Fortinet, provider of cybersecurity solutions, has advised organizations across Asia Pacific (APAC) to make final preparations to abide by the General Data Protection Regulation (GDPR), effective 25 May 2018. This law protects personal information of all citizens of the European Union (EU) and will be enforced through fines, sanctions, and injured-party compensation. Industries impacted by GDPR will need to review all business processes involving personally identifiable information (PII) and assess their organizational readiness to meet the 72-hour data breach reporting mandate.
The GDPR finely balances the rights of EU citizens to control their personal data against the responsibilities of organizations to protect that data both in the course of normal operations as well as in the case of data breaches. Significant new EU personal information protections include the right to explicitly approve personal data usage and a “right to be forgotten,” enabling people to demand that an organization purge any personal data about them. While businesses and governments with a physical presence in the EU will need to abide by GDPR, it may also apply to firms with significant EU customer or client bases.
Despite the impending deadline, most APAC businesses which serve the EU market or have significant transactions that capture PII are still not fully prepared. According to the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young (EY), only 12 per cent of firms in APAC have a GDPR compliance plan in place.
“While GDPR affects private and public sector organizations handling PII, certain key industries will have heightened exposure as a result of the volumes of PII data they handle as well as the nature of their business,” said Peerapong Jongvibool, Fortinet’s regional director for Southeast Asia and Hong Kong. “These include e-commerce-based organizations operating internationally, as well as companies that serve significant numbers of tourists, visitors, or expatriates from the EU.”
Fortinet lists the top three industries impacted by GDPR:
- Retail − Retail businesses most likely to curate GDPR-relevant PII data include cross-border e-commerce operations, multi-venue retail chains, hospitality, travel, and F&B businesses. Brick-and-mortar businesses serving EU customers can also find themselves liable to GDPR PII protections. Paying with a credit or debit card, providing shipping address information and participating in a customer loyalty program all fall under the protection of GDPR.
- Healthcare − GDPR extends its coverage to non-EU organizations storing or processing the medical information of EU persons. GDPR enacts particularly stringent protection and processes for handling particular types of PII medical information. In general, an organization may collect and process personal medical information only if it is necessary for patient treatment and diagnosis, and with the explicit consent of the patient. GDPR also mentions genetic data as an area of particular concern.
- Financial Services – Financial organizations often maintain huge stockpiles of PII data on account holders. They also consume and generate vast quantities of highly personal marketing data to support selling financial services and assessing credit worthiness of commercial and individual customers.
Organizations preparing for GDPR must focus on reconfiguring their business processes and IT architectures, as well as reducing exposure of PII data.
Fortinet advises enterprises in APAC to take the following steps to accelerate GDPR compliance:
- Engage a third-party firm to assess data protection practices and exposure to GDPR rules.
- Conduct a comprehensive data audit to understand data source, collection and processing. It should include documenting where GDPR-impacted data is stored, how it is communicated between systems within the domain, and any external clouds or third-party data custodians.
- Determine how long it takes for data-breach detection and mitigation and what is required to improve these processes to meet GDPR requirements. This element of the action plan should also include a detailed security assessment.
“At the end of the day, complying with GDPR may well turn out to be the right thing to do to protect the privacy and interests of all stakeholder communities linked to an organization,” concluded Jongvibool. “As onerous as GDPR might seem, it could mark a big step towards restoring public confidence in the ability of businesses to deliver social benefits while simultaneously curbing social risks.”