How Europe’s new General Data Protection Regulation may impact your business
From 25 May 2018, the European Parliament’s General Data Protection Regulation (GDPR) comes into effect, superseding the Data Protection Directive adopted in 1995. The impetus for the new regulation – which applies specifically to personal data – is not only the unprecedented growth in data mining since that time, facilitated by the rise of social media platforms; data breaches and hacks have also fuelled understandable concern about the way personal data is stored, collected and used.
The GDPR has many requirements in common with the Australian Privacy Principles (APP) governing personal information as set down under our Privacy Act, but there are also some important distinctions. Therefore, it’s imperative to determine whether your business needs to comply with the GDPR and, if so, to have procedures in place to do so before it takes effect.
Not only does the GDPR protect the personal data of EU citizens for transactions within the 28 EU member states – it also regulates the export of personal data outside the EU. So even if you have no physical business presence there (such as an office or representative), the GDPR applies if your business processes the personal data of EU residents, for example by offering them goods or services (irrespective of whether a payment is required), or if it monitors the behaviour of EU individuals.
As a starting point, if your business is already subject to Australia’s Privacy Act personal information regulations (ie it is an “APP entity”), then you will likely also need to comply with the GDPR. Given the similarities between the new European regulations and our own, your business will already have some of the necessary measures in place.
Additionally, the Office of the Australian Information Commissioner recommends that, where additional measures are necessary and not inconsistent with Australia’s Privacy Act, businesses consider rolling these out across their Australian operations – as enhanced privacy practices may generate improved customer trust.
As with any such regulations, it’s the definitions and possible interpretations which need to be carefully considered. The GDPR’s definition of ‘personal data’ is a broad one, encompassing not just basic information like names, addresses, IP addresses and stored cookies. It also provides additional protections for ‘special categories’ of personal data, including not only genetic and biometric data but also information such as sexual orientation and racial and political profiling.
The accountability and data governance obligations as set out in the GDPR are similar to those of Australian Privacy Principle 1.2. But the GDPR goes further in specifying and defining organisational roles responsible for ensuring compliance. It states, for example, that data controllers within an organisation must in certain circumstances appoint data protection officers (DPOs) to monitor and advise on compliance with the GDPR as well as with internal privacy policies and procedures – there is no such obligation under our Privacy Act. Data controllers must also undertake a compulsory data protection impact assessment in certain instances.
Importantly, the GDPR places liability for data breaches not only on the company or business which owns the data, but also on outside organisations which manage and/or store it, such as third party data processors or cloud providers. This means that your business is responsible for making sure that any outside contractors you use are also operating according to the regulations. These responsibilities will need to be written into your supplier contracts, as all parties need to ensure compliance – so you should make sure you are aware of the extent to which the GDPR specifies clauses which must be included.
The regulations also specify that customers must be informed of their rights under the GDPR, which means all client contracts and conditions of use will need to include the relevant disclosures.
And they encompass a new definition of what constitutes ‘consent’ to the processing of personal data – such that the individual is not deemed to have given consent if they have no free choice or are unable to refuse or withdraw consent at any time. Businesses will also need to make the withdrawal of consent as easy as the giving of consent, and inform individuals of this right to withdraw consent. Specific requirements also apply in relation to the consent of children below 16 years.
There is also a range of enhanced rights for individuals – including the right to erasure, which encompasses the ‘right to be forgotten’ (giving individuals the right to require data controllers to delete their data in certain circumstances); the right to data portability; and a right to obtain restriction of data processing in certain circumstances. These are in some cases similar, but not equivalent, to provisions under Australia’s Privacy Act.
In order to ensure that your business complies with the GDPR, your IT department and data governance team will need to take a fresh look at how data is managed and protected, and ensure there are clear reporting pathways in place. You’ll need to examine your data flows and management processes – and identify any high-risk areas which need better procedures and processes.
You’ll also need to define obligations and responsibilities for all relevant parties, including your third party suppliers – so that in the event of a data breach, there’s a clear procedure in place for how to respond. The GDPR specifies a 72-hour window for reporting a breach, and the EU has a track record of harsh fines for regulatory non-compliance.
While businesses in recent years have become used to thinking of data as a digital asset, these new regulations underscore that times are changing – that there are also liabilities inherent in data management and storage, and increasingly these will have to be recognised and mitigated.
A comprehensive overview document for Australian businesses, Privacy Business Resource 21: Australian Businesses and the EU General Data Protection Regulation, is available to download from the Office of the Australian Information Commissioner, and you can also find information on the European Commission’s website.