The European Union has declared that all business establishments with access to the personal information of European residents must abide by the framework laid down under the GDPR (General Data Protection Regulation). In the words of Brendon Lynch, Microsoft's chief privacy officer, "GDPR is the most significant change to European Union (EU) privacy law in two decades". There is no doubt that the GDPR will have a major impact on companies operating in the European states. The seriousness of this newly formulated regulation is evident from the fact that business establishments can be fined 20 million Euros or 4% of their annual global turnover if they fail to abide by the rules set out in the GDPR.
Will GDPR have its Impact on Australian Companies Operating in the EU?
As a matter of fact, yes: the GDPR will affect Australian companies that access, store or process data relating to anybody on European soil. It has also been clarified that once the GDPR is brought into full effect it will cover not only citizens of the European states but also outsiders who are in Europe.
Call-for-Action for Australian Businesses Operating in the European Union
The impact of the GDPR will be massive, and the regulation calls for an immediate review and risk assessment by Australian companies. According to the guidelines set out in the GDPR, it will be mandatory to assign a data protection officer (DPO) who is responsible for ensuring that the company complies with the various articles of the GDPR.
The new set of laws makes it mandatory for Australian companies to ensure that their cloud services and applications have been certified by European agencies. This also means that business establishments need in-depth knowledge of the providers and the cloud supply chain that have access to the personal information of European residents. The workflow and the data flow need to be carefully reviewed and documented, recording how data is processed and transmitted through the various network channels. Both data controllers and data processors are brought under the ambit of the GDPR.
Shedding light on understanding the data flow, Matthias Reinwarth, a senior analyst at KuppingerCole, has strongly recommended that companies have a robust Identity and Access Management (IAM) strategy in order to comply with the rigorous guidelines under the GDPR. An IAM strategy is a categorical approach that clearly defines who should have access to which resources, at the right times and for the right reasons.
As stated in an article written by Warwick Ashford (security editor at ComputerWeekly), Reinwarth said, "A strong, robust, reliable and trustworthy IAM strategy and capability is a core building block required to achieve compliance with the GDPR".
One of the priorities of Australian companies at the moment must be to create a foolproof strategy that enables them to respond within 72 hours of a data breach (as required by the GDPR). Such a prompt response to a possible breach also includes complying with Article 17 of the GDPR, the "Right to be Forgotten". This article states that the data subject, the affected person, has the right to have his or her personal details erased from the databases, and the data controller is obliged to do so without undue delay. Hence, it would be wise to have a robust IAM strategy and capability in place to comply with the GDPR.
Are Australian Businesses Operating in Europe or who intend to do so in the Future Ready to Comply with GDPR?
Australian businesses operating in Europe, or those who intend to do so in the near future, must realize the importance of the GDPR and deploy their technical and non-technical resources to deal with it. Louis Tague, Australia and New Zealand managing director at Veritas Technologies, stated earlier this year that "only 30 percent of local businesses meet the requirements to comply with the GDPR", as reported by ZDNet. The Office of the Australian Information Commissioner has mentioned in its media release that "The GDPR includes requirements that resemble those in the Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling." The Australian Privacy Act has been in place since 1988, and there are no second thoughts that data controllers in Australia are following it. But it is a fact that the GDPR requirements can be far more elaborate, and necessary steps must be taken by Australian companies to comply with them.