This guest post was contributed by Nicola Hermansson, APAC Data Protection & Privacy Leader at EY. It is the second in our Working with Industry series of guest posts. Posts in the Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.
Friday 25 May is D-Day for the European Union’s General Data Protection Regulation (GDPR), yet many organisations in this part of the world don’t know what it is and how it will impact them. Only 12 percent of Asia Pacific businesses impacted by GDPR have a plan to address it.
GDPR: What is it, who does it apply to, and why should you care?
The GDPR is an EU regulation, but it has global reach. Essentially, it requires that organisations doing business in the EU or processing the data of individuals in the EU implement a number of data protections. A failure to do so can be met with fines of up to 4 percent of global annual turnover or €20 million, whichever is greater. Many New Zealand organisations with EU connections are affected and will need to change their processes to be compliant.
Data breaches happen too often. The failure of organisations to protect and respect their customers’ personal data has led to customer trust being eroded. The GDPR requires organisations to be more responsible for their customer and employee personal data, and gives control back to individuals. In addition, the GDPR is setting a new global standard for the management of personal data, which is causing change well beyond the borders of the EU.
What does it mean for your organisation?
Organisations need to be accountable and proactive. A good start is to document all personal data processing activities and map data flows so that the organisation is aware of what data it has and how that data is used and managed.
The GDPR focuses on facilitating the rights of individuals, including the right to have data collected, used and disclosed in a robust manner, rights of access to data, the portability of data between various organisations, and the right to be “forgotten”.
Consent for processing personal data must be freely given, specific, informed and unambiguous. It cannot be bundled with other written agreements. A catch-all tick box is no longer good enough. Having privacy notices hidden in general terms and conditions is no longer acceptable.
Organisations need to incorporate data protection into the way that they manage their business using privacy impact assessments and Privacy by Design principles to embed privacy into the way that business is done.
Certain breaches must be disclosed within 72 hours, to both supervisory authorities and potentially to affected individuals.
Key challenges of GDPR
In this data-driven era, organisations desire more and more personal data, but have not been demonstrating the same desire to protect it. Many organisations are struggling to identify what personal data they possess, where it is, who has access to it, what third parties they have given it to, and what they are using it for. A set-and-forget approach cannot be adopted when the business is constantly challenged to use existing data sets in new ways.
The GDPR demands accountability – organisations need to get their data under control and demonstrate compliance. Many organisations that have not previously focused on data protection are finding that complying with the GDPR is taking more effort than they anticipated. Becoming GDPR compliant requires work, forethought, planning and, very importantly, senior stakeholder buy-in.
For organisations that have done little to prepare, it may seem overwhelming, but taking a balanced approach, with a focus on high-risk personal data processing, can make the challenge more palatable. Organisations that really embrace the purpose and spirit of the GDPR can make privacy a valuable differentiator. They can turn compliance from a challenge to an opportunity, from a chore into a chance to differentiate and a tangible demonstration of their company values.
If your organisation has yet to fully understand how the GDPR impacts it, what your new compliance obligations are, and the extent of your personal data processing, you need to act now. It is never too late to start thinking about data protection. This Friday marks a significant date in what should be an ongoing journey towards data management maturity for every organisation – whether impacted by the GDPR or not.
Image credit: GDPR via Tech Talks