While many companies in Mauritius and worldwide are busy getting ready for the EU GDPR, many others remain unaware of the regulation, or have taken a stance assuming that the regulation does not apply to them.
Hiding behind the assumption that the regulation cannot be enforced in Mauritius by legal means creates a false sense of security: European regulators can impose a ban on data processing at the source, or suspend data transfers to non-compliant entities. There is also the risk of international sanctions and reputational damage, all of which can affect the business, its finances and therefore its livelihood. A single data breach could lead to redundancies as a result of financial losses.
Under the GDPR, which comes into force in May 2018, fines associated with a data breach can reach up to 20 million Euros or 4% of global turnover (whichever is higher). At the time of writing, European companies are negotiating with multiple suppliers and will not risk dealing with non-compliant entities once the deadline has passed.
In short, GDPR compliance is becoming a marketing advantage for businesses that have taken the necessary steps to protect personal data, and a major disadvantage for entities that show no concern.
Local businesses that have invested in GDPR compliance are also advised to check that third parties within their supply chain are GDPR compliant, or at least on a path to compliance.
A major headache for companies trying to achieve compliance is the issue of figuring out how to detect a data breach. Under GDPR, a breach must be reported within 72 hours (3 days). Responding within this timeframe means that GDPR compliance requires a mature incident management framework involving people, processes and technology.
For example, instructing the IT department to install best-of-breed firewalls and antivirus is one thing, but how is the business strengthening its human firewall?
HR does not normally deal with IT issues, but it is well known that despite all the technical controls such as firewalls, antispam or antivirus, the human element remains the weak link in IT security. Yet IT departments do not have the authority to set enterprise-wide KPIs for employees in relation to their security awareness mindset.
No technology is 100% effective and cyber-criminals are continuously evolving in order to circumvent common technical controls. All it takes is for one false move from an employee to infect an entire network and cause a ransomware attack, which can paralyse a company for hours or even days.
When the crux of the problem is poor training, the issue enters a grey area, as IT is usually seen as responsible for technology crises. Nor does it help that many employers fall into a false sense of security, assuming that since nothing bad has happened to the organisation, nothing ever will.
In a nutshell, for companies dealing with European personal data, GDPR compliance cannot be avoided, and preparing for GDPR will involve a change of mindset and meticulous planning.