The European Union’s tough privacy laws may have gathered momentum as they head into their second year, but one compliance specialist warns that the Australian government needs to take the initiative to motivate Australian companies that are still coming to grips with the legislation and don’t realise its potential impact on their businesses.
General data protection regulation (GDPR) policies kicked into effect in late May 2018, imposing tight controls on the movement, storage and protection of EU citizens’ personally identifiable information (PII).
Numerous breaches of the legislation have driven substantial fines for EU firms caught violating it, with the International Association of Privacy Professionals noting that €56m ($A89m) in fines have been handed down in the first year of GDPR – during which more than 206,000 cases were received by authorities and 94,622 individual complaints lodged. Yet even though the fines confirmed that regulators are deadly serious about GDPR, Australian businesses continue to question its relevance to them – just as they did a year ago, when a survey found that just 13 percent of local companies had achieved GDPR compliance.
A year on, says compliance expert Andrew White, ANZ country manager with Signavio, not much has changed.
“The market is still slightly confused about how GDPR applies to them,” he told CSO Australia. “Everyone knows about it, but in some people’s minds it’s something out of Europe – and not in Australia.”
“People are still waiting to be pushed into it, even though we’re a year down the track. The urgency just isn’t there.”
Those companies that have approached Signavio – a global company whose German roots made GDPR a core element of its activities – often had no idea of the extent of their exposure. This posed issues not only by increasing the potential damage from a data breach, but also by threatening required compliance activities that involve ongoing demonstrations of compliance.
“The interesting thing about GDPR is that you basically have to prove that you’ve got it under control,” White explains. “They can request that you show them your processes and controls are GDPR compliant, and you have to demonstrate that you have put the right processes in place to match the framework.”
Signavio has been working with its clients to work through a four-step approach that includes classifying, identifying, mapping and monitoring the data – yet while it’s clear what needs to be done, many companies are still finding it to be quite taxing.
Mass data fragmentation – the spread of data, and copies of data, across numerous locations – had created real problems for organisations that cannot account for their data, Cohesity vice president of products Raj Rajamani warned.
“The leniency period for compliance is over for GDPR,” he said, “and organisations must ensure that they continually evaluate their current readiness by knowing where all of their data resides, processing it in compliance with regulations and laws, controlling access to it and making sure it’s protected against both internal and external threats.”
Time to step up
Given the importance of EU trade relationships to Australia’s economy, the Australian government has a role to play in promoting better GDPR understanding and compliance amongst local organisations, White said, noting that policies set down by governments “can be a tad grey, and that’s not good because most companies will exercise the easy route.”
“The government needs to take the lead” around promoting and ensuring compliance to GDPR-equivalent levels,” White said, noting the effectiveness of measures to improve individual responsibility amongst executives of financial-services organisations.
“A rule is one thing, but enforcing it is another,” White said. “A few companies are getting this, but most just are not. The data security people focus very much on the technology, and not so much on the processes – so getting the staff to understand this is really important.”
Vendors across the security and compliance markets have been working to reinforce the ideas behind GDPR in their own way.
Clarifying the requirements for breach reporting and fines had been one of that outcomes that made GDPR a “great start”, said Katherine Noall, CEO of digital identity management platform Sphere Identity, but she noted that “while these fines to date show protection for those citizens within the EU, the protection of their global data rights is yet to be demonstrated.”
“As a whole, GDPR compliance is more than just about technology,” she continued. “It touches every business process and person. It is no longer sufficient to appoint a Data Protection Officer and be compliant, but instead requires a willingness to make major changes and perform ongoing monitoring and optimisation.”
Simon Harman, co-founder and project lead of Australia-based global Internet privacy initiative Loki, believes the climate that GDPR has spawned is empowering consumers to become more proactive about protecting their private data – and the industry needs to respond in kind.
“If protecting data privacy is something which has been recognised as a priority by consumers,” he said, “it is time for the technology community to consider more innovative solutions that can address a challenge this complex, and to discuss data privacy in a new light.”
“We should move away from the assumption that consumers are incapable of protecting themselves and give them some options to control their own digital lives by harnessing the power of existing and emerging security technologies.
“The past year has built an awareness that the future of emerging technology must be compliant, and innovations to make this a reality are taking place today,” said Jonathan Rouach, CEO and co-founder of Zero-Knowledge Proof privacy firm QEDIT.
Rouach anticipates the coming introduction of “stringent regulations mirroring GDPR” in the Asia-Pacific region and believes GDPR will drive a sort of privacy arms race amongst countries and geographies. “We expect the European Commission to allocate more resources to keep European leadership in this space.”