With the 25 May implementation of the EU’s General Data Protection Regulation (GDPR) now just days away, a staggering number of Australian businesses appear unprepared for the sweeping reforms.

Business software company, Sage, asked 342 Australian businesses if they were ready for the upcoming reforms.

The results were worrying: 84% of the businesses said they were not very familiar with GDPR or had not heard of it at all, while 82% did not understand what the changes meant for their business.

Executive Vice President for Sage Asia Pacific, Kerry Agiasotis, explained that the Australian figures fell into a wider global pattern.

“Unfortunately, the results were fairly consistent with what we saw around the world – which is, outside of Europe, there is still a very low level of awareness,” he told Information Age.

While GDPR is to be enforced by the EU, it is extra-territorial by nature, in that it applies to the data of individuals from the EU, irrespective of the company's location.

This means that Australian companies that have offices, customers or suppliers based in the EU will be subject to the regulation.

Agiasotis attributed much of this under-preparedness to miscommunication.

“This is legislation that has been drafted in Europe and it affects European individuals, so I think the notion was this was just for European businesses – people didn’t understand the extra-territorial nature of the legislation,” he said.

“Any business that has information about a EU person that can be identified uniquely falls under this legislation. And that’s what is concerning.

“This could include an IP address. If you had the combination of a name, an IP address and related it to an individual who surfed your website, you would fall under the requirements of this legislation.

“Many businesses may not understand that they hold that sort of data because the requirements are really broad in nature.”

A state of confusion

Earlier this year Australia introduced its own data breach laws.

While these reforms provide enforceable guidelines for Australian businesses when it comes to data protection, Agiasotis highlighted that when compared to GDPR, there is room for confusion.

“The Australian Data Privacy Act… was really targeted at larger businesses,” he said.

“So, that effectively carves out the vast majority of small businesses in Australia, which is where the numbers lie.

"This legislation effectively applies to every business.”

Although Australia’s legislation does not yet perfectly align with GDPR, Agiasotis predicts that local policies may soon mirror Europe in a move towards global compliance.

“What this legislation is doing is that it’s now starting to influence local legislation and I think that’s how more and more people will find out,” he said.

“You’ll start to see more local governments falling in line with the types of things that have now been embedded in GDPR.”

Not all bad

Though there is no doubt that there will be some initial hurdles for businesses globally when GDPR comes into force later this month, Agiasotis reminded Australian businesses that the reforms also present an opportunity.

“The positive side of things is that it does allow for a business now to strengthen core practices,” he said.

“It’s an opportunity for businesses to really understand, because this type of legislation will become more normal around the world and in Australia.”