If your business handles personal data, then forthcoming EU regulations may affect you

Within the world of compliance, one of the biggest challenges people face is transparency. The issue is amplified in the digital economy, where the spread of digital technologies has made consumer data readily accessible.

As data becomes the new currency, how companies manage, secure and share data is fast becoming a determining factor in strengthening customer loyalty. Companies that choose not to be open about their data sharing practices may face hefty penalties when the EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.

The GDPR is a win for transparent practices and will give individuals in the EU, whatever their nationality, more control over their personal data in a climate that still operates largely under frameworks developed before widespread digitisation.

Whilst these protections aren’t directly in place for Australians, the GDPR has the potential to foster a culture of transparency and responsibility in the use of consumers’ personal data, which will benefit consumers globally.

For Australian businesses, understanding what the GDPR requires will help them remain compliant and avoid penalties. By remaining compliant, businesses can help protect valuable personal and business information, deliver on their compliance responsibilities and support the rule of law. Below are some key areas Australian businesses need to be aware of.

What is the GDPR and how will it affect Australian businesses?

The new regulation comes into effect on 25 May 2018 and applies in all EU member states and to any organisation, wherever it is based, that offers goods or services to, or monitors the behaviour of, individuals in the EU. The goal of the regulation is to enhance the data protection rights of people in the EU and to aid the free flow of data across a single digital market.

In clear terms, the regulation applies to any company globally that processes or holds the personal data of individuals residing in the EU, and it binds both controllers and processors, meaning that cloud providers and other outsourced service providers are not exempt.

Financial penalties for not complying with the GDPR can be up to €20 million or 4% of annual global turnover, whichever is greater, and can be imposed for breaches such as not having valid consent from individuals to process their data or failing to notify the supervisory data protection authority (DPA) of a personal data breach within 72 hours of becoming aware of it.

Gartner has predicted that by the end of 2018 more than 50% of companies affected by the GDPR will not be in full compliance. It is therefore worth Australian businesses considering now what they must do to ensure that they are compliant.

What do businesses need to do?

A key component of the framework is the strengthening of the conditions for consent. Rather than relying on lengthy, unintelligible terms and conditions, requests for consent to use personal data must be written in clear, plain language and presented in an easily accessible form. Companies must also make it as easy for individuals to withdraw consent as it is to give it.

The EUGDPR website also makes it clear that Data Protection Officers must be appointed ‘in the case of (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data.’

Here’s what else Gartner says must be done:

  • ‘Organisations should appoint a representative to act as a contact point for the data protection authority (DPA) and data subjects.’
  • Organisations must identify every single process where personal data is involved in order to be accountable. ‘Going forward, purpose limitation, data quality and data relevance should be decided on when starting a new processing activity.’
  • Due to consent requirements, organisations must implement streamlined processes in order to obtain and document consent for use of data and withdrawal of consent.
  • If transferring data outside of the EU, ‘appropriate safeguards such as Binding Corporate Rules (BCRs) and standard contractual clauses (i.e., EU “Model Contracts”) should be used.’
  • ‘Outside of the EU, organisations processing personal data on EU residents should select the appropriate mechanism to ensure compliance with the GDPR.’

Whilst compliance will come at a cost for Australian businesses, the regulation has the potential to start a cultural shift towards transparency in the ownership and use of personal information, and to discourage data transfers conducted under frameworks with blurred ethical and legal boundaries.

About the author

Myfanwy Wallwork is Executive Director for Regulatory Compliance at LexisNexis Pacific, a global provider of legal, government and corporate information solutions.