The scope of the General Data Protection Regulation (GDPR) is broad, and Australian businesses can be caught by surprise. Here’s what it means for Australian businesses and how you can prepare for it.
The General Data Protection Regulation (GDPR) is a regulation introduced in the European Union (EU) that has been enforceable since 25 May 2018. GDPR mainly addresses how companies should capture, process and store user information, and gives users more rights to control the use of their personal data. Though it is an EU law, it has a global impact.
The new law replaces the Data Protection Directive, a set of guidelines introduced in 1995. Unlike that directive, which companies could choose whether or not to follow, the new regulation is a law that companies must follow. Failure to comply can result in significant fines.
What is GDPR?
Every aspect of our lives revolves around data. Our personal information, such as name, address, age, behaviour, credit card numbers and bank accounts, is all being stored by organisations. The reforms are essential in today’s world, where data breaches and analysis of personal data are so common. Data breaches such as information theft can happen at any time, and the stolen data is exploited by people with malicious intent.
Under the GDPR, consumers must explicitly give consent before companies collect their personal data. The company must inform users how the data is being used and why it is being collected. Companies need to gather personal data legally and store it securely. Individuals can also withdraw their consent or exercise their right to be forgotten, in which case the company must delete that user's personal data. The regulation aims to protect consumers from exploitation and to prevent misuse of personal data. Further, under GDPR, users may request a copy of the data a company has collected about them.
How does GDPR apply to Australian organisations?
So it’s a European law. How does it affect Australia? This is where it can impact people who are building apps, software and other Internet-based businesses. Though the law is European, if you have customers who are EU residents, you still need to abide by its rules and regulations. This applies to Australian-based companies as well.
As per the Australian Government, GDPR can affect your products or services:
- if you have an establishment in the EU, OR
- if you offer goods or services to EU residents, OR
- if you monitor the behaviour of individuals in the EU.
Most internet and digital products these days capture a reasonable amount of customer data, and sometimes this data is processed to gather much more intelligence for marketing activities. So, if your app, product or service is capturing customer data, it’s a wise decision to update your privacy policies and terms of service to indicate how you intend to use this data – and inform the users about the change.
In summary, if you’re going to serve users in the EU region, you will have to consider GDPR regulations.
6 Step GDPR Ready Framework
The following is the 6 Step GDPR Ready Framework, which companies can follow to ensure a smooth transition from their existing business processes to becoming a GDPR-compliant organisation.
Source: GDPR Ready Framework™ – Elegant Media Research Unit
Here are the 6 steps of the GDPR Ready Framework in detail:
Step 1: Improve Awareness
Increase awareness among all stakeholders, including employed staff, contractors, third-party vendors, consultants and anyone else who will have exposure to customer data. Ensure everyone understands GDPR, its impact, their responsibilities and the potential legal liabilities. Conduct an assessment to establish how compliant your organisation currently is with GDPR and what further steps need to be taken.
Step 2: Take a Data Inventory
Prepare an inventory of customer data and of who has access to it, both internally and externally. Every data source should be documented: what it holds, where the data was obtained, and how the organisation uses it. Keep these records up to date. This helps auditors evaluate the data handling process and identify any gaps.
Step 3: Assign Responsibility
Create job roles in your organisation, such as a Data Protection Officer (DPO), to establish accountability and to bring the different divisions of the organisation together to manage privacy risks better. The DPO should assess how data is handled and transmitted between divisions and work with C-level management to implement processes that reduce or eliminate privacy risks to user data. Protecting customer data must also be a work-related responsibility of every employee.
Step 4: Regulate
Create privacy policies, terms of service and other legal documents that comply with GDPR. All updated policies must be communicated to the affected customers as well as to internal and external stakeholders. The organisation must also ensure that any third parties who handle the data are themselves GDPR compliant.
Step 5: Monitor
Improve the organisation's technology so that it can monitor for and detect security breaches, apply strong encryption to user data, and build privacy by design into new projects.
Step 6: Respond
Prepare a robust privacy-breach handling process and assign a person or team to be responsible for it. This person or team decides on the actions and the response the company should take to stay in line with GDPR. The company must also implement a response process for when users request a copy of their data or ask for their records to be erased.
Is GDPR Really New to Australia?
Though GDPR has been enforced in the EU since 2018, Australia already had some similar regulations in place under the following legislation.
- Australian Privacy Act 1988
- Privacy Amendment (Notifiable Data Breaches) Act 2017 – From 22 Feb 2018
Both GDPR and the Australian Privacy Act 1988 share common requirements, such as:
- a privacy-by-design approach,
- being able to demonstrate compliance with privacy principles and obligations,
- transparent information handling practices.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect on 22 February 2018. Under this law, businesses need to notify the Australian government, through the Office of the Australian Information Commissioner (OAIC), of any data breach that may cause serious harm to the individuals whose information is breached. There is a fine of $1.7 million if a company fails to report a data breach. The Act applies to government agencies, businesses and not-for-profits with an annual turnover of over $3 million, private health service providers, credit reporting bodies, credit providers and organisations dealing with TFNs (tax file numbers).
How Will GDPR Affect Australian App Development, Software and Other SaaS Products?
If your project doesn’t serve residents in the EU, you may not have to make any changes. However, you still must follow the Australian privacy laws. As technology evolves and more user data is collected, we may see the Australian privacy laws getting stricter as well in the future.
Even where it is not required, following some of the GDPR rules as guidelines will make your projects and data more secure, even if you don't serve EU residents.
Here are a few suggestions:
- Secure your projects by default and by design.
- Use strong encryption when collecting, transmitting and storing data.
- Store your data and encryption keys separately.
- Have proper monitoring systems to detect data breaches.
- Collect only the minimum Personally Identifiable Information (PII) you need from users.
- Inform the users how the data is collected and how it’s being used.
- Verify that any third-party services you use are GDPR or privacy law compliant.
- Allow users to remove their data.
- Assign staff or team members responsible for monitoring privacy practices.
GDPR and the Future
GDPR is a step in the right direction for the current digital age, and it gives organisations the opportunity to strengthen their data protection practices. However, it has forced some companies to rethink their business models and put more focus on data protection.
Disclaimer: The information in this article is provided as a general guideline and shouldn’t be taken as legal advice. Please consult a qualified legal practitioner for counsel on how privacy laws impact your project.