As well as meeting these regulations, organisations must also understand the risks and penalties for non-compliance. Failure to do so will leave them open to a hefty hit, both to their reputation and their bottom line.
Falling short of requirements
A recent global survey conducted by Talend found there is an alarming gap between what companies are required to do by law and what many are actually doing. For example, of the companies surveyed, 58 per cent failed to address requests made from individuals seeking a copy of their personal data within the one-month time limit stipulated by GDPR. Unfortunately, Australian companies in the panel were among those falling short.
However, some of the requirements of the GDPR are neither new nor unfamiliar to Australian companies. Some are already part of the Australian Privacy Principles (APP) for open and transparent management of personal information. Nonetheless, although these obligations are already regulated, the results of the study suggest that many Australian companies have not yet established the basis for data privacy; the limited cost and risk of non-compliance with the current regulations may explain this.
Indeed, the survey results are clear evidence that Australian companies with interests in the EU are not complying with their legal obligations.
The reasons for this are likely to be varied but fall into a range of different categories:
- Ignorance of the GDPR requirements and what they mean for the way customer data must be stored, managed and made available. There is also a widespread lack of awareness of the need for accountability, even though the APP itemises the requirement to implement procedures and systems that ensure compliance with the Privacy Act 1988 (Privacy Act).
- Reluctance to take the steps required to become GDPR compliant. This can involve a full data audit and the introduction of specific and comprehensive data management and protection processes.
- Mistaken belief that, because Australia is geographically remote from the EU, the likelihood of being penalised for non-compliance is small.
- Failure to continually monitor customer data and ensure any new data collected is managed within the tight requirements of GDPR. The regulations mandate the appointment of a data protection officer to oversee progress and compliance. However, many organisations are yet to take this step.
The results come at a time when Australian data privacy regulations are being tightened, and more attention is being placed on the issue. Indeed, the federal government has announced significant changes to the Privacy Act that include stricter penalties for the misuse of personal data. These penalties can amount to the greater of $10 million, three times the value of any benefit obtained from the data misuse, or 10 per cent of a company’s annual domestic turnover.
These compare with penalties for non-compliance with GDPR, which invoke fines of €20 million or 2 per cent of a company’s annual global turnover.
Interestingly, many of the requirements imposed by GDPR are not new and have been part of Australian privacy regulations for some time. These include the need to implement a privacy-by-design approach to compliance and the ability to demonstrate compliance. What is new is the significantly increased penalties for organisations that fail to comply.
Handling requests for personal data
Interestingly, the survey found a lack of automation when it comes to processing requests for data was one of the key reasons many companies were failing to meet the one-month turnaround required by GDPR.
This is being exacerbated by a lack of a consolidated view of data and clear guidelines around internal ownership. For example, data relating to a single customer can exist in multiple places and pulling it all together to meet a request can often require a large number of manual steps.
The research also highlighted identity checks as an issue for many companies. Of those surveyed, only 20 per cent asked for proof of identification when a request for data was logged. Also, of those who did ask for ID, only a few used a secure online channel for sharing the documents. Often, copies were simply requested by email.
Another issue identified by the research was the need for data portability. Here, Australia is taking a leading role with the introduction of the Consumer Data Right (CDR) scheme that mandates organisations must share consumer data with authorised third parties in a machine-readable form if requested by the consumer. The initiative is initially being applied to the banking sector, and this will be followed by the energy and telecommunications sectors.
Becoming privacy compliant
To meet the strict rules of data privacy regulations and avoid significant penalties, Australian companies that are not yet compliant should make becoming so a priority in 2020.
To achieve compliance, four key steps that need to be followed are:
- Locate all customer data: In many companies, customer data can be stored in multiple locations. To be able to comply with data privacy regulations and respond in a timely manner to access requests, data needs to be located and made readily accessible. Start with a comprehensive audit and develop a strategy from there.
- Reconcile your customer data: When data is collected at different times and in different ways, its overall quality can sometimes be called into question. Ensure that only accurate data is retained and securely managed.
- Create data protection policies: Data privacy regulations dictate specific requirements to which companies must adhere. For this reason, it’s vital to have in place a set of well thought-out policies that guide how data is treated within the company. The policies need to cover everything from collection methods and handling processes to the locations in which data will be stored. Where appropriate, data must also be anonymised to ensure personal privacy.
- Unlock personal data for the data subject: As well as protecting collected customer data, companies also need to be able to provide access to it upon request. Review access processes, ensure these requests can be met in a timely manner, and look for steps that can be automated to streamline the process.
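The access-request handling described above (identity check before release, a consolidated view across data stores, a one-month deadline and a machine-readable export) sketched as an added Python illustration; this is not Talend's or any regulator's code, and the data stores, customer ids and the 30-day approximation of "one month" are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Constructed sample stores: one customer's data scattered across systems
# (CRM, billing, support), as the article describes. Hypothetical values.
DATA_STORES = {
    "crm":     [{"customer_id": "c-1001", "name": "A. Example", "email": "a@example.test"}],
    "billing": [{"customer_id": "c-1001", "plan": "basic", "last_invoice": "2020-01-15"},
                {"customer_id": "c-2002", "plan": "pro", "last_invoice": "2020-02-01"}],
    "support": [{"customer_id": "c-1001", "tickets": 3}],
}

ONE_MONTH = timedelta(days=30)  # assumption: the GDPR one-month limit approximated as 30 days


@dataclass
class AccessRequest:
    customer_id: str
    received: date
    identity_verified: bool = False   # set only after proof of ID has been checked

    def due_date(self) -> date:
        return self.received + ONE_MONTH

    def is_overdue(self, today: date) -> bool:
        return today > self.due_date()


def locate_customer_data(customer_id: str, stores=DATA_STORES) -> dict:
    """Step 1 of the article: gather every record for one data subject across all stores."""
    return {name: [r for r in rows if r.get("customer_id") == customer_id]
            for name, rows in stores.items()}


def fulfil_request(req: AccessRequest, today: date, stores=DATA_STORES) -> str:
    """Release data only after identity is verified; return a machine-readable JSON export."""
    if not req.identity_verified:
        raise PermissionError("identity not verified; refusing to release personal data")
    export = {
        "customer_id": req.customer_id,
        "request_received": req.received.isoformat(),
        "due_by": req.due_date().isoformat(),
        "overdue": req.is_overdue(today),
        "data": locate_customer_data(req.customer_id, stores),
    }
    return json.dumps(export, indent=2)
```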
The requirements of data privacy regulations such as GDPR, the California Consumer Privacy Act (CCPA) and Australia’s CDR and APP mean affected companies cannot afford to ignore them and continue to operate in a business-as-usual fashion. Taking the time now to ensure compliance will avoid regulatory issues and potentially significant fines in the coming years.
Jean-Michel Franco, senior director - product marketing, data governance products, Talend