The GDPR: The new data protection requirement impacting Australian organisations in 2018
Significant new data protection requirements come into force in May 2018 that will affect Australian organisations. They are set out in the European Union General Data Protection Regulation, or GDPR.
What is the GDPR?
The GDPR contains new data protection requirements that apply from 25 May 2018. Although it is an EU regulation, its reach extends beyond the EU, and it will affect many Australian businesses, educational institutions and Government agencies.
Although the GDPR and the Australian Privacy Act 1988 share many requirements, there are notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) that have no equivalent under the Privacy Act.
Under the GDPR, any business that processes its customers’ or clients’ personal data will need to document all the personal data it holds and where it is stored, map its data processing activities, and be able to demonstrate a lawful basis for each processing activity. The GDPR also requires ongoing review of security controls and a defined process for managing breaches.
Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before its commencement.
EU supervisory authorities can pursue enforcement action, fines and sanctions against organisations outside the EU. Business insurance policies may also contain compliance clauses, so non-compliance can affect coverage and claims.
Who does it affect?
The GDPR will affect all Australian businesses that offer goods or services to individuals in the EU, whether the goods or services are provided in the EU or in Australia. The OAIC provides the following examples of Australian businesses that might be covered by the GDPR:
- an Australian business with an office in the EU
- an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
- an Australian business whose website mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
What will happen if an organisation does not comply?
Failure to meet GDPR requirements can lead to fines of up to €20 million or 4 per cent of the organisation’s worldwide annual turnover for the preceding financial year, whichever is greater.
What do organisations need to do to prepare?
- Create a data register and an inventory of all IT systems, networks and devices that store or process personal data, including on-premises and cloud environments and employee BYOD (the organisation remains responsible, and exposed to regulatory fines, for personal data its employees process or store on unapproved devices).
- Undertake a Data Protection Impact Assessment (DPIA) to identify weaknesses. Not all of these are technical; many arise from human error or intent, or from poor business processes and policies. DPIAs are mandated under Article 35 of the GDPR for processing that is likely to be high risk, and assess whether the processing falls within the scope of the GDPR, the level of risk, and the measures needed to address that risk.
- Develop and implement a procedure for regularly testing, assessing and evaluating the effectiveness of security controls, as required by Article 32. This is expected to be a regular, repeated process, not a one-off exercise.
- Implement threat detection controls so that a breach is identified quickly. This includes processes to monitor network and user behaviour in order to identify inappropriate data access from within the organisation. The GDPR requires organisations to notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 introduces a similar obligation in Australia. Organisations covered by the Privacy Act that suffer an eligible data breach (one likely to result in serious harm to affected individuals) must notify the Australian Information Commissioner and the affected individuals as soon as practicable after becoming aware of it. The notification must include a description of the breach, the kinds of information involved, and the steps individuals should take in response.
- Develop an incident response plan and a communication plan so that all relevant parties can be notified of the breach and of the actions being taken.
Data Protection Impact Assessments (DPIA)
If the GDPR applies to your organisation, it will be mandatory to undertake a DPIA each time you plan to introduce any new or enhanced technology, project, activity or process that is likely to result in a "high risk" to the data protection rights of individuals (whether customers or employees).
Guidelines published by the Article 29 Data Protection Working Party ("the Guidelines") indicate that if the proposed system or activity involves two or more of the following, it is likely to result in a "high risk":
- Evaluation or scoring, including profiling (eg screening individuals against credit reference data, use of website navigation data to create behavioural or marketing profiles)
- Automated decision-making which could lead to exclusion or discrimination of individuals
- Systematic monitoring of individuals (eg CCTV monitoring)
- Processing sensitive data (for example in relation to health, religious or political beliefs or trade union activities)
- Processing data on a large scale (for example, any datasets that involve a large number of individuals, a large volume of data, long term data collection, or wide geographical coverage)
- Matching or combining datasets that were collected for different purposes or by different organisations
- Processing data concerning vulnerable individuals
- Innovative use or application of technological or organisational solutions (eg fingerprint and facial recognition software for access control, IoT)
- When the processing in itself "prevents data subjects from exercising a right or using a service or a contract" (for example, a bank screening customers against a credit reference database to determine whether to approve a loan).
Doll Martin Associates have extensive experience in Data Protection Impact Assessments and can assist you in identifying if your organisation will be impacted by the GDPR, and if so, preparing for it.
Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, October 2017