European Union General Data Protection Regulation (GDPR)

Overview for Australian Business Leaders

by Paul Green, Senior Information Security Consultant, Business Aspect

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is one of the biggest changes to data privacy regulation.  It took four years to prepare and debate before it was finally approved by the European Parliament on the 14th April 2016. This legislation is a game changer and will come into force on 25th May 2018.

Some organisations guess EU implies it only impacts European companies and inadvertently dismiss the new regulations. Many other organisations have no idea that the new regulations will affect their business.

So let’s outline what the GDPR is and how it will affect many Australian businesses.

What is the GDPR?

The GDPR goes further than any other data privacy law, defining privacy data as a greater attribute set than any other privacy law, as well as including fundamental European privacy concepts.  It also applies to all personal information, including employee and customer data that is collected from anybody within the European Union, including temporary residents.

The GDPR introduces new concepts to data privacy, and most notably the following:

  • Explicit and unambiguous consent
    Organisations will no longer be able to use long and complicated terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible format.  The purpose for collecting and using the personal information must be clear and it must be unambiguous. Organisations must provide an easy way for an individual to withdraw consent.
  • Easier access to your own data
    Organisations will be required to provide individuals access to any retained personal data.  The organisation must also provide a way for the individual to easily update their information and be able to review and update how the organisation is authorised to use their information.
  • Data portability
    A new concept of data portability is also written into the regulation which would enable an individual to export their personal data so that they can import it to another provider.  The objective of this concept is to make it easier for individuals to move from one provider to another.  Organisations must provide a simple and understandable way to export their personal information from the organisations systems.
  • A right to be forgotten
    Organisations holding personal data will be required to provide individuals with a way to delete their personal information.  This mechanism will be used when an individual no longer wants their data to be processed. As long as there are no legitimate grounds for organisational retention the data will be required to be deleted.  This right does not overrule other regulations and laws and if there is a legitimate reason for retaining the information then the organisation can retain it for those legitimate processing reasons and retention limits only.
  • The right to know when personal information has been compromised
    Organisations must notify the national supervisory authority of serious data breaches as soon as possible (within 72 hours).  They must also notify the individuals whose information may have been compromised as soon as is possible.
  • Data protection first, not an afterthought
    Organisations must be able to demonstrate that they have implemented appropriate information security protections.  The objective of this part of the regulation is to encourage ‘Data protection by design’ and that data protection safeguards should be built into products and services from the earliest stage of development.

The GDPR also introduces some new data protection stewardship terms:

  • A ‘data controller’ is the organisation that determines the purposes, conditions and means of processing personal information.
  • An organisation can have partners or service providers that perform the processing of the personal information.  These organisations are referred to as the ‘data processor’.
  • A new data role, Data Protection Officer (DPO) must be appointed in the case of:
    a) Public authorities,
    b) Organisations that engage in large scale systematic monitoring, or
    c) Organisations that engage in large scale processing of sensitive personal information.

The DPO must be an employee of the organisation and report directly to the board. This role is responsible for maintaining records, policies and procedures relating to personal information protection; as well as reporting to the Data Protection Authority. If your organisation is not in one of these categories, then there may be no need to appoint a DPO.

Regulation versus Directive

The GDPR replaces the European Data Protection Directive (95/46/EC).  The main difference between a European Regulation and a European Directive is:

  • Previously, the European Union Directive was interpreted into law by each member state resulting in many differing laws tailored per jurisdiction.  Organisations would attempt to find the friendliest jurisdiction to base their organisation and of course international organisations not based within the European Union were not subject to any of the laws.
  • Now there is a Regulation - a single law implemented across all European Union states almost identically.  Therefore, the GDPR as a Regulation harmonises data privacy laws across the European Union.
Why do Australian companies have to adhere to European Union laws?

The GDPR applies extraterritorially, and therefore any organisation (including local, state and Commonwealth government agencies) working with information relating to a living person located within the European Union, when the data is collected, will be required to comply with the stipulations of the regulation.  This effectively makes it the first global data protection law and protects the rights of European Union residents world-wide.

Privacy data is further defined within the directive and includes every manner of HR data, consumer data and business contact information; as well as behavioural information including website visitors’ data (logged in house or stored remotely, e.g. cookies) and IT network traffic and communications logs; and any potentially identifiable information even collected from publicly available sources.

Unlike the Australian Data Privacy Act, the EU Regulation applies to every organisation that collects, processes or stores privacy data of persons residing within the European Union.  The regulation requires that an organisation can demonstrate that they have structured their business processes and ICT systems so as to provide appropriate protections for the privacy data as well as the other aspects of the regulation such as “Right to be forgotten”.  It is also a requirement of the regulation that any data breach is notified to the appropriate Data Protection Authority within 72 hours of the breach being detected.  This is a much smaller timeframe than the 30 days required under the Australian Data Breach Notification laws.

When and how will it be enforced?

The regulation needs to be implemented by each member state, and it will come into force across the European Union on the 25th May 2018.Any organisation found to be in breach of the regulation after this date could be subject to fines, which are currently up to €20m or 4% of global turnover, whichever is the greater.  Failure to comply will be further enforced by preventing the organisation from accessing the European Union market, and the exclusions will be coordinated across the European Union.

Fines will apply when an organisation is deemed to have not put the appropriate protections in place.  If the organisation suffers a breach because of the lack of sufficient protections, then they will be sanctioned, not because of the breach, but because of the failure to implement adequate security measures.

If the organisation has a breach but can demonstrate good information security practices, and it is reported within the 72 hour period, then it is likely that they will not be sanctioned. However if an organisation suffers a breach and it is not reported within the 72 hour period, then this could be seen as a deliberate decision not to comply, and is likely to be met with the harshest of penalties.

What should I be doing to prepare for the introduction?
  • Make sure you can identify all of the data that your organisation collects and retains that is classed as personal information from persons residing within the European Union.  Remember that under the EU regulation this includes employee data, business data and customer data.
  • Ensure that you have processes and supporting ICT systems to implement the additional rights of the individual, right to be forgotten, access to personal information and export of personal information.
  • Review your current consent process and text to ensure that it supports the GDPR consent requirements.  Also, ensure that you have a process to allow an individual to revoke their consent.
  • Ensure that you have processes in place for how to identify and report a breach of personal information.
  • Ensure that your employees understand that there is an obligation to report suspected breaches in a timely manner.
  • Have a Data Breach plan in place. This plan should document how to review a suspected breach and determine what has been breached. It should include who internally needs to be notified, and processes to contain the breach, where available. Remember that forensics measures may be required. The plan must also identify who is responsible for notifying the EU Data Protection Authority (and also if applicable the OAIC) of the breach.

When it comes to data privacy, prevention is a priority. Understanding the European Union regulation and how it affects your business will assist you in minimising the risks. To discuss the practical application of new security plans and processes within your own organisation talk to Business Aspect about a privacy compliance assessment: risk@businessaspect.com.au