The costs and benefits of the new regulatory framework for the technological ecosystem.
The European General Data Protection Regulation (GDPR) recently celebrated its three-year anniversary. Since its launch, hundreds of millions of dollars’ worth of fines have been handed to organisations all around the world, including over 91 penalties to Australian businesses.
Offences have included retailers misrepresenting the way they use CCTV cameras to monitor employees and companies not complying with the ‘right to be forgotten’ law. According to the GDPR Enforcement Tracker, the European data protection authorities have delivered about 700 enforcement actions over the last three years.
Courts have evolved their guidance and tools on international data transfers and GDPR continues to shape the regulatory environment globally, with many current and upcoming privacy bills replicating its standards and requirements.
The fear of non-compliance and fines had a significant impact on businesses. According to our research commissioned before GDPR was first implemented, nearly one quarter (23 per cent) of local organisations worried that non-compliance could ultimately put them out of business. Additionally, 29 per cent were worried about potential layoffs, fearing that staff reductions may be an inevitable way to offset financial penalties incurred as a result of GDPR compliance failure.
Companies were also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected.
However, while no one denies that complying with GDPR can be challenging, Australian businesses must look forward to the benefits the legislation will bring and use the opportunity to improve their cyber security and data management posture, while increasing customer trust and loyalty.
Ultimately, adhering to new compliance principles will make businesses more efficient, secure and competitive, particularly as GDPR is here to stay, with organisations dealing with more diverse data forms than ever before. Ranging from images and videos to social media posts, this data is often untagged, unknown and unstructured, putting businesses at compliance risk.
What can we learn from GDPR?
The reality is that most organisations need to do more when it comes to data handling and storage. To meet GDPR requirements, many Australian businesses are currently eliminating risks in two ways – deleting old data that is no longer necessary and taking steps to reduce the risk of litigation.
This could be through consent forms on websites that ask customers to allow the business to use their data, or through emails informing customers of the new GDPR rules and that the business holds information about them.
Rather than correcting the underlying data management challenges, Australian organisations are often simply doing just enough to avoid any legal issues.
However, given the long arm of GDPR with its extraterritorial scope, Australian organisations may be more exposed than they think. Bad news makes good headlines, and it pays for businesses to learn from the implications of non-compliance and take more proactive steps to safeguard their data.
It has been three years since the gavel struck on the GDPR, and here are five key lessons for organisations to keep in mind:
In the years ahead, we will see consumers continue to reward and choose companies that provide them with transparency, easy access, and control over their data. As a result, placing data privacy as a priority will become a brand necessity.
The GDPR is growing in importance, in tandem with data privacy, for all businesses, big or small. It will take on a much bigger meaning with the growing realisation that it affects more than just the IT, compliance, and legal departments of companies; it also affects a company’s brand reputation, trust, and bottom line.
Geoffrey Coley is the director, strategy & architecture, Asia South and Pacific region, Veritas Technologies LLC.