On May 25th, new data laws will be coming into force across the EU with the purpose of giving people more control over their data. The General Data Protection Regulation (GDPR) addresses the issues surrounding the export of personal information outside of Europe. In this post, we discuss what this means for Australian businesses and what you need to do to get your house in order.
The purpose of this new regulation is to boost the digital economy in Europe through the harmonisation of the regulatory scope for businesses that trade internationally. It is also going to provide individuals with more control over their personal information.
If this is an EU Law, why does it affect businesses in Australia?
First of all, while this is not a new law outside of the EU, it is an EU regulation. This means that it does not need our national government to pass any legislation for it to become applicable and binding. So, for those of you who thought it would only affect businesses and individuals in the EU, that is not accurate. If your business processes information for citizens or companies within the EU, whether you have an office there or not, you need to make sure that you are compliant.
The penalties for those who do not comply could be anything up to 4% of your worldwide turnover or 20 million Euros, whichever is greater.
Who Does This Apply To?
If you aren’t sure whether GDPR applies to you, then read on to find out exactly what businesses the GDPR will impact.
GDPR applies to organisations in Australia that:
• Are incorporated or established within the EU.
• Are not established within the European Union but offer services or goods to individuals based in the EU, whether these are free or paid services.
• Accept payment in Euros.
• Are not established within the European Union, but watch, oversee or monitor the behaviour of EU residents.
Practical examples for online businesses in Australia would be:
• Delivering products anywhere within the EU.
• Handling the personal data of an individual located in the EU.
• Giving advice to Australians who are located in the EU.
• Selling a device or app that monitors the actions of any individual within the EU.
It is for these reasons that we know there are many businesses in Australia who need to take action and ensure they are compliant with this new legislation.
What Are Your Obligations?
This new regulation puts several obligatory requirements into force for those who control and process data. In the specific policy, these individual roles are defined as Data Controllers and Data Processors.
• A Data Controller is an organisation that decides how information will be used or processed.
• A Data Processor is an organisation that is tasked with processing the information on the controller’s behalf.
There are many different principles that need to be complied with. To make it easy to understand what practical actions you can take, each of the principles is associated with an example of a typical action that would fulfil your obligatory requirements.

| Principle | Description | Typical Action You Can Take to Fulfil Obligations |
|---|---|---|
| 1 | Use the personal data for legitimate purposes only. | Only use the information you obtain for the original intended purpose. |
| 2 | Process information in a manner that is fair, lawful, and transparent. | Tell people how you will use their information. |
| 3 | Limit the use of the data to only what is necessary. | Do not ask for data that you do not need. |
| 4 | Process the information in a way that retains its accuracy. | When information is outdated, correct it to ensure it is accurate. |
| 5 | Do not store the information for any longer than is required. | Delete or remove information when you no longer have a need for it. |
Transfer of Information and Disclosure
From time to time, you may need to disclose personal information to a third party. This isn’t always about selling on data; it could be something as simple as giving information to a marketing company or even your accountant. In these instances, you are only allowed to provide the data required for their specific purpose. The other party must also sign a confidentiality agreement.
If this third party discloses the information and breaches GDPR, then your business could still be liable for this. To avoid such an issue, you need to be able to clearly demonstrate that you investigated the data protection capabilities of the third party.
Data Protection Officer
If your organisation undertakes systematic or frequent monitoring on a large scale, you would be required to appoint a designated data protection officer. This could apply to online retailers with large global marketing capacities. This person would need to be available as a point of contact for any requests that could be made by a GDPR supervisory authority.
Organisations need to clearly request consent to either process or control personal information. The request must be made clearly and via a form that is easy to access. Companies are also required to:
• Make separate requests for every collection
• Make it easy to remove consent
• Send a ‘just-in-time’ notification prior to data collection or processing
These specific points will mean that many businesses will need to review their processes and perhaps the communications software that they use.
If your organisation collects personal information, the individual has a right to obtain and request copies of that information. They can also request that you delete information or even dictate that a restriction is placed on how their information can be used.
If an individual makes such a request, your obligations are to:
• Provide details about the length of time you intend to store their information
• Provide copies of all data held, and an explanation as to how you use that data
• Provide information about who that data is shared with
If you are asked to erase data, then unless you no longer need that information, you will need to comply with such a request in a timely manner.
If a personal data breach occurs, then you are required to inform a supervisory authority. The data breach is only considered to be of importance if the rights of the individuals involved are at risk. For example, if you lose a list of names, this would be fine as no negative effects could come from such an action. However, if payment card information was compromised, this would be classified as an instance where the rights of those individuals would be affected. Notifications must be made within 72 hours, so having these contacts ready in advance would be prudent.
While this is solely an EU regulation, for now, it is thought that other nations will likely be influenced by this. By achieving compliance with GDPR standards now, you are putting yourself in a stronger position to be compliant with any other future regulatory changes of this nature. This is also a reassuring confirmation to customers that you value their privacy and go above and beyond the call of duty to ensure their information is secure and protected at all times.
For further reading or information on GDPR, you can visit the OAIC Guidance or the UK’s ICO GDPR website. As a final note, as you are preparing your business for GDPR, as per your obligations from 25th May, you need to ensure that anyone you work with who accesses or processes data for your business is also GDPR compliant.
In the dynamic world of eCommerce, IT capability can outstrip a retailer’s ability to maximise the effectiveness of the tools they own or are about to select. Playhouse commercialises the eCommerce proposition for its clients and manages their digital journey in four key areas: Strategy, Design, Mentoring, and Implementation.