Brace yourselves: winter is coming. And the European Union’s General Data Protection Regulation (GDPR) is here.
You’d think that those two capital letters (E and U) would be enough to deter concerns in an entirely separate hemisphere, yet the many conversations I am having with Experian customers indicate the fear of the unknown that the EU GDPR brings. They highlight the importance of local businesses arming themselves for an onslaught of changes that – despite their geographically-removed origins – have myriad impacts for data protection, storage and processing down under.
What rolls out up North this month is sure to change the way we do things locally, and we need to ensure that we are able to adapt. What’s at stake? Who’s involved? And are we ready?
Businesses with global data presence to be most affected
Any Australian business that boasts an establishment in the EU, offers products/services to people in the EU, or monitors people in the EU may fall under the GDPR umbrella.
Given the system comes into effect following our own mandatory Notifiable Data Breach (NDB) Regime, many local enterprises are at least well-positioned to adapt, with a recently heightened awareness of data privacy. In fact, here at Experian, an increased number of recent inquiries on data protection shows that local businesses are much more aware of their obligations to notify affected individuals and the Australian Information Commissioner in the event of an eligible data breach – and are doing everything they can to prevent data breaches occurring in the first place.
There’s a new data dimension: the right to be “forgotten”
There are a few key differences between the EU GDPR and Australia’s existing Privacy Act 1988 (Privacy Act), including the 72-hour timeframe to make a data breach notification, the individual’s right to object to automated decision-making and the right to object to their data being processed for a particular purpose under the GDPR regulations. But one of the most significant differences is the individual’s “right to be forgotten”. While consumers in Australia have the right to access and view their personal information, and it must be deleted or de-identified when no longer needed, consumers don’t possess the right to request that it be erased. Should an EU customer want their personal information removed, in certain circumstances the GDPR requires that data controllers delete that information. So, businesses will need to have tools engaged to enable them to extract and remove this information within the one-month timeframe.
This involves the design of appropriate data storage measures for applicable Australian businesses, with a renewed focus on data integrity, data retention plans and data pooling – fields that we often see neglected or outdated.
Data retention plans that address where data is housed, whether the data is up to date and accurate, and how long it is archived for all need to be revisited, and are now essential considerations across the board.
How can we truly prepare?
Australian businesses should be taking steps to properly prepare for GDPR and protect themselves from hefty penalties of up to €20 million or 4% of annual global turnover, and, similar to the Australian Privacy Act, personal fines are also set to apply where only reactive systems have been put in place.
So what steps can be taken to understand the high cost of compliance, mitigate the risk of fines, and avoid scaring SMBs away from selling and/or marketing in the EU?
- First, find out if you need to comply. If you don’t, do you at least have a clear view of what might trigger an obligation? Looking ahead and keeping on top of potential changes is key. To be clear on the new requirements and how to comply with the Australian and EU privacy laws, read the Australian Government’s Privacy business resource 21. Taking the necessary proactive steps is essential to ensure your organisation is not at risk of a data breach.
- If you do need to comply, understanding what parts of the business and what data segments are most at risk is imperative. Then, understanding ongoing obligations and putting processes in place can begin.
- Updating your data protection response plan and privacy policies then needs to be undertaken, and you may need to appoint an authorised representative and a data protection officer. Visit ISACA to receive a free online GDPR assessment that rates enterprise compliance.
Are we ready?
General consensus at the moment is that while major businesses with strong EU ties are aware of the GDPR’s potential impact, consumers and smaller Australian businesses are most likely not.
The number of companies we’ve seen who still don’t have a data plan and don’t have a chief data officer (CDO) overseeing the regulatory changes ahead is staggering, with only 21 per cent of Australian businesses currently planning on taking the CDO-led path. Businesses have spent too long being reactive when it comes to protection of individuals’ information.
GDPR is new and its impacts in Australia remain uncertain. However, consumer and company education is key to ensure compliance with both the GDPR and Australia’s own Privacy Act.