Preparing for data laws: The impact of the EU’s GDPR on Australian businesses
When we think of commodities, we think of raw materials and agricultural products – copper, coal, coffee, writes Michael Bishop.
But in today’s digital economy, these commodities are taking a back seat to make room for something much bigger, easier to move and more valuable ... data.
Data has long been recognised as its own asset class, yet the extent of its value to businesses has only recently begun to be realised. Found in every organisation, data has become increasingly business-critical – with the power to make or break organisations.
Governments and institutions across the globe are imposing rules and regulations in a bid to protect individuals and make businesses more accountable. From sourcing to storing data, there are hundreds of pieces of legislation impacting business processes around a company’s data. This legislation varies by country, and here in Australia, by state too.
The result? Confusion. Which is why we need to be clear about the rules impacting Australian businesses, and their data, now and into the future.
Case in point: GDPR
One such regulation that has national and international businesses concerned is the European Union’s General Data Protection Regulation (GDPR), which will harmonise existing data privacy laws in the EU and introduce a far-reaching revolution in data privacy. We’ve all been hearing about this regulation for months, but what does it really mean for Australian businesses? Who does it really impact? Like all such regulation and legislation, finding transparency and simple, clear guidance on the matter is harder than you might think.
In the case of GDPR, we know that from 25 May 2018 the expanded scope of jurisdiction means that Australian businesses of any size will need to comply with this regulation if they have an established presence in the EU, offer goods and services to individuals in the EU, or in any way monitor or profile the behaviour of individuals in the EU.
The intention of GDPR is to strengthen and unify data protection throughout the region. This means that a huge number of Australian companies meeting the GDPR criteria will be forced to comply with these rules or cease serving or profiling their European customers.
What complicates new regulations like GDPR further is that Australian companies will also need to ensure they are compliant with local industry laws and regulations specific to Australia. There seems to be little or no connection or collaboration between government bodies to streamline or simplify these processes for businesses.
In response, this article will help prepare organisations for the GDPR, and other legislation, with a proactive approach to compliance. Here are the four steps involved:
1. Know your data
In order for businesses to best prepare for new legislation, they must first know their data and be able to answer key questions like: Where does our data originate and where is it stored? Do we know all of the places where our data is backed up and replicated? How does personal data flow in and out of our business? What is our customer and office presence across regions? And how much control do we have over the processing of data? Without knowing and understanding your data, and having a solid data privacy compliance framework, you cannot clarify how exactly you will be impacted by new legislation as it emerges.
2. Understand your obligations
Once you know your data, you can start having more meaningful conversations around data compliance.
With so many laws and regulations, it’s difficult to fully understand what your obligations are, both internally and externally. Yet in reality, this is the most important aspect of preparing for new legislation and actioning your business accordingly. With this in mind, it’s advisable to get expert advice on legal obligations and IT solutions to quickly understand business responsibilities as legislation emerges or is adapted.
3. Review the processes
It is vital that every organisation knows where its data is stored, not to mention the risks associated with it. The review process requires an understanding of the risks to personal information held by an organisation, the consequences of data loss, and the way the data privacy compliance framework works to deal with these situations and shore up data privacy.
Businesses must sift through their policies, documents, procedures and third-party arrangements to ensure they are compliant.
4. Get staff on board
Staff engagement is critical to the successful implementation of new legislation. Knowing your data is fundamental to having the right compliance framework, which is why it is vital that employees are proactively engaged with the process of understanding your data. However, getting staff on board doesn’t happen overnight; instead, it requires continuous empowerment of individuals with the right training and support.
The bottom line is, organisations today have copious amounts of data, and must comply with the myriad state, national and international laws and regulations that govern it.
It’s a complicated business, but Australian companies must not be deterred. Instead, they need to switch their mindsets when it comes to compliance.
Businesses far and wide must acknowledge that compliance is no longer simply an IT issue. Instead, it must be handled across an organisation – from the board, to legal, to sales and beyond. Implementing a proactive strategy, across the entire organisation, is the only way organisations can be confident they are meeting their compliance obligations. It’s time to overcome complication with proactivity, face up, and protect your data.
Michael Bishop is the APAC legal director at Commvault.