Much of the attention given to the looming General Data Protection Regulation (GDPR) coming into force next year has focused on the onerous bureaucratic requirements it will create. Yet many people are failing to see it can also deliver benefits to Australian businesses.
The intent of the GDPR is to ensure better protection of personal data for all individuals within the European Union. This includes any data that can be linked, directly or indirectly, to an individual.
This is relevant to any Australian business that deals with EU citizens. With the rise of the digital economy and online transactions, the regulations will affect large numbers of businesses in this country that will need to ensure they have the systems in place necessary for compliance.
However it's not all bad news. For forward-thinking businesses, complying with GDPR can also safeguard their digital activities and make them more competitive in an increasingly global marketplace. Compliance will help drive more efficient and effective security measures that encompass partners and supply chains across international borders.
The compliance challenge
Complying with GDPR will be challenging for many businesses because of the shift they have made into the digital world. In order to compete and survive in a changing market place, they are making use of everything from ecommerce sites and electronic payments to customer portals and chatbots. Often, these are used by EU citizens.
As a result, businesses are collecting increasing amounts of personal information which needs to be stored and protected. This is challenging enough when that information is held in on-premise systems but becomes even more complex when cloud-based platforms are added to the mix.
To enable successful collaboration and further their strategic business goals, many companies have also built complex ecosystems that allow access by other parties to personal data. GDPR expands the responsibility for the protection of personal data from those who collect it to their partners who process it. Once the new rules are in force, all will be held responsible.
The GDPR also adopts a broad approach to territoriality which affects organisations whether acting as controllers or as processors. It will create significant changes that have an impact on businesses established outside the EU but that are conducting business within the EU.
Security implications
The goal of GDPR is to improve the security of personal information stored by businesses, and it comes at a time when that goal has never been more imperative. While the importance of personal data has grown within connected businesses, so has its appeal to cyber criminals.
The criminals are attracted both by the amount of data available and what it allows them to achieve. Personal details open up opportunities for a range of crimes including theft, fraud, resale on the black market and even ransom demands.
At the same time, cyber criminals have become smarter at what they do. Regular newspaper headlines attest to the fact that perpetrators continue to become more sophisticated at compromising personal data for malicious purposes. Managing who has access to personal data is key to adhering to GDPR requirements and, given the variety of new internet platforms, devices and cloud services being managed, there are a lot more threat surfaces that need to be secured.
The business benefit of GDPR compliance
A lot of emphasis has been placed on the financial penalties resulting from non-compliance to the new regulations which can include fines of up to 4 per cent of a company's global turnover. Also, for the first time, EU residents are given the explicit right to compensation for the misuse or compromise of their personal data.
However there is an important business benefit that come from stronger protection of personal data above and beyond the avoidance of fiscal pain. Maintaining responsible custodianship of your customers’ data helps to protect the revenue stream of your business. Customer loyalty and trust is the basis for customer retention, gaining new customers, and increasing their lifetime value so adhering to the new requirements makes significant business sense.
The ability to demonstrate compliance to the regulations will not only strengthen customer relationships, but can also enhance a company's brand, thereby attracting new employees, better partners, and more business.
The role of privilege
At the heart of GDPR compliance is controlling who has access to the personal data collected and stored by a business. This, at least in part, high-value privileged accounts must be monitored and controlled at all times.
This process should involve deployment of tools able to provide proactive, end-to-end detection and protection of all private data that is collected and stored. These privileged account security tools allow for strong protection by:
- Securing processing through least privilege enforcement, limiting use of privileged rights within an organisation and ensuring adherence to data access policies
- Allowing early response to breaches, thereby ensuring they can be reported within the 72-hour window prescribed by GDPR
- Protecting from non-compliance by ensuring a business can prove that it met its obligations under the legislation.
By adopting a strong privileged access management strategy, Australian businesses can be sure they are able to adhere to the GDPR requirements when they come into force while also being best placed to protect their online operations and reputation in a rapidly evolving digital world.