Australian companies unprepared for GDPR data regime

When the European Union’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018, it will represent the most comprehensive update to global data protection regulations in decades. Although the regulation comes into force in under three months, reports have shown that many companies, particularly outside of Europe, are not well enough prepared for the profound ramifications the GDPR brings.

According to professional services firm Ernst & Young’s Global Forensic Data Analytics Survey, released last month, very few companies globally are as prepared as they should be for GDPR.

When asked to describe their company’s current status with respect to complying with GDPR, only 33 percent of the 745 executives (from 19 countries) surveyed said that they have a plan, while 39 percent said that they are not familiar with the GDPR at all. The survey found that only 13 percent of respondent companies across the Americas and only 12 percent in Asia-Pacific, including Australia, have a compliance plan that addresses the GDPR.

“Although the EU developed the rules, Asia Pacific businesses are likely to need to meet the GDPR’s regulations if they have a presence, offer goods or services or monitor individuals’ behaviours in the EU,” says Sasha Kalb, vice president of compliance in Asia Pacific for American Express Global Business Travel (GBT).

The aim of the GDPR is to ensure businesses are transparent about, and accountable for, how they handle individuals’ information. It touches all aspects of business and has the potential to impose strict sanctions on businesses. These include fines of up to £20 million or 4 percent of global turnover, whichever is higher.

The GDPR goes much further than many existing national privacy laws. For example, Australia’s privacy laws apply only to businesses with annual turnover of more than AU$3 million. In contrast, the GDPR applies to businesses of any size.

To comply with the GDPR, it is first important to understand what personal data is. It includes things that would traditionally be understood as personal data, like names, passport numbers and dates of birth. But the GDPR clarifies that personal data also includes other information that allows companies to identify, locate, contact or single out an individual, including unique identifiers such as IP addresses or mobile phone identifiers.

Ernst & Young’s survey found that the most prevalent increases in concern over data risk are in the following four areas:

  1. Data protection and data privacy compliance
  2. Cyber breach and insider threat
  3. Industry-specific regulations
  4. Regulatory response

Respondents reported that spending on Forensic Data Analysis (FDA) has increased substantially. The average annual spend per respondent is 51% higher than what was reported in 2016. Companies with annual revenue of more than US$5b reported the highest spending, with 26% of respondents spending US$1m or more.

For its third biennial survey, E&Y asked respondents questions about robotic process automation tools for the first time and learned that 14% are currently using them to manage legal, compliance and fraud risks. Further, 39% of respondents reported that they are likely to adopt robotic process automation within the next year. In addition, 38% plan to adopt artificial intelligence.

It also found that, with better adoption of advanced FDA technologies, many companies have improved their inclusion of a wide range of data sources, both structured and unstructured.

“While unstructured data is not as widely used by companies as structured data, its use still has increased significantly since our 2014 survey when almost half of the unstructured data sources had an inclusion rate below 40%. In this year’s survey, the inclusion rate for unstructured data sources is above 40% across the board. This indicates that companies are investing in the technical capabilities for collecting and processing unstructured data, which often provides context and meaning to structured data.”

The full Global Forensic Data Analytics Survey 2018 is available HERE