Is Your Business Ready For GDPR?
Posted on May 04, 2018
A data breach, whether small or significant, can do massive damage to any business: not just loss of credibility, clients and revenue, but harm to your customers' businesses as well. Regulators across the world are responding with measures and rules to ensure that data is handled appropriately and not misused.
The upcoming General Data Protection Regulation (GDPR), which applies from May 25 this year, is a case in point. The regulation, enforced across the European Union (EU), imposes stringent obligations on enterprises over the way personal data of individuals in the EU is handled. GDPR includes a number of requirements about governance, profiling and even data portability.
What exactly is GDPR?
The GDPR replaces the 1995 Data Protection Directive and is widely regarded as the most significant change ever made to European data protection law. It is designed to safeguard the personal data of individuals in the EU at a time when more and more organizations hold Personally Identifiable Information (PII) for analytics and customer development. Note that GDPR's definition of "personal data" is broader than PII as the term is usually used: any information that relates to an identified or identifiable person is in scope. It lays out strict rules on how such data is collected, processed and used.
Interestingly, it also includes the controversial 'right to be forgotten' (the right to erasure) in the digital world. Further, it gives individuals the right to object to profiling, and the right not to be subject to decisions based solely on automated processing, with only limited exceptions such as where the processing is required by law.
It can be safely said that GDPR is unlike any earlier data protection regulation, and its impact is far reaching. Any business, whether or not it is established in the EU, that in any way handles the personal data of individuals in the EU needs to be compliant with GDPR.
Non-compliance can be expensive
Australia has healthy trade relations with the EU, with two-way trade in goods and services worth around $95 billion. Many Australian businesses will therefore need to transform their business processes to be compliant with GDPR.
So if you are conducting business in the EU, or in any way handle data of individuals located in the EU, then your processes need to be compliant with GDPR. Significantly, GDPR takes data protection a step further and protects all individuals in the EU regardless of citizenship, which means that if your customers use your service while in EU territory, GDPR will apply.
Another aspect of GDPR is the high penalty for non-compliance. There are two tiers of fines, depending on the nature of the infringement: up to €10 million (approximately AUD$15.7 million) or 2% of worldwide annual turnover for the preceding financial year, whichever is higher, and for the most serious infringements up to €20 million (AUD$30.6 million) or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
How can you prepare for GDPR?
What makes it tough for enterprises to be compliant with GDPR is the way data is traditionally handled in an organization. Information is typically processed across many systems, including billing, digital portals, customer relationship management and more. Often personal data is also shared with third parties for various reasons, such as a marketing campaign or the outsourcing of a business process. All this means that businesses will need to transform their operations to meet GDPR requirements. The regulation will drive changes in all aspects of the business, from people to processes to technology.
First and foremost you need to find out what types of personal data your firm has access to, and how each is sourced, processed and retained. Your firm will also need to be able to demonstrate that its processes are compliant with GDPR, which makes this a good time to audit, assess, improve and then document data management practices across the whole business. This stretches right across the business, from the individual user level through to the backups the organisation holds, whether they are local or cloud-based.
You will also need strong processes to ensure that a data breach is discovered, investigated and reported as early as possible. Under GDPR, a company must report a breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The firm remains responsible for breaches that occur at a third party processing data on its behalf, so you will need to ensure that not just you but also the companies you outsource to are GDPR compliant, and that their contracts oblige them to notify you of a breach without undue delay.
At the same time, GDPR is also an opportunity for Australian businesses to bring their data protection policies in line with global standards, which in turn will help them win clients from other regions.
Call to action: May 2018 is round the corner. Get in touch with us today to ensure your business processes are GDPR-compliant.