With less than a year to go until the General Data Protection Regulation (GDPR) comes into effect, now is the time for small Australian businesses to prepare for compliance or face potentially crippling fines. You might not think it applies to you, however, if your business serves customers or individuals in the European Union, preparing for this new regulation should be a top priority.
The GDPR will come into effect on 25 May 2018 and is being introduced in response to concerns about data privacy. It requires responsibility and accountability for every business that processes the personal data of individuals in the European Union (EU).
In today’s global economy, these regulations will impact a large proportion of small and medium-sized businesses. There is some awareness locally, but there’s still a long way to go until Australian companies can confidently say they are ready. In fact, according to a recent study by the Ponemon Institute and Citrix, three quarters (73%) of ANZ businesses consider the GDPR a risk to their IT security infrastructure. However, over 55% haven’t started preparing and don’t have budget allocated for the GDPR*.
The GDPR will introduce new privacy and security regulations on how businesses collect, store and use the personal information of their customers and employees who are located in the EU. These measures aim to minimise the risk of breaches and uphold the protection of personal data, in particular across automated gathering and filing systems.
For instance, a Sydney-based retailer that sells clothes to EU customers via its website or accepts payment in Euro currency will need to adapt its data handling and data breach notification processes. Similarly, a Perth-based financial services firm with an office in the EU will also be impacted. Along this vein, a Melbourne-based design agency that employs a freelance designer based in the EU for ‘round the clock’ design projects, would also find themselves exposed.
While the expense and time associated with preparing to become GDPR ready can pose a challenge for many SMEs, the alternative will see a business faced with stiff penalties. In fact, a lack of compliance will result in fines of up to €20 million (AU$30 million), or 4 per cent of global annual revenue, whichever is greater.
Given the huge ramifications of non-compliance for SMEs, forward-thinking companies need to start becoming GPDR ready now.
How does the GDPR affect Australian SMEs and what can businesses do to prepare? Here are my three top tips to help organisations prepare so they’re not caught out:
1. Understand the GDPR regulation and what it requires:
- Increased accountability for SMEs – Businesses must implement appropriate technical and organisational measures that ensure and demonstrate that they comply. To manage this compliance, businesses with more than 250 employees are required by regulation to hire an enterprise security manager (Data Processing Officer). For smaller enterprises, we still recommend they seek external expert counsel.
- Additional rights given to individuals – Customers and employees now have the right to be informed about the use of their personal data, and the right to have access, edit, erase or transfer it. Personal data is defined quite broadly to include not only information provided by the individual, but also observed data such as online identifiers, browsing history or social media posts; data derived through straightforward processing such as previous transactional history; and data inferred through more complex processing. Given this, SMEs need to be extremely careful about the recording and handling of any data they collect in the event an individual requests access to their data (also known as a Subject Access Request).
- Faster incident notifications required – The 72-hour breach notification obligation now applies to any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data must be disclosed within the mandated time period. Businesses must have records and audits, and the technology systems in place to protect customers’ personal data and quickly respond to data breaches.
- Heavy penalties will apply for non-compliance – A lack of compliance will result in fines of up to €20 million (AU$30 million), or 4 per cent of global annual revenue. Businesses should constantly evaluate and update their systems and processes to ensure they are always compliant to local and global regulations. With the boom in IoT and big data, and the focus moving away from a business owning someone’s data to the individual holding that power, risks are expanding.
2. Start now, define and implement a centralised IT framework: To address the challenges of international regulations without impeding productivity we recommend a centralised approach. This will give you the ability to better secure your data, know where it is at all times, give greater holistic view of your data, network and manage access to this critical information. Centralising can also make audit reporting simpler and faster.
- Whenever possible, centralise apps and data in the data centre or cloud so sensitive enterprise data is not stored on devices
- When sensitive data must be distributed, mobilised or used offline, ensure it is protected in a secure place
- Control access to resources with context-aware policies based on user, device, location, application and data sensitivity
- Provide visibility and management capabilities that unite your IT infrastructure to deliver application and data-specific security
3. See this as an opportunity to enhance customer trust: At its core, the GDPR is about trust. It is about companies handling the personal data of their customers, partners and employees with care and respect. GDPR is an opportunity to reinforce relationships with these stakeholders by securing all data, and working with the community to support, implement and manage positive GDPR compliance programs.
The introduction of the GDPR is shaping up to be the most disruptive data compliance regulations in history, so it is important Australian SMEs have a strong strategy in place to avoid putting the business at risk, or ruin.
Interestingly Australian SMEs that don’t fall under the GDPR scope at the moment, could find themselves at a competitive disadvantage if they choose not to implement compliant measures as a precaution. For instance, suppliers may rate a non-compliant SME as high risk and choose not to partner with them in an effort to fulfil their data protection responsibilities and customer expectations.
About the author
Les Williamson, Area Vice President, Sales & Services, Citrix ANZ, which has produced a white paper, titled Achieve GDPR Readiness with Secure App and Data Delivery. You can drop him a line at firstname.lastname@example.org