By Ken Weldin
18 April 2018
The General Data Protection Regulation (GDPR) will apply from 25 May 2018. Failure to comply with any of the GDPR requirements may result in significant financial loss, disruption or reputational damage to an organisation.
What’s the big deal?
If you think data protection and data breaches only affect smaller organisations because their infrastructure is not sophisticated enough to withstand hackers, think again! For example, Facebook's privacy practices have come under fire after Cambridge Analytica, a political consulting firm affiliated with President Donald Trump's 2016 election campaign, obtained users' personal data improperly. Closer to home, Svitzer Australia suffered a data breach that fell under the Notifiable Data Breaches scheme, which commenced on 22 February 2018.
These are only a couple of the examples that were in the media as recently as March 2018. Organisations, big or small, need to start preparing a Data Breach Response Plan that clearly sets out the procedure to be followed in the event that a data breach has occurred, or is suspected to have occurred.
So, what is it?
The GDPR is a law introduced by the European Union (EU). The purpose of this new law is to prevent misuse of an individual’s personal information, and to better protect a person’s rights and freedoms regarding how their information is used by an organisation. Failure to comply can result in penalties of up to 4% of the organisation’s annual worldwide turnover or €20 million (over $30 million AUD), whichever is higher, which is enough to put most growing companies out of business!
Who does this affect?
The GDPR affects businesses regardless of size. As long as your organisation collects or stores personal information about individuals in the EU, you will be bound by the rules.
Does it affect companies in Australia?
Yes! The GDPR applies to any organisation that processes the personal data of individuals in the EU, whether or not that organisation is established in an EU country. Therefore, organisations in Australia that offer goods or services to individuals in the EU, or monitor their behaviour, will be affected by the GDPR. These organisations may include businesses exporting goods to the EU, providing financial services, having direct clients in the EU, or operating as subsidiaries of EU parent companies.
Are you ready?
One of the first tasks in preparing for the GDPR is to identify all of the personal data your organisation holds. Do you know every location where that data resides? It might be embedded in supplier records, websites, Excel files, emails and HR records. But are there more? Missing a single location can prove costly!
Identifying all the relevant data is only part of the solution. Organisations must have a risk-based methodology in place to manage privacy risk and should implement effective policies and strategies for data privacy. They also need to identify the channels through which they collect and share that data. Additionally, does your organisation have a dedicated data protection officer who is responsible for overseeing its data protection strategy? This individual can be vital to the process and can help ensure that your business is GDPR ready.
What can you do?
Preparing for the GDPR is likely to be a major challenge for businesses. It is similar in scope to Australia's new mandatory Notifiable Data Breaches scheme, which applies to Australian Government agencies and to the organisations that already have obligations to secure personal information under the Privacy Act 1988.
PKF can help you get closer to meeting your GDPR requirements and assist you on this journey. We can assess how well your data security and usage controls compare with the GDPR requirements and identify areas for improvement. Our experts can provide guidance on gap analysis, updating policies and procedures, and staff training.
For further information please contact Ken Weldin on +61 3 9679 2310 or Milind Sheth +61 3 9679 2331.