Impact of EU GDPR Laws on Australian Companies
Europe takes the lead on personal data protection. The changes are coming to Australia, and here’s what you need to know.
The world is a global village, and scores of companies retain the Personally Identifiable Information (PII) of both local and international clients. Data privacy has become an international dialogue, as ever more complex information flows cross national borders and regulatory jurisdictions. Although privacy laws do exist, they are not tied to data security regulations and are subject to highly variable accountability. The rise of information breaches around the world has raised red flags. Governments around the world, including the Australian Government, are now taking a harder line with companies that store sensitive personal data or PII.
The EU approach
The European Union adopted the General Data Protection Regulation (GDPR) in April 2016. The GDPR seeks to protect all types of digital data, including PII, and to render companies fit for the digital age. New rights granted to EU citizens – such as data portability and erasure – give the individual much more control over their personal data. The GDPR can penalise a company up to 20M Euros, or 4% of its annual revenue, for breaches. The new law mandates stricter accountability measures, including audits, Privacy Impact Assessments, activity records, policy reviews, and the appointment of a Data Protection Officer.
How can organisations achieve their journey to compliance?
Organisations seeking to achieve compliance need to focus on three basic components of the GDPR.
1) New compliance journey
The compliance journey will require all entities to classify personal data, carry out risk assessment, implement privacy protection for all new business practices, employ data protection staff, perform compliance audits, and maintain a complete documentation record.
2) New transparency framework
The transparency framework will require entities to provide individuals with complete, transparent information about how their personal data is being treated. In the event of a security breach, entities will be responsible for notifying regulators, as well as any affected people in critical cases.
3) New enforcement and sanctions framework
The enforcement and sanctions framework gives regulators exceptional power to scrutinise an entity’s operations, and to intervene when they need to. Regulators also have the authority to impose fines in cases of non-compliance. Individuals will have the right to access their data and to demand an end to the usage of their data. They will also be able to exercise data portability.
How GDPR changed data protection in the EU:
- More stringent requirements to obtain consent for personal data collection
- The age from which an individual can give consent to the collection of their data has increased from 13 to 16 years
- Data must be deleted if it is no longer used for the purpose it was initially collected to serve
- Data must be deleted if an individual revokes his/her consent to hold data
- Companies must notify the EU government of any security breach incidents within 72 hours of knowledge of the incident
- A sole National Office has been established to monitor and handle GDPR related complaints
- Firms handling enormous amounts of customer data must hire a Data Protection Officer
- Organisations face a fine of €20m, or 4% of an organisation’s global revenue, for non-compliance.
How does the GDPR Affect Australia?
The EU GDPR law is not limited to local firms in the EU. It will eventually apply to any organisation around the globe that handles the PII of European citizens, regardless of industry.
By 2018, all organisations will have to follow the GDPR, or face the consequences of non-compliance.
The new laws leave many Australian companies worried about not having complete control over the data they provide online. Moreover, Australians can source business data from the abundance of websites that offer full access to up-to-date information on Australian companies. The new law will dramatically affect the availability of digital data, and will have a major effect on Australian businesses that gather and analyse consumer data. The EU GDPR will also seriously impact Australian organisations that have:
- Direct operations within the European Union
- Third parties operating in the EU
- EU citizens as clients
What should Australian organisations do?
Understanding the new requirements of the EU GDPR is essential for managing risk exposure. Within two years, the EU GDPR will apply globally. Businesses should not underestimate the time it will take to conform to the new regulation. Organisations should think and act in terms of data security. Merely thinking about data security is not enough; management must demonstrate that data protection is a foremost priority:
Be more pro-active
Businesses should be more hands-on and less reactive about EU GDPR compliance, and should already have in place a risk-based methodology for managing privacy.
A more tailored approach
Organisations need to adapt their policies and processes so that they can identify exactly where, and which types of, personal data they are processing and sharing with customers.
Consider potential risk exposure areas
Australian companies should keep track of the territorial scope of the EU GDPR, timely data breach notifications, risk analysis and data protection impact assessments, the right of erasure of private data, and the obligation to appoint Data Protection Officers.
Priority actions for Australian companies and agencies in the 2 years before GDPR arrives here:
- Understand the extent to which you hold personal data of EU residents and whether you fall under the category of “data processor” or “data controller” for GDPR purposes
- Determine your scope of obligations and duties under GDPR
- Review all policies and procedures within your organisation, particularly security and privacy policies, to confirm that they are consistent with both GDPR and Australian requirements.
Data protection and privacy are integral to the EU GDPR, and senior management must take the lead in achieving compliance through the evolution of technological and organisational policies and procedures. The GDPR will ultimately make everyone within the supply chain auditable and responsible for ensuring the integrity and confidentiality of Personally Identifiable Information.