The European Union's General Data Protection Regulation (GDPR) substantially increases individuals' rights over their data. The GDPR is aimed at ensuring businesses are able to handle individuals' information appropriately – or suffer serious consequences including fines of up to £20 million or four per cent of global turnover, whichever is greater.
The new rules mean organisations must have appropriate processes to collect, store and use personal data.
Europe is leading global privacy regulations and the GDPR is much tougher than any individual jurisdiction's privacy laws.
Although the European Union (EU) enacted the new rules, Australian firms may need to comply with the GDPR's regulations if they do business or monitor consumer behaviours in the EU.
People have far more rights over their data
Europe's new privacy rules differ substantially from Australia's Privacy Act 1988, which only applies to businesses with annual turnover of more than $3 million. In contrast, the GDPR applies to businesses of any size.
Under the GDPR, businesses in Europe must seek informed consent to collect personal information from their consumers. Additionally, individuals have a right to understand the personal data that a company has collected about them. To comply with the new rules, businesses must also tell consumers why they are collecting their information.
Under the GDPR, people will also have a choice in how their information may be used.
For instance, firms caught by the new laws must give individuals the right to choose whether they want their data transferred to a third party. People can also choose to have their data erased or to transfer their information from one business to a competitor firm.
Australian firms subject to GDPR for their European customers
Because the new regulations apply globally, any Australian business with a customer that has moved to Europe during the relationship with the company is likely to be required to comply with GDPR regulations.
Deloitte Partner David Owen says the first step is for CFOs to understand how the GDPR applies across their organisations.
“It's an opportunity for finance chiefs to undertake a risk assessment of which parts of their business require remediation,” says Owen.
“The GDPR effectively transfers ownership of personal information to the consumer. So the overall tone and culture of businesses need to change to always put the customer first; this is really heralding a culture of true transparency over consumer data,” he adds.
Owen says the initial work organisations need to do is to understand the flow of personal data they collect across the business. This may sound easier than it actually is.
“It's also important to understand what to do if you have a breach and when and how to notify the regulator,” he adds.
According to Owen, while the May deadline is fast approaching, many firms are still coming to terms with how the new rules will apply to them.
“Some provisions are tougher than Australian rules. For instance, under the GDPR, firms only have 72 hours to notify the regulator if their data is breached, which is much more urgent than Australian regulations,” he explains.
Owen says some firms may also need to think through how they will comply with the data portability rules. For instance, the GDPR's requirement that customers give consent for their information to be transferred to a third party is one area that will require considerable forethought by CFOs.
Many businesses transfer their data to consultancies or outside firms to be analysed. Under the GDPR, consumers will need to give consent to this. This is likely to require new processes that let consumers give that consent – or withhold it, if that is their preference.
There are a number of different software vendors that have developed products to allow this – but technology is only part of the solution and there is no magic bullet that will allow businesses to stay inside the rules.
Importantly, compliance activities for the new privacy rules need to be driven by the board and cascaded through the business, to ensure the right cultural shift happens so that staff understand how much power people now have to control their own information.
“This needs to be driven from the top. Cultural change is required so staff understand new expectations about how consumer data is handled,” Owen adds.
“This requires good quality management reporting and risk assessment systems. It is also a good idea to practise mandatory breach reporting before one actually happens,” he advises.
Costs and future considerations
Many finance chiefs may discover that becoming compliant with the GDPR is a substantial and complex piece of work, especially for those firms with multiple product lines across a number of jurisdictions.
It also potentially raises the cost of doing business, because firms may need to reengineer systems and processes – which finance chiefs may need to factor into their operations.
One big issue is potential reputational damage for firms that suffer a breach and do not comply with the rules. Previous examples of businesses whose systems have been infiltrated and personal data compromised have hit the headlines worldwide. As a result, no firm can risk being complacent around the protection of personal data.
Despite potential risks which must be managed, new privacy rules offer an opportunity for businesses to engender better trust as they reengineer how they collect and use their customers' information, while ensuring their customers' personal data is protected.
- New European rights give people much more power over how their personal information is used by businesses.
- Australian firms doing business with European customers are potentially subject to the GDPR.
- There are large fines and penalties for firms found to have flouted the new rules.