Although just 1 in 3 Australian companies believe they need to be compliant with forthcoming European Union privacy regulations, the remainder are likely to find themselves commercially disadvantaged if they don’t do the same, a senior European cloud-industry executive has warned.
With less than a year to go until the EU’s General Data Protection Regulation (GDPR) takes effect in May 2018, many Australian companies are still a long way from complying with laws obligating them to protect personal data relating to European Union citizens.
The majority, in fact, believe – erroneously – that they have no obligations under the GDPR, which EU regulators have explicitly said does apply in countries outside the EU. Nonetheless, just 36 percent of Australian respondents to Gemalto’s recent Data Security Confidence Index 2017 said they would need to comply with the regulation.
That could be problematic given the prevalence of EU citizens amongst Australia’s population. More than 28 percent of Australians were born overseas, according to the Australian Bureau of Statistics, with over 1.5m Australian citizens born in the UK, Italy, and Germany alone.
As several Parliamentarians have recently learned in a most inconvenient manner, any of these citizens may be eligible for citizenship of one of the EU’s 28 member states. And that makes them protected by the GDPR, which penalises companies up to 4 percent of their annual turnover for breaching the private data of an EU citizen.
Unless Australian businesses are collecting detailed information to ascertain whether their customers hold EU citizenships, they have no real way of sidestepping their exposure to GDPR. The potential legal quagmire should concern every Australian business but surveys show that many local businesses – SMEs in particular – are well behind on meeting their obligations. Many admit they won’t be compliant by the deadline, or simply don’t know how to protect data to the GDPR’s requirements.
“Many companies won’t be ready when they should be,” Alban Schmutz, vice president for development and public affairs with French cloud provider OVH and president of European cloud-services group CISPE, told CSO Australia.
“It’s more complicated for SMEs, who have smaller teams and aren’t always taking into account regulations around developing software and managing data. GDPR is really impacting companies that have no history of a strategy regarding end-user customer data. They are collecting a bunch of data but never put it coherently into their information systems.”
In his role with CISPE, Schmutz has been actively engaging with the group’s membership to set the bar for GDPR compliance through its Code of Conduct for data protection. This set of guidelines was released last September and has since seen 33 certified cloud services – including cloud backup, server, hosting, disaster recovery and other services from ARUBA Spa, Amazon Web Services, OVH, Seeweb, D.FI Services, and others.
The Code of Conduct offers valuable guidance about overall compliance practices, which the Gemalto figures show could definitely use some improvement. Only 40 percent of respondents in that study believe their organisation carries out all procedures in line with data protection laws, while 14 percent said they wouldn’t trust their own organisation to store and manage their personal data.
By demonstrating their continuous commitment to GDPR compliance, such companies will advantage themselves in the market and potentially gain an edge with companies outside of Europe, who have already recognised that GDPR compliance will soon be essential to access the lucrative European market.
Schmutz has already engaged with organisations as far afield as Africa and South America, and says that if Australian companies lag behind they may not only threaten their Australian business through mishandling of EU citizens’ information – but end up being marginalised in larger contracts.
“Each [European] country will manage its own countries,” he said, “and the way it will be managed will be different per country. This may create competitive disadvantage for Australian companies if they are not using the same rules. Even if they are not fighting to access European markets, they will be affected in their own markets.”
By all accounts, Australian companies have their work cut out for them in achieving compliance by the deadline. Lack of clear local guidance means few companies are appointing formal data protection officers (DPOs) – even though GDPR legislation explicitly requires them to do so.
“Data Protection Officer isn’t a job title I’ve heard a lot” while talking with Australian businesses, said Graeme Pyper, ANZ regional director with security firm Gemalto, although some local divisions of multinationals report flexibility from their head offices depending on local needs.
“You don’t need to boil the ocean,” Pyper said, “as long as you’re doing sensible things. But you can’t continue without having those protection mechanisms in place.”
Schmutz agrees that Australian organisations can likely get away without having a DPO for the moment, but emphasises the importance of the role in the long term: within the next few years, he predicts, GDPR’s scope will be broadened from consumer data to include business-to-business data as well.
That change would signal a major new requirement for data-management frameworks – and that means it’s never too early for Australian companies to start planning for GDPR in both the short term and the long term.
“Preparing for that, and having people seen to be able to do that, would be a good idea,” said Schmutz, noting that compliance with the CISPE Code of Conduct is “a powerful tool to show that you have done the work” to prepare for GDPR.
“It’s about preparing things, and being able to show authorities that you have prepared things,” he explained. “It’s about being able to be as reactive as possible, being able to muster your value chain, and to be sure that there is no cascade of issues behind that.”