2018-06-23

HOMEGROWN and multinational companies in the Philippines with a presence in or serving the European Union (EU) market are encouraged to secure their digital infrastructure now in compliance with the regional economic bloc's General Data Protection Regulation (GDPR), which was finally enforced last month after a two-year transition period.

Adopted on April 14, 2016, and effective only since May 25, this law is aimed at protecting the personal information of all citizens of the 28 EU member-states and is implemented through fines, sanctions and injured-party compensation.

It's quite akin to the Philippines' Data Privacy Act of 2012, which subjects any business based in the country to stringent data-protection rules that could cost erring organizations fines and jail time of up to six years. The GDPR balances the right of EU citizens to control their personal data against the responsibility of organizations to protect that information in the course of normal operations and against any infringement.

Under this regulation, people must explicitly approve the use of their personal data and have the "right to be forgotten," which allows them to demand that an organization purge any information about them.

According to network solutions provider Fortinet, key industries poised to be impacted by the EU’s GDPR compliance requirements include retail, health care and financial services.

All players in these sectors need to review every business process involving personally identifiable information (PII) and assess their readiness to meet the 72-hour data-breach reporting mandate. Studies have shown that most businesses here and in the rest of Asia Pacific that cater to the EU zone, or have significant transactions that capture PII, are still not fully prepared to meet the impending deadline.

In fact, only 12 percent of enterprises in the region have a GDPR compliance plan in place, based on the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young.

“While GDPR affects private and public-sector organizations handling PII, certain key industries will have heightened exposure as a result of the volumes of PII data they handle, as well as the nature of their business,” said Peerapong Jongvibool, regional director for Southeast Asia and Hong Kong, Fortinet.

“These include e-commerce-based organizations operating internationally, as well as companies that serve significant numbers of tourists, visitors or expatriates from the EU,” he added.

In preparation for GDPR compliance, businesses and governments with a physical presence in the EU, as well as firms serving customers in the region, must focus on reconfiguring their business processes and information-technology architectures while reducing the exposure of PII data.

To that end, Fortinet advised enterprises in the Philippines to engage a third-party firm to assess their data-protection practices and their exposure under the rules.

Likewise, they are advised to conduct a comprehensive audit to understand data sources, collection and processing.

The audit must include documenting where GDPR-impacted data is stored, how it is communicated between systems within the domain, and any external clouds or third-party data custodians that hold it.

Moreover, they need to determine how long data-breach detection and mitigation currently take, and what is required to improve these processes to meet the 72-hour requirement. This element of the action plan should also include a detailed security assessment, according to Fortinet.

“At the end of the day, complying with GDPR may well turn out to be the right thing to do to protect the privacy and interests of all stakeholder communities linked to an organization,” said Jongvibool.

“As onerous as GDPR might seem, it could mark a big step toward restoring public confidence in the ability of businesses to deliver social benefits while simultaneously curbing social risks,” he stressed.