The new General Data Protection Regulation (GDPR) is set to come into effect on May 25, 2018, yet businesses in both the UK and Australia do not seem fully prepared for the consequences.
GDPR to Affect Non-EU Companies
While the GDPR is an EU law, it will also cover businesses in non-EU countries – including Australia and possibly Britain, depending on how Brexit negotiations unfold. This will be the case for enterprises that have a branch on EU soil, offer their services or goods within the EU, or simply monitor the behaviour of persons located within EU borders. This extends to numerous international companies, especially those providing digital or subscription services, which often store and process the personal data of clients. If companies are found not to be in compliance with the new rules, they stand to face hefty fines – which is why many professionals are rushing to meet the obligations.
UK and Australian Companies Unprepared for New Rules
It seems that UK companies do not have the lead over their US counterparts in that respect: according to a study conducted among privacy professionals in both countries just last December, over 60% of those surveyed said that they had yet to begin GDPR implementation preparations, and 90% responded that they needed to invest in further capabilities in order to meet the new standards. 50% of the respondents identified technology as among the top three priority areas they need to focus on when implementing the GDPR requirements.
It is going to be a costly affair, too: 69% of UK professionals expect the costs to rise to six-digit figures, while among large companies, 6% are budgeting more than £740,000 extra for privacy measures. Australian companies do not appear to be faring any better when it comes to preparing for the impact of the new Regulation, as they have focused much of their attention on Australia’s new data breach notification regime, which came into effect last month.
Companies Need to Put Technical Measures in Place
According to the GDPR, companies need to put in place organisational and technical measures, such as a data protection risk assessment, data breach response plans, or safeguards for companies that deal with online payments, such as compliance with the PCI DSS. The acronym stands for Payment Card Industry Data Security Standard and refers to a set of security requirements developed in 2004 by major card issuers like Visa, MasterCard, and American Express in order to protect consumers against online fraud.
Another essential for companies like e-shops is SSL (Secure Sockets Layer) technology, today provided by its successor TLS, which allows a website to establish an encrypted link between the web server and the client accessing it. This keeps all data exchanged during a transaction (including sensitive information like banking data used in online payments) confidential and protected from tampering in transit while the payment is being processed.
With just a few weeks left until the GDPR requirements come into effect, the race against the clock for businesses is now more pressing than ever.