The Lowdown on the GDPR
Does it apply to me?
Coming into effect on Friday, 25 May 2018, the European General Data Protection Regulation, aka the GDPR, is the new privacy kid on the block in the EU. It is the most extensive and far-reaching privacy protection legislation for individuals who live in the EU, but don’t be fooled – although it is European legislation, its reach is far broader than the European Union. You may have noticed that you are receiving emails from your various service providers and software and app developers, who may or may not be in the EU, seeking express consent from you to continue to market their product or service to you. This is because if you evidence an intention to market your goods or services (free or paid) to any resident in the European Union – you will need to comply with the GDPR. This intention might be demonstrated by a variety of factors, such as:
listing your product pricing in Euros
using any European language; or even
having testimonials from European residents on your website
Importantly, the GDPR differs from the Australian Privacy Act in that there are no turnover thresholds or activity-related thresholds… If you offer goods or services in the EU, regardless of the size of your business, you will need to comply with the GDPR.
So how is it different to the Australian Privacy Act?
Both the Australian Privacy Act and the GDPR place significant focus on consent, transparency and accountability for personal information. Under both regimes, an individual has the right to access their information and have it de-identified or corrected. Under the GDPR, however, the rights go further:
individuals have the right to have their data completely erased or destroyed
the right to restrict processing; and
the right to request their data file or records in a portable format.
Rights under the GDPR also extend to employees within the EU, including employment records, performance management, health and any other relevant personal information recorded. The GDPR requires businesses to obtain active consent from users to collect any personal data, including websites, cookies or simply email addresses. This consent request must be clearly written using plain language. Businesses are also required to have a legitimate purpose for collecting personal information i.e. they must collect information in order to fulfil a contract with the individual. The collection of personal data without a legal and legitimate purpose is an offence.
How do I comply?
If you are already an Australian Privacy Principle Entity under the Australian Privacy Act, then you have a good head start! If you market your products or services in the EU, you must:
Have a Privacy Policy in place that is compliant with GDPR.
Have a clearly visible and plainly written privacy notice and consent button on your website every time you collect information to collect or process personal information.
Have undertaken a review of your data processing activities and record types of data and the legal purpose for the collection.
Ensure your IT systems and technology are appropriately secure, having regard to the type and sensitivity of Personal Information you collect. This may mean utilising encryption services, two-factor authentication, and emergency backup systems if necessary.
Make sure you have processes in place to efficiently and appropriately respond to any request by an individual for access to their Personal Information, including the capacity to provide them with their data in a portable format or file.
You must have a Data Breach Notification process so that you can quickly and effectively mitigate any loss caused by a Data Breach. You will have 72 hours from when you become aware of a breach to notify affected individuals and the relevant EU authority.
If another entity processes the Personal Information of EU residents on your behalf, you are deemed a Data Controller under the GDPR and are ultimately responsible for the processes of that entity. You should be requesting a Data Processing Agreement to ensure they are compliant with the GDPR! Similarly, if you process the Personal Information of EU residents on behalf of another entity, you must have a Data Processing Agreement in place.
What should I do now?
These changes are significant in the privacy protection evolution and cannot be ignored. To know more about how these changes might specifically impact your business – you can get in touch with us through this link. You can read the Office of the Australian Information Commissioner’s guidance on the changes for Australian businesses here.