Michael Shatter, National Director of Security and Privacy Services, RSM Australia
Preparation for Storm GDPR
There has been little if any awareness of the GDPR amongst the middle market in Asia Pacific. In Australia, the recent focus has been on ensuring compliance with, and the ability to respond to, incidents captured by the Notifiable Data Breach Scheme under the Australian Privacy Act of 1988. So with the recognition and awareness of the potential impact of the GDPR, many questions are being raised, essentially around whether it affects and applies to those businesses.
Implementing and remediating system changes that allow data to be identified in line with the GDPR, and that facilitate the rights of EU citizens in regard to their data, will likely be an onerous and difficult exercise.
Many different regulations apply across the Asia Pacific community of public and private sector organisations. For example, in Australia, the Australian Notifiable Data Breach Scheme came into effect in May 2018 and is the first piece of data-centric legislation. It is considered more diluted and softer than the GDPR, and it will therefore require a great deal of effort for Australian entities to identify EU citizen data and facilitate the rights owed to EU citizens under the GDPR.
The Australian scheme focuses on data breaches, whereas the GDPR focuses on citizen data. The Scheme is aimed at enhancing what is referred to as the Australian Privacy Principle Guidelines. However, these are guidance only and not legislated regulations.
Data risk management aimed at moving towards compliance with the GDPR has been, and is, slow. More importantly, recognition of the effort required to comply with the regulations has been difficult. This is especially so because Asia Pacific organisations have been dealing with a barrage of data and security risks over the last two years. With significant effort and focus being channelled into improving systems and data security, businesses and their information technology groups are under significant strain to accommodate another major security and data project.
It is likely there will be a lag in these risks being managed compared with counterparts in other regions. The exceptions are likely to be those enterprises that operate and do business in the EU. Understandably, those entities will have the GDPR front and centre in their minds and on their risk registers.
Reaction and response to the GDPR is only now receiving an increased level of attention. However, efforts to establish projects focusing on GDPR risks are not yet as widespread as we would expect given the reach and potential impact of the regulations. The challenges around the rights of EU citizens and their data are still being digested. Once these are better understood, however, there may be synergies to be realised with existing efforts on other local data security and regulation projects already underway within enterprises.
One thing is certain: there is a clear and present requirement for the GDPR to be included, at the very least, in the risk register so that it is brought to the attention of executive management and governance bodies.