We’ve been working with a number of organisations in Australia as they assess the applicability of the regulation to their operations, clients and datasets. As is common, we’ve had a broad range of responses in Australia, ranging from absolute ignorance through to something close to hysteria, and many steps in between. The preparedness of organisations is equally diverse, mirroring the introduction of Australia’s Privacy Act NDB amendment. By diverse I mean that we were, quite literally, still receiving requests for assessment and remediation projects several days before the regulation came into effect.
As I mentioned, I was interacting with a higher number of organisations, one on one, at a faster rate than I normally would, and this provided insights in itself. Rather than the deep-dive projects I would normally oversee, there were some very experienced, insightful and senior people sharing their thoughts and observations across some very diverse verticals. GDPR is more prescriptive and generally more onerous than the NDB amendment, but similarities in professional response exist: there is some trepidation that organisations do not know how well they may be implementing their changes, how widely the applicable Personally Identifiable Information is distributed, and how governments will respond as compliance breaches are discovered.
For some organisations, GDPR can significantly alter their business model. GDPR-K, which significantly limits data that can be stored regarding children, has had a massive effect on producers of games and apps, which were previously able to very effectively use traditional customer segmentation, targeting and positioning techniques to cross and up-sell products.
Some of the requirements, such as the right to have your data deleted, can be quite challenging technically. Replication, geographic and jurisdictional boundaries, business continuity and disaster recovery can all prove troublesome. Take a situation where offline backups are kept in archive for several years to meet financial and accounting obligations. Encryption keys (because no one in their right mind would be storing masses of their data unencrypted!) are kept so that the data can be extracted and recovered if required. How does a legitimate request for the deletion of PII that extends to hundreds of magnetic tape backups, stored by a third party, offsite and offline, get fulfilled?
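As an added illustration of one approach practitioners take to that question (example code, not the author's): "crypto-shredding", where every data subject's records are encrypted under their own key and a deletion request is honoured by destroying that key, so the hundreds of offline tape copies are never touched but become unreadable. The KeyStore below is a hypothetical in-memory stand-in for the HSM or KMS that would hold the keys in practice.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore maps each data subject to their own data-encryption key. This is a
// hypothetical in-memory stand-in for the HSM or KMS a real deployment would use.
type KeyStore map[string][]byte

// aeadFor returns AES-256-GCM under the subject's key, issuing a fresh key on
// first use when create is set; once the key is shredded it returns an error.
func (ks KeyStore) aeadFor(subject string, create bool) (cipher.AEAD, error) {
	key, ok := ks[subject]
	if !ok && !create {
		return nil, errors.New("no key for " + subject + ": shredded or never issued")
	}
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil { return nil, err }
		ks[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Shred destroys the subject's key. Every copy of their records, online or on
// offline tape, becomes unrecoverable without touching the media itself.
func (ks KeyStore) Shred(subject string) { delete(ks, subject) }

// Seal encrypts one record: random nonce prepended, subject id bound as
// associated data so a blob cannot be re-attributed to someone else on restore.
func (ks KeyStore) Seal(subject string, record []byte) ([]byte, error) {
	aead, err := ks.aeadFor(subject, true)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, record, []byte(subject)), nil
}

// Open decrypts a record restored from backup; it fails once the key is gone.
func (ks KeyStore) Open(subject string, blob []byte) ([]byte, error) {
	aead, err := ks.aeadFor(subject, false)
	if err != nil { return nil, err }
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], []byte(subject))
	}
	return nil, errors.New("ciphertext too short")
}
```

The key store itself then becomes the asset whose backups must be handled with care: a restored copy of the key store would undo the shred, so its own retention must be shorter than the deletion deadline.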
Like a lot of aspirational regulations, there will be teething issues and, hopefully, a gradual application of penalties, cognisant of any attempts to implement controls. Conversely, organisations wishing to obtain a competitive commercial advantage by ignoring their regulatory compliance obligations should be made an example of. I’ve witnessed both types of organisations – those trying to do their best, and those trying to maintain or increase profit margins – in the past few months, and look forward to the application of the law/regulation matching the aspirations of the protection of privacy with the corporate responsibility decisions being made at the board and executive level.