The EU is getting serious about protecting their citizens’ privacy.
The General Data Protection Regulation, or GDPR, is coming into play on 25 May 2018, and is set to disrupt the way companies track, process, store and use your personal data. While the GDPR is designed for EU citizens, any company with access to this data must comply, including those located outside the EU.
In the wake of recent serious data breaches, the new legislation is designed to build legal certainty for businesses and improve customer trust in online services. It will help to cultivate transparent data handling practices and business accountability. People deserve to feel confident that businesses will protect their personal data.
Australian businesses of any size will need to comply if they have a presence in the EU, if they offer goods and services to EU citizens (for example, an ecommerce store that ships to the EU) or if they monitor the behaviour of EU citizens (for example, a health monitoring company or financial advisory service used by someone in the EU).
Even though the legislation won’t affect every Australian company, we should see this as more than an issue of regulatory compliance. Rather, it’s an opportunity to provide a better experience for your customers and secure a competitive advantage.
What are the GDPR legislation requirements?
The legislation strengthens the protection of privacy, including the right to be forgotten, clearer consent provisions, data breach notification, and the right for EU citizens to access, correct or erase personal information held by marketing or other bodies.
Key requirements of the legislation:
- Get clear consent to access and use the data of people in the EU. This means that companies need to be clear about the data they are collecting and what they will use it for.
- As soon as the company no longer needs the data, they should delete it. Companies will also need to delete data if the person who originally gave their consent later revokes it.
- If there is a data breach, companies will need to notify the EU government within 72 hours.
- Any company with a significant amount of EU citizen data will need to hire a Data Protection Officer to act as first point of contact for GDPR officials.
Failing to comply with any of the regulations will earn companies a fine of 4% of their global revenue or €20 million (over $30 million AUD), whichever is higher.
Is the GDPR legislation the same as the Australian Privacy Act?
As we’ve mentioned before, the Australian Privacy Act recently changed. Businesses now must follow a set of guidelines in the event of a data breach. While there are similarities, the two laws aren’t exactly the same.
Both laws require businesses to implement a series of measures that ensure they comply with prescribed privacy principles. Both laws also take a ‘privacy by design’ approach, ensuring businesses build these measures into their strategic foundation. There is also a notification piece in both laws. Businesses must inform the government and their own customers of breaches in certain circumstances.
However, under the Australian Privacy Act, small businesses with an annual turnover under $3 million are exempt, unlike the GDPR. The penalties under the GDPR are also significantly higher. Under Australian law, businesses aren’t required to get specific consent for collecting personal information, unless it’s considered sensitive. They also aren’t legally required to erase the data of any individual.
How will the GDPR affect Australian businesses?
According to Louis Tague, Australia and New Zealand managing director at Veritas Technologies, only 30% of Australian businesses currently comply with the GDPR. Businesses are sometimes unaware of what the legislation means, or underestimate how much work is needed to achieve compliance.
This might be a scary thought if your business collects data in the EU. Remember, you’ll need to comply with the GDPR if your business is present in the EU, offers goods and services to EU citizens, or if you monitor the behaviour of EU citizens. Even if you don’t operate in the region, privacy standards here in Australia are likely to start evolving as well.
There are also ways that the GDPR could indirectly affect Australians. Analysts at Forrester predict that the new legislation could have a significant impact on the current digital marketing landscape. Relatively standard tracking practices like behavioural targeting, predictive modelling and cross-device recognition could result in big fines for digital behemoths Google and Facebook. There’s also a possibility that artificial intelligence progress could suffer a setback as a result of the new rules.
How should Australian businesses prepare to meet GDPR compliance?
Worried about the new legislation or want to review your privacy policies? It’s important to take steps now. Make sure your personal data handling practices comply with the legislation, and seek legal advice where necessary. Look at your existing infrastructure, and analyse the gap between where you are now and where you should be.
We recommend getting legal advice before acting on any new privacy processes or measures to make sure you’re compliant with all relevant laws.
As a starting point, Australian businesses should:
- Put a risk-based methodology in place to manage the privacy of any personal data on file.
- Identify what data they hold and the channels through which it is collected.
- Review any processes or policies in place for managing a data breach.
- Make sure you are prepared in the event that you need to respond or notify people who have been affected.
- Assess whether you should appoint a Data Protection Officer to implement and report on any new strategies.
Download this report from the Office of the Australian Government Commissioner for more detailed information.
Of course, the first step is to review your existing privacy policies.
Get in touch to speak to us about how you collect and manage your data.