As of May 2018, the European Union’s laws regarding data protection and regulation have changed. Even though the laws don’t strictly cover Australian businesses and trading, it’s still worth understanding what’s going on, and vital if your business trades with those within the European Union. Depending on how, where and with whom your business operates, you may need to be compliant anyway.
To help break this elaborate enforcement down, we’ve covered the major questions most business owners have about the GDPR.
The information in this article has also been provided to guide businesses, and help break down the complexities of the legislation. However, it’s recommended that any business affected by the GDPR take the time to understand the specifics of the relevant articles.
What is the GDPR?
Essentially, the GDPR is the European Union General Data Protection Regulation. The changes were introduced to clear up some of the ambiguity in previous legislation regarding data protection.
The changes will apply to any Australian businesses that:
- Have a location within the European Union (EU)
- Offer goods or services to, or monitor the behaviour of, people within the EU.
The GDPR specifically applies to information that concerns an individual person – which does create some overlap with the Australian Privacy Act. Our current law (section 6(1) of the Privacy Act) already governs the use and protection of ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.
Australian businesses that hold (or access) information concerning European individuals will need to adhere to the Australian Privacy Act AND the GDPR.
According to the Office of the Australian Information Commissioner in the Australian Government, there are 3 main aspects of the GDPR that define an infringement subject to the maximum penalty:
- Not adhering to the data processing principles in Articles 5, 6, 7, and 9
- Not adhering to the data subjects’ rights under Articles 12 to 22
- Not adhering to the requirements relating to the transfer of personal data to a recipient in a third country or an international organisation, under Articles 44 to 49.
Data processing principles
The key themes of these articles are that you must ensure your business:
- Processes personal data under the correct principles by:
  - Minimising the processing of data
  - Pseudonymising data as soon as possible
  - Making the functions and processing of any personal data transparent
- Allows participants to provide adequate consent (silence, pre-ticked boxes or inactivity are definitely NOT considered adequate consent)
- Applies the added protections to the ‘special categories’ of personal data, such as:
  - Race or ethnicity
  - Political or religious beliefs and opinions
  - Identifiable biometric data
  - Health or other data concerning a person’s sexual activity or orientation.
The GDPR clearly lays out what data is considered ‘personal’, and what data is further categorised as within a ‘special category’.
The rights of the subject have been enhanced in the changes. Any controller of personal data must:
- Give individuals the ‘right to be forgotten’ (if they wish to have their data deleted, it must be)
- Delete any data relating to an individual that is no longer necessary for the exact purpose it was collected for
- Provide individuals with the details of how their information will be used in clear, concise, easily accessible, and plain language
- Ensure that if an individual’s data must be destroyed, any copies, replications, or links to the data are completely destroyed too.
Transfer of personal data
The basic thrust of articles 44 through 49 is that any data transferred overseas must go to nations with adequate levels of protection. If the adequacy of a nation’s information protection isn’t clearly defined, an individual can give explicit consent for their data to be shared – making the transfer legal.
What are the penalties of not being GDPR-compliant?
In a word: severe.
The GDPR sets the fine for a breach of the major aspects listed above at €20 million, or 4% of annual worldwide turnover – whichever is higher.
How does the GDPR differ from the Australian Privacy Act (APA)?
The APA also has sections that compare closely to the articles of the GDPR discussed above. However, the key differences are:
- Jurisdiction – The APA applies to businesses incorporated in Australia, or those that ‘carry on a business’ in Australia, and collect personal information from Australia (or hold personal information within Australia). This act also doesn’t necessarily apply to businesses with an annual turnover under $3 million – but it may in certain circumstances.
- Reporting data breaches – Within the APA, reporting is only mandatory for breaches where a serious risk of harm is likely. Within the GDPR, data controllers must formally report any data breach.
- Individual rights – The GDPR makes data destruction clear; however, the APA doesn’t clearly specify the rights of the individual. The APA only specifies that data that is no longer needed for a permitted purpose is destroyed or de-identified.
What do I need to do to be compliant?
Some businesses may have to adapt their practices to become compliant with the GDPR – but if your business has operated legally under the Australian Privacy Act, these changes shouldn’t be drastic. The biggest consideration will be the fines for any data leaks or breaches, which start at €20 million.
For peace of mind, make sure any personal information you hold is destroyed with complete certainty. Shred-X hold NAID AAA certification, internationally the highest certification in the industry.
To find out how Shred-X can help your business comply with the GDPR, chat to a member of our team today.