the GDPR will still not be in full compliance with its requirements by the end of 2018.
But Mimecast’s Principal Technical Consultant on the GDPR, Garrett O’Hara, urged Australian organisations not to panic, noting that while most won’t be fully compliant by the deadline, there will be time to ease into compliance.
“Organisations should worry less about fines, as these aren’t expected to be seen until at least the end of the year, and instead focus on developing solid incident response processes,” O’Hara said.
He said working towards full compliance with the regulation should be completed in stages.
“The biggest challenge for organisations in the first year of the GDPR’s operations will be data subjects testing organisations’ processes around Subject Access Requests. Long term, organisations need to have a data governance strategy,” he said.
ResponSight’s Paine added that organisations need to establish clear policies and boundaries around the collection and storage of personal data.
“My message to all businesses is to not collect data you don’t need in the first place. Further, establish strong data deletion policies so you don’t keep unneeded data after the fact, and don’t use data without consent from the data subject,” he said.
“If your business operates globally, rather than doing one thing for each region and legislation, look at the GDPR as the benchmark and invest in solid privacy practices. Even in the absence of regulation, the notion of data control and distribution is a growing concern for consumers, and organisations need to be on top of it.”
Sophos Principal Research Scientist Chester Wisniewski noted that collecting less information from customers is simply good practice even if a company is not required to comply with the regulation.
“Your business saves money by having less data to protect and your customers gain the privacy that many desire in the process,” he said.
He noted that it is important for both organisations and individuals to put privacy principles into practice, but the challenge will be to develop clear guidelines and processes that emphasise privacy.
Forcepoint Regional VP for APAC George Chang said considering the stakes, investing in compliance is now essential for a sustainable business model.
“Pragmatic compliance does not need to be an expensive exercise,” he said. “Expenses are relatively low if implemented with a commonsense approach. Understanding the parameters of the applicable legislation is key to getting it right.”
Despite the anticipated impact on businesses, experts also expect the introduction of the regulation to be beneficial in the long term.
Forcepoint’s Chang said regulations like the GDPR and Australia’s own NDB scheme will create trust and foster good practices that will benefit both individuals and businesses.
“These laws collectively present a positive business opportunity, when approached in the right way. Compliance can drive operational efficiencies, cost savings and even fuel innovation,” he said.
“With strong data protection strategies in place, customers will place greater confidence in businesses, and businesses will minimise the all too common reputational and financial fallout of a breach.”
Trend Micro Country Director Ashley Watkins added that the regulations will serve to increase transparency between organisations and their customers or users.
“The EU and Australia are taking strides towards enabling better documentation of data breaches, providing knowledge that can benefit organisations and authorities worldwide in the constant battle against cyber threats.”
Talend ANZ Country Manager Steve Singer likewise said that the introduction of the GDPR will be an opportunity for industries such as the financial sector to re-establish trust with customers.
“Understanding where data is and that it is managed correctly is not only fundamental to complying with GDPR, but also to providing the highly personalised and predictive services which the modern customer expects. Therefore, GDPR should be viewed as an opportunity, rather than threat.”
IT professionals worldwide are adapting to the new era of remote work triggered by COVID-19 by...
Nearly all executives believe that software providers need to improve the security of their...
Organisations reported 446 data breaches to the Office of the Australian Information Commissioner...