Fortinet advised organizations in the Philippines to make final preparations to abide by the General Data Protection Regulation (GDPR), effective 25 May 2018.
This law protects the personal information of all citizens of the European Union (EU) and will be enforced through fines, sanctions, and injured-party compensation. It is quite similar to an existing law in the Philippines, the Data Privacy Act of 2012, which subjects any business located in the country to stringent data protection requirements; offending organizations face fines and jail time of up to six years.
As such, industries impacted by GDPR will need to review all business processes involving personally identifiable information (PII) and assess their organizational readiness to meet the 72-hour data breach reporting mandate.
The GDPR finely balances the rights of EU citizens to control their personal data against the responsibilities of organizations to protect that data both in the course of normal operations as well as in the case of data breaches. Significant new EU personal information protections include the right to explicitly approve personal data usage and a “right to be forgotten,” enabling people to demand that an organization purge any personal data about them. While businesses and governments with a physical presence in the EU will need to abide by GDPR, it may also apply to firms with significant EU customer or client bases.
Despite the impending deadline, most Asia Pacific businesses that serve the EU market or have significant transactions that capture PII are still not fully prepared. According to the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young (EY), only 12 per cent of firms in APAC have a GDPR compliance plan in place.
Fortinet lists retail, healthcare and financial services as the top three industries impacted by GDPR.
Organizations preparing for GDPR must focus on reconfiguring their business processes and IT architectures, as well as reducing the exposure of PII.