Comparison between APRA CPS 234 and GDPR


Overview

APRA CPS 234 is a set of standards for data security and privacy that was issued by the Australian Prudential Regulation Authority (APRA) in April 2018. GDPR is the General Data Protection Regulation, an EU regulation that came into effect in May 2018. Both regulations are designed to protect the privacy and security of personal data. APRA CPS 234 has a more specific focus on the financial sector, while GDPR applies more broadly to all types of data. Both regulations require organizations to have strong data security measures in place, and both provide individuals with the right to access and control their data. However, GDPR is more comprehensive in its scope, providing individuals with additional rights such as the right to be forgotten and the right to data portability.



What is APRA CPS 234?

APRA CPS 234 is a set of standards published by the Australian Prudential Regulation Authority (APRA) in July 2018. It sets out the minimum requirements for the security of digital systems and data used by Authorised Deposit-taking Institutions (ADIs) in Australia. The standards cover areas such as risk management, access control, monitoring, incident response and reporting, system and network security, authentication, encryption, and physical security. They apply to all ADIs, regardless of size or complexity, and are intended to ensure that ADIs have robust security controls in place to protect their customers' data and systems from malicious attacks, theft, and other security threats.


What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. GDPR aims to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It was adopted on April 14th, 2016 and became enforceable on May 25th, 2018. GDPR replaces the 1995 Data Protection Directive. It provides a harmonized data protection law across Europe, regardless of where the data is processed. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company's location. GDPR is designed to protect the privacy of EU citizens and give them control over their personal data. It sets out the rules for how companies must collect, store, and process personal data. It also sets out the rights of individuals with respect to their personal data and how they can exercise those rights.


A Comparison Between APRA CPS 234 and GDPR

1. Both standards emphasize the importance of data security and privacy.

2. Both standards require organizations to implement appropriate technical and organizational measures to protect personal data.

3. Both standards require organizations to conduct risk assessments to identify and mitigate data security risks.

4. Both standards require organizations to have clear policies and procedures in place for the collection, storage, use, and disclosure of personal data.

5. Both standards require organizations to provide appropriate training and awareness to staff on data security and privacy.

6. Both standards require organizations to have processes in place to detect, report, and respond to data security incidents.

7. Both standards require organizations to have processes in place to ensure compliance with the requirements of the standards.


The Key Differences Between APRA CPS 234 and GDPR

1. GDPR applies to all organizations processing personal data of EU residents, while APRA CPS 234 applies only to Australian-based financial institutions.

2. GDPR requires organizations to take proactive steps to protect data, while APRA CPS 234 requires organizations to assess their existing information security practices, policies and procedures.

3. GDPR requires organizations to notify their supervisory authority in the event of a data breach, while APRA CPS 234 requires financial institutions to notify their regulator.

4. GDPR requires organizations to appoint a data protection officer, while APRA CPS 234 does not.

5. GDPR requires organizations to obtain explicit consent from individuals for data processing, while APRA CPS 234 does not.

6. GDPR requires organizations to provide individuals with the right to access, rectify, or erase their data, while APRA CPS 234 does not.