Australian companies believing geography lets them ignore the EU’s general data privacy regulation (GDPR) may be in for a nasty surprise, with an expert warning that non-compliance may lock them out of contracts and make it harder to comply with our own upcoming consumer data right (CDR) legislation.
Since coming into effect in May 2018, Europe's new legislative regime “has had a positive dynamic far beyond the border of the EU”, Nicolas Arpagian, vice president of strategy and public affairs with expanding French security firm Orange Cyberdefense, told Information Age.
With Australia’s consumer data right (CDR) legislation to be phased in over coming months and the California Consumer Privacy Act (CCPA) providing yet another GDPR-like privacy environment, businesses face growing obligations to protect personally identifiable information (PII) no matter where they are based.
Yet compliance is still lagging in Australia and many other countries, with a recent Capgemini survey finding just 28 percent of firms are GDPR-compliant and 30 percent are “close to compliant” – leaving 42 percent that still have a way to go.
By comparison, Capgemini found, only around two-thirds of organisations expect to be compliant with the CCPA – which, Arpagian said, “has had an impact on the global market by forcing companies to identify what are personal data”.
“Just the idea of qualifying information, and understanding who holds it and where they are located, is a very constrictive action because we have to have the clearest view about who is in charge, and what level of protection they have.”
Privacy closer to home
Clarity is good business practice and important for meeting compliance obligations, but in today’s governance-focused climate it could be the difference between winning a contract with a European company or being passed over for a less risky competitor.
If data about a European provider’s customers was lost or stolen from an Australian subcontractor, Arpagian pointed out, those customers would have the right to sue that company.
European companies “don’t want to have to explain to customers or employees that they were negligent in the care of their data”, he explained, “and we can see that has had an impact on the global market.”
“Australian providers will have to justify that their data is being protected in conformity with GDPR.”
Failure to meet those standards is no longer an excusable offence – as the likes of British Airways, Google and Marriott have learned after copping massive fines for GDPR violations.
With the volume and cost of cybercriminal activity surging in Australia, failure to maintain GDPR-level privacy standards could be equally problematic, with significant potential fines well above those prescribed by Australian privacy laws.
“We are in a situation where people without technical knowledge or financial capacity have the capability to find ways to bypass security using high-performing tools that are almost free of charge,” Arpagian said.
“In the past, when you were a victim of cybercrime people had compassion for you – but now, you have to make a choice between the risk of a fine and the investment required.”
Global reach, local capabilities
Orange Cyberdefense has worked proactively with customers to further extend its business globally, with an evolving Australian presence expanding its existing network of 22 sites in 13 countries.
Each of these markets has a different profile of privacy laws, overlaid by global obligations imposed on transnational commercial relationships by GDPR and similar legislation.
Maintaining consistency across these many domains has required a significant investment in skills that are ever more difficult to acquire.
This requirement has led Orange Cyberdefense to expand strategically in recent years, with “very cautious” acquisitions of specialist firms including CERT, threat intelligence and incident response specialist Lexsi and, more recently, UK technical audit specialist SecureData.
“When we are talking about cybersecurity we are talking primarily about trust,” Arpagian explained, “and the human part is very strategic.”
“Without that it’s absolutely pointless, but competencies are rare – so we have been very cautious in merging the companies, so that we keep the talent we need.”
A dry run for CDR
Leveraging that talent will be crucial in helping Australian businesses meet their obligations under GDPR – which itself will prove to be a trial run when the more locally-applicable CDR kicks into force next year.
If the EU’s experience with GDPR is any indication, CDR will significantly ramp up expectations on staff to improve both cybersecurity and competencies around PII management.
Fully 90 percent of organisations have received GDPR-related data queries since the legislation was introduced, Capgemini notes, with 13 percent receiving over 5,000 queries in the past year.
Ramping up to meet these requirements has improved cybersecurity practices in 91 percent of organisations – reflecting the symbiosis between better compliance and better security.
That linkage will continue to shape Australian investments in security as the scope of contemporary compliance obligations becomes more widely understood.
“It’s not a question of putting technology everywhere,” Arpagian said, “but giving a clear understanding of what technology makes possible.”