What is the General Data Protection Regulation?
Commonly referred to as the GDPR, the General Data Protection Regulation is a regulation through which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Alongside those primary objectives, it also governs the export of personal data outside the EU and the protection of that data once it leaves. The regulation is intended to set the benchmark for personal data protection and has been well received by officials as a positive move towards giving EU citizens and residents more control over their data.
The GDPR becomes enforceable on 25 May 2018 and replaces the Data Protection Directive 95/46/EC, adopted in 1995.
Why is the GDPR being introduced?
The economic value of personal data has increased dramatically in the last 8 years, and with it the scale of the data protection problems it creates. The GDPR gives EU citizens and residents stronger digital rights in an age where cyber threats are the third most common crisis event.
Would the GDPR affect your organisation?
A breach of the GDPR could result in major fines for Australian organisations with trade links to Europe, for example:
- An Australian organisation with an office in the EU
- An Australian organisation that employs EU citizens
- Australian education institutions with EU students
- An Australian organisation whose website targets EU customers, e.g. by enabling EU customers to order goods or services in a European language other than English, or by enabling payment in Euros
- An Australian organisation whose website mentions customers or users in the EU
- An Australian organisation that tracks website visitors from the EU and uses profiling techniques to analyse and predict individuals' online preferences, behaviours and attitudes
Spokespeople from IAG and McAfee have both said that Australia is not prepared for the major changes the GDPR brings.
What does your organisation need to do to comply with the GDPR?
If you hold or process personal data about people in the EU, whether that is a receipt with a customer's details or client records in your CRM, you are likely to be subject to the regulation.
Should a data breach occur within your organisation, you must report it to the relevant EU supervisory authority (the data protection authority) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the breach is likely to result in a high risk to those individuals, they must be informed as well. A data breach could be as little as the release of an individual's IP address. Failure to report a notifiable breach could result in a fine.
The GDPR sets the maximum fine for failing to report a breach at €10,000,000 or 2% of the organisation's worldwide annual turnover, whichever is higher. This tier covers a baseline breach of the regulation. For more serious breaches the maximum rises to €20,000,000 or 4% of worldwide annual turnover.
Management consultancy Oliver Wyman has predicted that EU regulators could collect as much as $6 billion in fines and penalties in the first year.
Once the regulation goes live, many predict that EU regulators will make an example of companies that do not take data breaches as seriously as they should. They are likely to crack down hard in the first 3 years and use those cases to set expectations internationally.
It is important to remember that no set of preventive measures stops every cyber-attack. What matters most is how you react once an attack has occurred: you may need to go into crisis management mode to ensure business continuity. Having processes in place to deal with the crisis, report the breach to the supervisory authority within the 72-hour window, present your remediation and implement preventive action should now be your priority.
If you would like more details on this new regulation, RiskLogic has a team of experienced consultants who can provide support. Email us at firstname.lastname@example.org or call 1300 731 138.