Australia lacks understanding of EU data laws: Veritas

In May 2018, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.

According to Louis Tague, Australia and New Zealand managing director at Veritas Technologies, only 30 percent of local businesses meet the requirements to comply with the GDPR.

"I think a lot of Australian businesses are not aware of the implications of GDPR or potentially underestimate the effort needed to be compliant for that regulation," he told ZDNet, adding that in a lot of cases, businesses are just completely unaware of what the GDPR actually entails.

Organisations that fail to comply with the regulation requirements could be slapped with a fine of up to €20 million, or 4 percent of a company's annual turnover.

"In a simple form, the GDPR is about personal data of individuals from the EU, which a lot of Australian companies I would imagine have that kind of information about individuals and them not knowing that they're potentially at risk is a worrying concern," Tague said.

"Maybe this is an Australian government piece that needs to happen, but certainly [organisations] seem to be unaware of their obligations under that, seeing it as purely an EU regulation and not having the full visibility of their obligations and how it might affect them."

According to survey findings released by Dell Technologies in October, nearly 90 percent of businesses in Asia Pacific know little or nothing about the EU's upcoming regulation, while another 93 percent did not have any plan in place for when the GDPR regime kicks off.

Additionally, only 7 percent said they had a plan to prepare their organisation for the change.

While the GDPR only applies to data held on individuals from the EU, Tague said at the very least it points to the strategic nature of data being an asset, and the lengths organisations must go to protect that asset.

"I think good governance of your data is important for a good functioning organisation and that's where I think a lot of organisations need to be focused is really trying to understand what their information looks like," he said.

"50 percent of the world's corporate data is dark which means customers actually have no idea what that data is, who owns it, where it sits, or how that may be used. That's a worrying statistic in itself."

Under the GDPR, EU citizens have the right to be forgotten by an organisation.

"Effectively, if an individual from the EU wants you to delete all their information from your data storage, you need to be confident that you can do that, and just deleting that entry from a database is often not enough ... you need to be able to show the EU that you've successfully deleted it and have a process for that deletion," Tague said.

"That is a very challenging thing for organisations to do but we also see that as good governance in terms of being able to manage a company's information."

With that, Tague believes preparing an organisation for the GDPR will result in better understanding of what data is held to better protect it, but to also unlock the business value it holds.

"Being able to locate the data across an organisation is a challenge but companies need to take action to locate that data and then be in a position to be able to search through that data over time," he added.

In Australia, Tague said there is still a lot of work to be done in bringing different data pools together.

"Where data becomes more powerful is where you can link data with data from other databases or applications to be able to create data pools that you can then create some unique customer insights that I think Australian businesses need to start to leverage," he explained. "There's enormous wealth in unstructured data that companies need to try and unlock and need to leverage."

The GDPR, The Australian Privacy Act, and even the proposed legislation criminalising the re-identification of de-identified datasets are designed around protecting the data belonging to customers and citizens, Tague said.

"We absolutely believe that organisations that exercise good governance on their data are in a much stronger position to leverage that data and treat it as an asset that they can use to further their own business objectives, and also incorporate into any of their strategic decisions in terms of how do they service their customers better and drive revenue for their businesses," he concluded.