GDPR is here, but few Australian staff know what to do about it

Although 96% of Australian IT execs support privacy controls, just 13% of local companies are GDPR compliant

Eurovision may have accepted Australia as one of its own, but Australian businesses may be hoping European Union authorities forget about them for a while as survey after survey suggests that they have missed today’s deadline for compliance with the EU’s general data protection regulation (GDPR) by a country mile.

Australian businesses were generally positive about the intentions behind tighter data privacy protections – fully 96 percent of decision-makers believe that stronger data protection policies will reduce the number of data breaches – but just 13 percent of Australian respondents to a March Webroot survey said they were ready to comply with the privacy protections of GDPR.

That was a fraction of the 89 percent of Australian businesses that were compliant with the new notifiable data breach (NDB) scheme, which came into effect in February.

Low levels of GDPR compliance pose very real issues for businesses whose employees will be charged with activities such as providing copies of all data that the company holds about a particular customer.

Indications are that companies will be inundated with requests in coming weeks. Fully 38.4 percent of respondents to Veritas Technologies’ recent 2018 Global Data Privacy Consumer Study said they were concerned about the protection of their personal data because they have no visibility into how companies are using it and who they are sharing it with.

Fully 40 percent of UK consumers were planning to take advantage of their GDPR rights in the next six months. Of these, 65 percent said they would request access to the personal data that a company has about them, while 71 percent intended to instruct that their data be erased.

Some 56 percent said they want to know what information companies have about them – and 8 percent said they would lodge GDPR requests just to annoy companies that they have issues with.

That expected level of activity will test the abilities of staff who have, in a surprisingly large number of cases, still not been trained about their GDPR obligations or activities. Even within the tranche of GDPR-compliant companies, the Webroot survey – which was conducted by Wakefield Research and included 200 Australian IT decision-makers and 600 worldwide – found that just 29 percent of companies had completed training and 47 percent said their training was in progress.

Just 19 percent of Australian respondents said they were very confident that their employees are equipped to comply with GDPR or NDB, and only 50 percent were very confident that they will be able to provide individuals with all personal data collected on them within a month of the request.

Yet that was still better than the UK – which falls squarely under GDPR’s requirements – where just 18 percent of IT decision-makers said they would be able to comply.

Staff education about GDPR and its day-to-day implications was worryingly infrequent, with just 24 percent of Australian companies saying they had trained IT staff about GDPR compliance. Just 43 percent have trained, or were in the process of training, staff about their NDB obligations.

Such figures highlight the challenge of putting GDPR into practice, even where a company’s data holdings have been appropriately inventoried and catalogued. A recent ISACA survey found that half of companies had struggled to keep GDPR on the agenda, while ISACA and Gartner have independently predicted that just half of companies will be compliant with the legislation by the end of 2018.

That is likely to see extensive non-compliance amongst companies that are struggling to complete their GDPR efforts while simultaneously managing the influx of data requests from consumers that, surveys have repeatedly shown, are increasingly sceptical about many companies’ storage and use of personal information.

“Not all countries, regions, or organisations have data breach notification policies and guidelines in place,” Trend Micro ANZ country director Ashley Watkins said in a statement, “but this week’s EU GDPR changes, much like the recent Notifiable Data Breach legislation locally, will empower data owners in the event of a data breach by increasing transparency between organisations and their customers or users.”

“The EU and Australia are taking strides towards enabling better documentation of data breaches, providing knowledge that can benefit organisations and authorities worldwide in the constant battle against cyberthreats.”