Thursday, 31 May 2018 15:33

Why does European GDPR law matter to Australians?


With Australia now one of "the leading countries of cloud adoption in the world", and with businesses long since able to operate globally, foreign regulations can have local implications.

Many Australian organisations are using cloud services to both run business applications and store massive amounts of data, according to Matt Hallewell, Cloud and Modern IT at Avanade, with the company stating it "transforms businesses for the digital era".

Cloud is just one part of that transformation, and now Hallewell tells us that the benefits of the cloud "are about to come under new data privacy and control regulations that impact Australian organisations".

So, what is GDPR?

Well, we're reminded that it stands for General Data Protection Regulation, and it's "Europe’s answer to data regulation".

Hallewell continues, stating that "over 500 million EU citizens will be given unprecedented rights, access and control over their personal data".

"In Australia", he continues, "there is a sense of confusion as to what this actually means, with clients asking how GDPR relates to us".

The answer is, quite significantly.

No matter where an organisation is located — within the EU or not — Hallewell stresses that it must comply with the GDPR if it collects, processes, shares or stores personal data that identifies “EU data subjects.”

Australian businesses will have to comply if they:

  • Operate businesses that are established in a member state of the EU;
  • Offer goods or services to individuals in the EU, irrespective of whether a payment is required; and
  • Monitor the behaviour of individuals in the EU, where that behaviour takes place within the EU.

With this in mind, Hallewell has compiled "the following focus areas whereby owners of data need to get their house in order, especially now that GDPR is a reality".

1. Shut down unauthorised cloud solutions

"A side effect of massive cloud growth in Australia is that many companies are currently storing data (including customer personal data) in many cloud services (such as Dropbox, WeTransfer, Apple iCloud, etc.) that aren’t authorised or controlled as traditional Enterprise IT services. This means that the data may be located and stored in multiple geographies around the world.

"Because data can be stored within multiple locations by cloud service providers, store corporate data in one location in every jurisdiction. Avanade recommends moving data from unauthorised Cloud Services into enterprise cloud services (such as Microsoft OneDrive) and shutting down third party solutions, to give you more control over who is accessing your data."

2. Deploy mobile device management tools for greater data management

"GDPR has seen an increase in customers worried about mobile devices, smartphones or PCs having corporate data in uncontrolled environments. Mobility device management tools (such as the Microsoft Enterprise Mobility Suite) allow organisations to control and restrict access to sensitive data so it can’t be taken outside the corporate network or be accessed insecurely.

"This is vital for organisations who have employees that travel to Europe on a regular basis for example."

3. Collect necessary data only

"Specify in any data processing agreement that only the personal data needed to perform the app’s function is collected by your organisation and nothing more. There are limits on “special” data, which includes race, ethnicity, political views, religion etc."

4. Don’t allow cloud apps to use personal data for other purposes

"State clearly in any data processing agreement that the customer owns the data and it is not shared with third parties. It must be possible for the controllers to retrieve the data in a structured, commonly used format to provide to the data subject or another controller."

5. Ensure that you can erase the data when you stop using applications

"Make sure that you can download your own data immediately and apps will erase your data once you’ve terminated any services with third parties. The more immediate (i.e. less than a week), the better, as the longer it takes, the higher the risk of exposure."

6. The contract should define a breach event

"Describe a procedure for the provider to notify your enterprise about any breaches without undue delay. Even if the cloud provider experiences a data breach that impacts multiple customers, you should be responsible for external communications and manage the overall breach with their support.

"What organisations don’t want is a breach making headlines before their provider notifies them of the breach and before the controller is able to notify local authorities. Organisations are not in control over the cloud provider’s (IT) environment and you must rely upon (IT) controls that the provider has in place. Therefore, it is always necessary to assess to what extent the provider can comply with your IT Security requirements."

Given the GDPR deadline on 25 May has passed, following these measures is imperative to ensure you and your organisation are well prepared for the realities of GDPR now being in force.




Alex Zaharov-Reutt
