
Australian organisations unprepared for GDPR

Faced with the double whammy of complying with Australia’s upcoming data breach notification requirement and Europe’s new data protection regime, Australian firms are behind where they need to be in their compliance efforts


Apart from some notable exceptions, there are fears that Australian organisations are still largely unprepared for the arrival of Europe’s General Data Protection Regulation (GDPR).

The new law – which applies from May 2018 – affects companies that do business with Europe and hold personal data about European Union (EU) residents, including for purposes such as profiling and big data analysis. Failure to comply risks fines of up to €20 million or 4% of global annual turnover, whichever is higher.

The GDPR also applies to companies that trade with the UK, which remains a part of the EU for now. However, the UK is currently drawing up similar legislation that is expected to come into force post-Brexit.

A particular challenge of the GDPR is that organisations have just 72 hours from becoming aware of a personal data breach to notify the relevant supervisory authority, wherever the breach occurs – including in Australia.

Affected companies will also need to comply with a raft of other GDPR obligations, such as appropriate privacy and data use policies, specified data retention periods, and a policy for handling the “right to be forgotten” (the right to erasure) enshrined in the legislation.

Fergus Brooks, national practice leader for cyber risk at Aon Australia, says local organisations have mainly been focused on the impact of Australia’s own mandatory data breach notification regime that will come into effect in February 2018, and less on the GDPR and its data protection component.

“Australian businesses are as a rule ... well behind where we need to be,” he says, adding that many organisations are not aware that they are still covered by the regulation if they sell products to Europeans, even if they do not have an office in Europe.

Double whammy

Lisa Vanderwal, special counsel in the Sydney office of international law firm Bird & Bird, says many Australian organisations are facing the double whammy of preparing for both GDPR and local data breach notification rules.

Despite having two years to prepare, she says Australian businesses are only just getting an idea of what is involved.

For example, she says Australian organisations that sell goods and services to Europeans in euros or pounds and have French or German language websites are likely to be covered by the GDPR. Those that use the personal information of Europeans in profiling and big data analysis will also need to prepare for the new regime.

Vanderwal warns that organisations will need to report nearly every data breach to stay on the right side of the GDPR, as the narrow 72-hour reporting window leaves little time for full analysis of the nature of a breach.

In addition, there are some “grey areas” where it can be difficult to determine whether the GDPR applies or not, according to Vanderwal, who recommends that organisations seek legal advice about their exposure, and take steps to ensure their privacy policy and data retention strategies are in order.

Aon’s Brooks says companies, at the very least, need to run data classification exercises to understand what data they hold, where it is held, and how it is being secured. “If you have personal records of customers, then they need to be properly protected.”

Some Australian organisations have started to get their GDPR house in order. Australian wine producer and exporter, Treasury Wine Estates (TWE), says it continually reviews its systems and processes to protect the personal information of customers, and to comply with regulations in countries where it operates, including the EU, one of the smaller global markets for the company.

Getting ready for GDPR

Partnering with data management software suppliers seems to be one way that local companies are navigating the challenge.

Steven Cvetkovic, chief information security officer for information technology at Swinburne University of Technology, for example, has been working with Michael Bishop, Commvault’s legal director for Asia-Pacific, to ensure the university’s data management and compliance systems are GDPR-ready.

Swinburne has EU students, holds EU data for research purposes, and also has a strong international reputation to protect, says Cvetkovic. His approach has been to align the university with the requirements of the more stringent GDPR rules, which he says will be adequate to meet obligations under Australia’s data breach notification rules.

Cvetkovic says the impetus for Swinburne’s GDPR compliance efforts over the last two years is not the threat of hefty fines. Rather, it is the university’s awareness that it will not be able to advertise itself globally if it runs afoul of the law, as well as the reputational damage that will mar Swinburne’s image as a good digital citizen in the event of a data breach.

“I like to think that this is in alignment with Swinburne’s 2025 strategy as an innovative organisation. We need to think more maturely and outside the square,” he adds.

Kate Carruthers, chief data officer of the University of New South Wales and a regular speaker at events about data protection and use, says the level of awareness of the GDPR in Australia is not high, though it is higher than in the US.


She advises organisations to address the basic hygiene of having proper security and privacy policies and management in place, and develop a tried and tested data breach plan.

“I’m saying that you need to follow good practice,” she says, adding that companies which are properly prepared for Australia’s mandatory breach notification are at least in part ready for the GDPR.

Aon’s Brooks acknowledges that the enforcement of the GDPR has yet to be tested, but notes that businesses that shirk their responsibilities risk European regulators saying: “Don’t do business with us in the future, and you still owe us the fine”.

Lawyer Lisa Vanderwal adds that if European authorities enter a judgment against an Australian organisation, the ensuing reputational damage can limit the organisation’s ability to operate in Europe.
