How - and why - to be GDPR compliant

Rene LeMerle, Head of Marketing at Bonfire Digital, considers the implications of the European Union's recently enacted General Data Protection Regulation for Australian businesses.

In case you've been sleeping under a digital rock, or missed the onerous number of privacy policy update emails in your inbox, the General Data Protection Regulation (GDPR) has taken effect.

The GDPR?

As of May 25, the European Union's (EU) General Data Protection Regulation came into effect. In simple terms, it aims to protect EU citizens from breaches of their privacy and personal data.

"We live in Australia, so what's the big deal?" you may be asking yourself.

Well, it's not just confined to the EU - plenty of Australian businesses are directly affected by the new regulations. And in case you were thinking the jurisdiction of the new laws doesn't extend to Australia, you'd be sadly mistaken. If that's not enough to capture your attention, perhaps non-compliance fines of $30 million or 4% of global revenue might.
Now that we've established that Australian businesses should be paying close attention, especially since the regulations are already in effect, who does it impact, and what needs to be done?

According to "Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation" put out by the Office of the Australian Information Commissioner (OAIC), it affects businesses that:
  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU but offer goods and services or monitor the behaviour of individuals in the EU.
It's now abundantly clear that the GDPR has a significant impact on Australian businesses. To clarify the level of impact further, the OAIC Resource 21 details that businesses covered by the GDPR include:
  • an Australian business with an office in the EU;
  • an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros;
  • an Australian business whose website mentions customers or users in the EU;
  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
So what do Australian businesses need to do to be GDPR compliant?

Well, this is just some basic guidance and should not be taken as legal advice. It is highly advised that you do your own due diligence. I'm a marketer, not a lawyer, after all. But the following will give you some pointers.

It's important to note that compliance with the Australian Privacy Law alone is far from sufficient.

Whilst both the GDPR and Australian Privacy Law cover off broad concepts like use for specified purpose, security of data and transparency, the GDPR specifically states that you MUST have a valid lawful basis to collect, possess and store personal data.

In doing so, it introduces the concepts of "Controllers" and "Processors".

Controllers are the entities that decide why personal data is collected and processed, irrespective of whether they do the processing themselves or outsource it to a "processor". Accordingly, they are responsible for it being processed in accordance with the GDPR.

Processors only process personal information on behalf of Controllers and have more limited regulations than Controllers.

The GDPR outlines six lawful bases for collecting, possessing and storing personal data as follows (source: fenergo):

  1. The data subject has given consent to the processing of his/her personal data for one or more specific purposes.
  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  3. Processing is necessary for compliance with a legal obligation to which the controller is subject.
  4. Processing is necessary in order to protect the vital interests of the data subject.
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
With this in mind, how do you ensure compliance?

Well, that's a minefield that requires much deeper consideration and potentially professional consultation. In broad terms, consider the following:

Consent: Controllers must gain consent from an individual to process their personal data. And importantly, consent must be requested, not assumed or automatically opted in.

Data Protection Officers: Where large-scale processing of personal information occurs, organisations should appoint a data protection officer to monitor and advise on compliance.

Access and Deletion: An individual has the right to request and obtain their personal data, and to have it deleted, at their discretion. Organisations are required under the GDPR to comply.

Disclosure and Data Portability: In instances where sharing and disclosure of personal information with third parties is required to assist with service/product provision or marketing, only the necessary data may be transferred, and its confidentiality must be ensured.

Communication of Privacy Policy Changes: Where an organisation's Privacy Policy has been updated, such changes must be communicated to customers and impacted individuals.

Data Breaches: In situations where data breaches have occurred, organisations are required to inform the relevant supervisory authority within 72 hours of the breach.

So there's quite a lot to digest for Australian businesses to ensure they're GDPR compliant. While there's a plethora of resources online to assist with the process, it's highly recommended that businesses seek the appropriate legal and professional advice to ensure they adhere to the regulations appropriately.
