General Data Protection Regulation (GDPR)
In April 2016, the European Union adopted the General Data Protection Regulation (GDPR), becoming globally enforceable as of 25th May 2018. GDPR replaced the 1995 Data Protection Directive, changing the rules surrounding the protection of personal data pertaining to EU residents.
It is the primary law regulating how companies protect EU citizens’ personal data. GDPR requirements aim to create more consistent protection of consumer and personal data across EU nations, whilst strengthening the rules surrounding the collection and protection of personal data pertaining to EU citizens and residents.
Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data. Non-compliance penalties are significant, with fines of up to €20 million (approximately AUD$30m), or 4% of global turnover (whichever is greater), plus other sanctions including the ability to halt trading in the EU.
As a multi-disciplinary practice made up of risk, data governance, cyber and legal practitioners, we are uniquely placed to help your business navigate, adjust to, and understand the GDPR regulatory environment. Our experienced team includes the complementary skills and expertise of lawyers, consultants, auditors, risk specialists, forensics experts and strategists available to assist entities to turn GDPR compliance into a competitive advantage.
This information is provided as guidance only and for more detailed information please contact CAT today, or visit the excellent resources available through the EU GDPR website here.
What Is GDPR?
GDPR seeks to protect all types of digital data, including Personally Identifiable Information (PII) and to render companies fit for the digital age. New rights granted to EU citizens, such as data portability and erasure, afford individuals greater control over their personal data. The new law mandates stricter accountability measures, including audits, Privacy Impact Assessments, activity records, policy reviews and the appointment of a Data Protection Officer.
As a result, data protection and privacy risks can no longer be assessed from an Australian regulatory standpoint alone. Businesses now need to consider the protection of customer data from a global perspective. The Office of the Australian Information Commissioner (OAIC) has recommended that businesses take steps to evaluate their information handling practices and governance structures, seeking specialist advice where necessary, to implement the necessary changes for GDPR.
If you require any assistance with complying with GDPR, please contact us today and speak with one of our specialists.
Who Does EU GDPR Apply To?
GDPR applies to any business that holds, controls or processes personal data of EU residents. Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. It may also affect your business if you have an EU customer or client which has to meet its own obligations under the GDPR. In that case, your EU customers or clients may require new or updated agreements for the processing of personal information and require that you impose the same obligations on your service providers regardless of their location.
GDPR may also apply directly to your business if it processes the personal information of individuals in the EU, with or without an intervening EU corporate. The requirements are deceptively complicated – consider if you are targeting and marketing goods and services to individuals in the EU, or monitoring and profiling them.
How Does European Legislation Affect Australian Companies?
Australian businesses must take appropriate steps to determine whether they need to comply with GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR.
What makes things complicated for Australian businesses is that Australia has been recognised as not having “adequate privacy laws” by the European Commission. This means that further “appropriate safeguards” have to be taken by organisations that want to transfer information to Australian service providers. If your business sells goods or services directly to customers in the EU and you collect the personal information about individuals in the EU, you will likely be caught by the GDPR.
Key Aspects Of GDPR
Notification: Companies have a 72-hour notification window and must notify EU regulators of breaches where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
Access: Individuals can ask for confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They can also request a copy of the personal data in an electronic format at no cost.
The right to be forgotten: Individuals can ask for any PII about them to be erased and for third-parties that have access to that data to stop using it. In other words, consent to collect and use data can be revoked.
Portability: If an individual receives their data from one entity, they can pass it to another.
Privacy by design: There is now a legal obligation to build systems with privacy as a core design element.
Data protection officers: Entities that collect, store and use PII will need to appoint Data Protection Officers – these can be internal or external personnel – who will manage the processes associated with compliance with the GDPR.
The Questions Board Members Need To Ask
- What is our data footprint in the European Union (EU)?
- Do we hold data about EU customers and employees?
- Do we have visibility of and control over the personal data we collect? How do we use it? With whom do we share it?
- Are we prepared to provide evidence of GDPR compliance to EU or Australian privacy regulators if requested?
- Have we conducted a readiness assessment?
- Do we have a tested breach-response plan that meets GDPR’s 72-hour notification requirement?
- Have we defined a roadmap for GDPR compliance?
If your company requires assistance in navigating the compliance complexities associated with EU GDPR, contact one of our specialists today.