Critical GDPR Facts You Need to Know
On 25 May 2018 the General Data Protection Regulation (GDPR) officially went into effect. After being approved on 14 April 2016, it’s finally a reality that has greatly changed the way businesses handle data.
Although it’s a regulation that’s specifically for organisations within the European Union (EU), it impacts companies the world over. As with any major overhaul, the transition process can be difficult, and many businesses still have a way to go before they’re fully aligned and on board.
So there’s a good chance that this is something your organisation is struggling with.
For this post, we’re going to discuss some critical GDPR facts that should help you better understand the fundamentals, alleviate any friction you may be up against and make the transition as seamless as possible. We’ll also include a couple of infographics to illustrate key points.
How the GDPR Affects Australian Companies
The first thing to mention is that the GDPR has its tentacles spread all over the world and isn’t limited just to the EU. Asha McLean of ZDNet discusses how the GDPR impacts companies at large, including those in Australia.
She says, “The laws do not stop at European boundaries. Organisations in the rest of the world, including Australia, are bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.”
She also mentions how there is some overlap between the GDPR and the Australian Privacy Act 1988 considering they both take a privacy-by-design approach to compliance.
In particular, the GDPR affects Australian companies that:
- Have operations within the EU
- Have customers or clients located in the EU
- Gather and analyse data of consumers located in the EU (e.g. looking at web analytics)
- Work with third parties within the EU
While there is no hard data on this, it’s safe to say that a substantial number of Australian businesses are impacted, especially when you consider how globalised the world has become.
In turn, this changes several aspects of business and marketing including:
- How you develop and update your data protection policies
- The data you choose to store and how long you retain it
- Overall IT security
- Marketing strategies
- Your approach to analytics
As you can see, this is quite substantial and will require you to rethink your data protection and cybersecurity game plan if your company is affected.
When some companies think of the GDPR, they only consider the negatives—the inconvenience, changes to policies that must be made, potential fines, etc.
But when you look at the bigger picture, there are some major positives to it. Here are some specific ways that GDPR compliance can be a huge asset to your business and help you thrive in 2018 and beyond.
Develop a More Efficient Cyber Disaster Response
Research found that the average cost of a cyber attack for Australian SMBs in 2017 was over $1.89 million AUD.
This means there’s simply no room for ignorance or half-hearted cybersecurity these days. The financial backlash, downtime and blow to brand equity are just too devastating.
But you can think of the GDPR as a call to arms for modern organisations because it basically forces you to address any weaknesses or inefficiencies in your cybersecurity infrastructure. This regulation encourages you to examine your current cybersecurity strategy and take the necessary steps to refine it.
In turn, you should have a more robust and fully developed cyber disaster response where you maintain tighter control with more effective data protection and streamlined security monitoring. It could even be the catalyst for preventing a major cyber attack from ever occurring in the first place. So this is definitely something to keep in mind.
Ability to Continue to Engage in Business with Europe
For traditional brick-and-mortar companies with a demographic that’s located exclusively within Australia, the GDPR will be of little interest.
But if a portion of your customers—even if it’s only minor—are based in Europe, it’s a huge concern. Without compliance, you could lose valuable customers, which will ultimately result in diminished revenue.
Taking the necessary steps to become compliant ensures that you can continue to do business with this segment of your customers. On top of that, you may actually be able to increase your customer base if primary competitors fail to comply because their customers could potentially come to you.
This makes compliance critical for maintaining and growing your customer base.
Improved Client and Consumer Trust
Try to put yourself in the shoes of your average client and consumer for a second. How would you feel if a company you’ve been doing business with fell prey to a serious data breach or cyber attack?
- Would it reduce your trust in them?
- Would it make you a little wary about how they’re handling your personal data?
- Would you be inclined to take your business elsewhere?
For many people, the answer is yes to all three of these questions. In most cases, the trust and overall brand equity of organisations take a significant hit in this type of incident.
One particular study even found that 76 percent of people would move away from companies that suffer a large data breach, and 72 percent would share fewer personal details.
But when clients and consumers know that you’re compliant, this can increase their trust level considerably. Needless to say this can have a tremendous impact on your organisation and will contribute to your longevity.
When you look at it on the macro level, being an organisation known for GDPR compliance can even strengthen your culture. Just think about it.
There’s a major trend going on right now where people are more concerned than ever with their online privacy and keeping their personal information out of the wrong hands. It’s a multi-billion dollar industry.
Facebook’s recent data crisis is a great example and one of the main reasons why they’ve been embroiled in controversy as of late.
Being known as a privacy-friendly company can be huge for your overall culture and a major selling point to customers and clients. In some cases this can even move you to the upper echelon of your industry.
Many Companies Are Missing the Mark
Despite all of these benefits, it’s clear that many organisations aren’t where they need to be in terms of compliance. With roughly only half being compliant at the time the GDPR went into effect, this is an issue that countless companies need to address—and soon.
As you can see from this infographic, some of the main challenges are understanding the requirements, having access to experts who understand the ins and outs of the GDPR, and executing the necessary actions at the company-wide level.
Overcoming These Challenges
The first step to getting on track is taking the time to familiarise yourself with the key changes that are stemming from the GDPR. Luckily, there’s a great resource from EUGDPR.org that breaks these changes down succinctly in a way that’s easy to understand.
It covers all of the essentials like:
- The full scope of the law
- Gaining consent
- Breach notifications
Another option is to enrol in a GDPR course. This involves web-based training through digital materials like webinars and slideshows that cover the new law in detail, but in a way that’s easy for beginners to understand.
You may also want to check out this previous post we wrote, which discusses the specific implications of the GDPR for Australian businesses.
The next step is to align yourself with someone who’s well versed in the GDPR and data protection in general. Fortunately, you don’t necessarily need a dedicated IT security department with in-house experts. Even SMBs with limited funds and finite resources can usually afford to hire a GDPR consultant to ensure compliance.
Greg Sparrow, senior vice president and general manager of CompliancePoint, explains that you’ll ideally find someone with a combination of certification and plenty of industry experience.
Finally, you’ll need to adjust your data protection policies so that you have the framework to effectively implement technical and organisational changes. This can of course be onerous, but a cyber security consultant can assist you with this as well.
The Time Is Now
There was a long period where all you heard about was the impending GDPR and making preparations before it went into effect. But that time has passed, and the law has already been implemented.
Considering that numerous companies are affected all over the world—including many in Australia—now is the time to fully familiarise yourself with all of the facts and go over any details you may have overlooked.
And if you still have any uncertainty regarding your organisation’s compliance, it’s wise to contact an expert right away.
Are there any particular aspects of the GDPR that you still find confusing? Please let us know: