The costs and benefits of the new regulatory framework for the technological ecosystem.
The European General Data Protection Regulation (GDPR) recently celebrated its three-year anniversary. Since its launch, hundreds of millions of dollars’ worth of fines have been handed to organisations all around the world, including over 91 penalties to Australian businesses.
Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees and companies not complying with the ‘right to be forgotten’ law. According to the GDPR Enforcement Tracker, the European data protection authorities have delivered about 700 enforcement actions over the last three years.
Courts have evolved their guidance and tools on international data transfers and GDPR continues to shape the regulatory environment globally, with many current and upcoming privacy bills replicating its standards and requirements.
The fear of non-compliance and fines had a significant impact on businesses. According to our research commissioned before GDPR was first implemented, nearly one quarter (23 per cent) of local organisations worried that non-compliance could ultimately put them out of business. Additionally, 29 per cent were worried about potential layoffs, fearing that staff reductions may be an inevitable way to offset financial penalties incurred as a result of GDPR compliance failure.
Companies were also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected.
However, while no one denies that complying with GDPR can be challenging, Australian businesses should look to the benefits the legislation will bring and use the opportunity to improve their cyber security and data management posture, while increasing customer trust and loyalty.
Ultimately, adhering to new compliance principles will make businesses more efficient, secure and competitive – particularly as GDPR is here to stay, with organisations dealing with more diverse data forms than ever before. Ranging from images and videos to social media posts, this data is often untagged, unknown and unstructured, putting businesses at compliance risk.
What can we learn from GDPR?
The reality is that most organisations need to do more when it comes to data handling and storage. To meet GDPR requirements, many Australian businesses are currently eliminating risks in two ways – deleting old data that is no longer necessary and taking steps to reduce the risk of litigation.
The latter could be through consent forms on websites that ask customers to allow the business to use their data, or through emails informing customers of the new GDPR rules and that the business holds information about them.
Rather than correcting the underlying data management challenges, Australian organisations are often simply doing just enough to avoid any legal issues.
However, given the long arm of GDPR with its extraterritorial scope, Australian organisations may be more exposed than they think. Bad news makes good headlines, and it pays for businesses to learn from the implications of non-compliance and take more proactive steps to safeguard their data.
It has been three years since the gavel struck on the GDPR, and here are five key lessons for organisations to keep in mind:
- Misunderstanding of compliance – Compliance can be confusing. Not just the GDPR, but also the Notifiable Data Breaches scheme and the CCPA. When everyone has a different idea of what compliance looks like, projects break down. Successful GDPR projects bring together all those involved, such as the legal department, the data protection officer, IT and management. In this way, all key stakeholders gain the same understanding of compliance and jointly assess possible risks.
- Understanding the data footprint – Most organisations are faced with a data footprint that is far too complex. They cannot manage it, and do not know what data they hold and what they do not. It is crucial for organisations to classify their data and act on it, to remain compliant in the face of growing data regulations. Knowing what data is out there empowers businesses to act more quickly if something ever goes wrong.
- Closing the data governance gap – With an ever-growing volume of data, not all organisations are equipped with the capabilities to capture all their data sources and achieve modern archiving to support their regulatory and corporate obligations. Organisations need to be more proactive at continuously improving their data governance and archiving strategy so that they can produce data on demand and avoid compliance penalties.
- Agreeing to the rules but not embracing them – Companies that limit themselves to the minimum measures to meet basic compliance often fail to achieve it. Companies now must take a closer look at what data they collect, and how it is stored and protected. Project managers who follow the full spirit of the guidelines are better prepared to meet the stipulated regulations.
- Not seeing the bigger picture – Companies that see GDPR as an obligation, rather than an opportunity to take control of their data, see the least return on their projects. Those that look beyond the immediate challenge and invest in data insights often manage to reduce storage costs and improve data management as part of their GDPR compliance programs.
In the years ahead, we will see consumers continue to reward and choose companies that provide them with transparency, easy access, and control over their data. As a result, placing data privacy as a priority will become a brand necessity.
The GDPR is growing in importance, and data privacy with it, for all businesses, big or small. It will take on a much bigger meaning with the growing realisation that it affects more than just the IT, compliance and legal departments of companies – it also affects a company's brand reputation, trust and bottom line.
Geoffrey Coley is the director, strategy & architecture, Asia South and Pacific region, Veritas Technologies LLC.