29 May 2018
Data Protection: The New GDPR Law Affecting Australian Businesses
Hot on the heels of Australia’s own data protection laws, the European Union has implemented its own, very stringent legislation on May 25th. Think the European Union General Data Protection Regulation (GDPR) doesn’t affect businesses on the opposite side of the world? Think again. The GDPR has the power to reach around the world and back again. Any Australian business or IT leader needs to be aware of the responsibilities and substantial risks involved.
Who is affected?
You don’t have to be located in the EU to be impacted by the GDPR. From small businesses to major corporations, compliance may be a requirement if you have any branch office, warehouse or other establishment within the EU. Those businesses offering goods and services in the EU, or conducting research involving EU citizens, should also be aware of their obligations and the potential penalties involved.
If you are a customer of any EU business, or buy from the global names, you’ll probably have had an inbox full of announcements about updated user agreements. That is because the eBays and Amazons of the world are avoiding getting tangled in EU requirements. Their fine print can be impossibly lengthy, but if you have the patience for scrutiny, you’ll get an insight into how they are handling GDPR. The legalese, though, is best left to the experts.
What are the GDPR requirements?
Standing out from Australian regulations, the GDPR includes individuals’ right to be forgotten – in other words, if an individual asks that their data is not retained, the business must have a process to erase such data.
At first thought, forgetting data might seem easy. Just delete the file and you’re good, right? Well, not really. What about the backups, and the credit card transactions? In order to forget data, it is worth rethinking how it is gathered in the first place. If you’re handling a Visa payment, do you really need to store the card details at all?
If you may be affected by the GDPR, now might be a good time to audit the way you gather, store and delete data about individuals. Legislation aside, it is good practice to review such matters – between Australian and European laws, the penalties can be massive, and the loss of reputation even more costly.
The first priority for those seeking to safeguard data is to know what you capture, how, why, when and where. Any IT professional will know that is harder than it sounds, given the complexity of today’s hybrid environments, and the variety of endpoints involved.
Back to the data audit. We find when we work with customers to assess their current situation, most are surprised by the result. When the finance manager has taken a customer database to work from home, or a marketing assistant uses an oh-so-handy cloud-based app to do user surveys, your data protection can be compromised.
Reviewing overall security measures is, of course, imperative to any organisation. Cyber-crime is ever-more sophisticated, so scheduling a regular, independent security health-check is essential. Good IT partners will likely offer a formal process – and this should be designed to check many GDPR boxes. Demonstrating that significant effort is put into protecting information is an important step.
Go above and beyond
While Australian legislation and the GDPR are acting as a prompt, there are many good reasons to take data protection seriously, and go beyond doing the minimum. In a world of ransomware, hacking and phishing, showing individuals that you can be trusted has a value hard to measure.