Unfortunately, although we all like to avoid such emails, these are pieces of communication you can’t ignore. They are important both in terms of your personal data, and to ensure your business is meeting its obligations.
It’s easy to question whether a law passed in the European Union applies to you. But in this case, in most circumstances, it does. The GDPR extends to any person or business that is dealing with people in the EU, receiving data on people in the EU or otherwise monitoring people in the EU. Is your website accessible to people in the EU and do you record information about people accessing your website? If the answer is yes, then you are likely to be monitoring someone from the EU and caught by the GDPR.
Even where you are not collecting information about people based in the EU directly, you will likely feel the impact of the GDPR if you are dealing with businesses based in the EU. They are now obliged to ensure that any person with whom they are dealing, and to whom they pass personal information, is also GDPR compliant.
We’ve had a number of clients get in touch to understand what these regulations mean to their businesses and the steps they should be taking to meet their obligations. Don’t stick your heads in the sand over this one. It’s important.
Is your data at risk?
One of the biggest hurdles facing businesses today is effective management of data and its security. In fact, every day almost 5 million data records are either lost or stolen globally, and accidental loss is leading the way with an increase of 580% to almost 2 billion compromised records in 2017.
In Australia, we’ve seen a data breach of 19 million accounts at the Commonwealth Bank, and more recently the ACCC announced its investigation of Google over harvesting of data, with Aussie customers unwittingly paying for gigabytes consumed during that harvesting. At a global level, one of the most significant breaches of all time was by disgraced UK analytics firm, Cambridge Analytica, which was responsible for compromising data from 87 million Facebook profiles.
What are the data protection laws?
It is no surprise that new legislation is coming into play to protect the rights of the consumer. For Australian businesses, it is essential to be aware of the Australian Privacy Principles (APP) and the Notifiable Data Breach (NDB) scheme (newly introduced into the Privacy Act 1988), as well as the EU’s GDPR:
1. Privacy Amendment (Notifiable Data Breaches) Act 2017
The NDB scheme is an amendment to the Australian Privacy Act 1988 and came into effect on February 22, 2018. It relates to a breach that is likely to result in serious harm to any of the individuals whom the information affects. Entities required to comply with the APP now have the following breach notification requirements:
- A statement provided to the Office of the Australian Information Commissioner; and
- Notification to each person whose data is breached or at risk, including recommended steps they should take.
The amendments to the Australian privacy laws implemented as a result of the NDB bring Australia more closely into line with data breach reporting requirements elsewhere in the world. In particular, although not quite as stringent, our notification requirements more closely resemble those recently introduced in the European Union under the GDPR.
2. European Union General Data Protection Regulation (GDPR)
The GDPR was implemented on May 25, 2018 and regulates the collection, storage and use of personal data from individuals in the EU. As stated, the new regulation has global implications as its territorial scope extends beyond simply capturing businesses and individuals located in the EU. It also affects businesses of any size and individuals who:
- Offer goods and services in the EU, or
- Monitor behaviour of individuals in the EU.
With technological advancements allowing an increasing number of businesses to trade globally, the significance of the increased territorial scope of the GDPR can’t be overstated.
In the context of Australian businesses, there are some notable differences between the APP and the GDPR, with the EU regulations tightening up several conditions, including:
- The requirement to appoint a representative in the EU where the business does not have an establishment in the EU;
- The requirement to appoint a data protection officer (in certain circumstances);
- Consent by a statement or clear affirmative action, not a pre-ticked box, silence or inactivity;
- An individual’s right to be forgotten (the right to data erasure);
- The right to data portability to another data controller without hindrance;
- Limiting data collection and time of storage to what is necessary;
- Implementation of security measures to ensure the protection of privacy; and
- Strict requirements on data transfer outside the EU.
Is any of this important to your business?
In a word – yes! Our advice is that you make sure your data governance framework ensures you adhere to the requirements of both the GDPR and the APP (incorporating the NDB). The outcome of failing to do so could be significant penalties.
To help meet your obligations, we have put together a starting checklist:
The bottom line is that now is the time to take steps to ensure your business meets its obligations for data protection and privacy, both nationally and internationally. Talk to us today about how the APP and GDPR may affect your business and how you can implement measures to mitigate risk.