From the Facebook data breaches to 20 million lost CBA customer records, widespread data abuse has sparked the need for reform.
The EU’s General Data Protection Regulation (“GDPR”) which sets out new accountability and governance requirements around data privacy standards. Effective from 25 May 2018, the GDPR covers the protection of personal data of EU individuals including the processing and free movement of their data.
Australian businesses with an office in the EU will need to comply with the GDPR, as will businesses who process data of EU customers, track EU users’ profiles, or target EU customers. The GDPR applies regardless of whether data is processed in the EU or in Australia.
Nigel Phair, managing director of the Centre for Internet Safety at the University of Canberra, says that Australian businesses – regardless of size – need to comply if they operate within the EU, i.e. if they sell goods or services in the EU or monitor the behaviour of individuals in the EU.
“The GDPR takes into account consumer behaviour in the digital world. It improves protection for EU citizens and clarifies how organisations must safeguard these rights,” says Phair.
Phair adds that the GDPR also gives individuals the 'right to be forgotten'.
“It means people can apply to a search engine operator and have a list of URLs removed which may contain information about them upon an internet search.”
In preparation for the introduction of GDPR, Phair says that company directors will need to ensure their businesses are transparent in the way they collect, collate, process and use personally identifying data.
“Directors should ensure a privacy impact assessment is completed, just like they should ensure this is done for any Australian-based entity,” says Phair.
“Essentially, when creating a new product or service, directors should take into account an individual’s right to data protection and look closely at their business processes to minimise the amount of processing of personally identifying data.”
Phair says there are many similarities between Australian Privacy Principles and the GDPR.
“If you're governing an organisation which abides by the Australian Privacy Principles [Australian Privacy Act 1988 (Cth)] – for example, an organisation with greater than $3 million turnover and you are fully compliant – preparation for GDPR compliance will be quite easy,” says Phair.
“Both are focused on more carrot than stick and include a set of privacy principles which encourage organisations to be transparent with customers on how they handle personally identifying information.”
Phair warns directors that the GDPR is more detailed than current EU legislation and that the EU takes consumer privacy far more seriously than Australia.
“Europe has a better culture of protecting personally identifying information than Australia. They have much larger fines, €20 million or four per cent of global revenue versus about $1.8m,” says Phair.
The GDPR also gives organisations 72 hours to notify the relevant authorities and affected consumers in the event of a data breach, compared with the Australian regulator which has indicated a period of 30 days is desirable (though not binding).
Phair believes compliance of the GDPR will require not only adjustments to organisational policy and procedures, but also to corporate culture.
“Businesses are the custodians of information; they need the utmost care to protect it. Simply put, it is good business practice.”
For further information on the GDPR go to: