If you have completed the Compliance Questionnaire, you may be wondering what further steps you can take to ensure your compliance and improve your cyber resilience.
If your business or organisation has a presence in Europe, the European Union's General Data Protection Regulation ('GDPR') will affect how you conduct your business in that region. Continue reading for resources and actions you should take to ensure compliance.
Your business will need to comply with the GDPR if it does any of the following:
- Is established in the EU
- Has an office in the EU
- Targets EU customers (e.g. enables them to order goods and/or services in a European language and to pay in euros)
- Mentions customers or users who are in the EU
- Tracks individuals in the EU on the internet and uses data processing techniques to profile them in order to analyse and predict personal preferences, behaviours and attitudes
The European Union Agency for Cybersecurity (‘ENISA’) is an agency established in 2004 under the Directive on security of network and information systems (‘NIS Directive’). This agency focuses on providing cyber security best practices and techniques.
In addition to your business's compliance with the Australian Privacy Principles (APPs), the GDPR requires the following steps to be incorporated:
- Privacy notices on your website must be clearly visible to your visitors
- Request explicit consent before you process a user's personal data
- Ensure that each request for consent is written in clear and plain language
- Ensure that stored personal data can be easily extracted, provided or erased at a customer's request
- Implement a notification process so that, once a customer withdraws their consent, the stored personal data concerned is deleted
- Incorporate a data breach notification process: the GDPR requires notification within 72 hours of your business becoming aware of a breach, to the affected individuals and to the relevant supervisory authority for the affected EU residents
What happens if you fail to comply?
Infringement of the GDPR can lead to fines of up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. While the financial cost of non-compliance can be high, the reputational damage to your business is hard to quantify and can be insurmountable.