Have you heard of the European Union General Data Protection Regulation (GDPR) and its effect from 25 May 2018 onward?
There have been many headlines about the EU GDPR and how it will affect organisations in the EU. What many organisations may not realise is that the regulation also has a global reach: it applies to organisations outside the EU, including Australian health insurers, other insurers and potentially government agencies, that offer goods or services to individuals in the EU or monitor their behaviour (for example by tracking visitors to a website), even if they have no establishment in the EU. Note that the test is where the individuals are located, not whether they hold EU citizenship.
The financial penalties for the most serious infringements can be up to €20 million or up to 4% of annual global turnover, whichever is higher.
What is EU GDPR?
The EU GDPR replaces the Data Protection Directive 95/46/EC. It is designed to reshape how organisations manage personal data and to strengthen the protection of, and the rights of individuals in the EU over, their data.
The EU GDPR and the Australian Privacy Act 1988 share several common requirements, including the adoption of transparent information handling practices and the ability to demonstrate compliance with privacy principles and obligations.
There are also notable differences. The GDPR states explicitly which identifiers can make information ‘personal data’: a name, an identification number, location data, an online identifier such as an IP address, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Research by Gartner Inc. predicts that more than 50% of companies affected by the GDPR will not be compliant by the end of 2018.
Many organisations want clearer guidance on exactly what they need to have in place by May 2018. Here are a few key steps and questions to help determine whether you may be impacted by the GDPR:
- A detailed review of the type of data you collect and store, and where it flows (e.g. cross-border data flows), keeping in mind that almost every Australian business with a website could potentially be covered by the GDPR. You need to know what personal data you collect, where and how you store it, and who it is shared with, in order to determine whether you are affected.
- An understanding of your risk landscape and risk appetite, and how the GDPR requirements fit into them.
- What you are doing about data security and what your data breach response plan consists of. Have you prepared a response plan? Have you tested it? Is it in line with the GDPR, which requires a personal data breach to be reported to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals?
- Have you thought about how you would completely delete the personal data you may collect on individuals in the EU, including any copies held in backups or by third-party processors, if asked to exercise their right to erasure?
Have you put Cyber Risk Management at the top of your 2018 to-do list?
If you haven’t, and aren’t already asking yourself these questions, then this is a good starting point, because the GDPR could potentially impact your organisation and it’s only around the corner.
Written By Tulin Sevgin, Cyber Risk Lead, InConsult