This game-changing law might be a tad dry or boring for some but stay with us as we dig deep and uncover ‘what is the GDPR?’ and why you should take it seriously.
The rules for administering personal data in Europe are driving rapid changes in digital rights for individuals, corporations and business across the world, since the introduction of the European Union General Data Protection Regulation (the GDPR) in May 2018.
The GDPR is widely considered to be the most stringent, all-encompassing, broadly applicable and comprehensive privacy legislation in the world, and one that affirms the value of personal data.
With the huge growth in the amount of personal data being captured and used globally, the imbalance of power between individuals and the businesses that collect and handle their information, and the many challenges in protecting this data, the GDPR now forces businesses to take a serious and proactive approach to how they store, manage and use their customer details.
It also addresses increasing public concern over privacy issues, which continues to rise with every new high-profile data breach. The GDPR raises the bar on consent by putting consumers back in control of their data, requiring compliance with a wide range of rules, including seeking customers’ permission before using their personal data across the multiple touch points they have with an organisation.
A recent RSA Data Privacy & Security Report noted, “As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis.” It also concluded, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”
While the GDPR is a European Union regulation, it has profound significance for all organisations globally. Any corporation or business that supplies goods and services to the EU, uses an EU business within its supply chain, and/or keeps data of EU citizens who live in a non-EU country is now required to obey GDPR rules surrounding data protection.
Importantly, Australian businesses need to understand their obligations under the GDPR legislation. Fines are significant: up to 2% of an organisation’s annual turnover or $16 million for non-compliance, and fines starting from 4% of turnover or $32 million, whichever is higher, for loss of people’s personal data.
Whatever industry your business is in, whether that be finance, retail, manufacturing, SME or large corporations, understanding how the GDPR impacts your business is the first critical step in meeting GDPR compliance.
What is the GDPR?
Simply put, the GDPR, or General Data Protection Regulation, is the European Union regulation covering privacy and data protection that governs the “personal data” of individuals in the EU. It limits the risk of an individual’s personal information being exploited or misused by limiting the amount of data that companies may collect, the ways it can be used, and the length of time it can be stored.
Under the GDPR rules, protected personal data includes:
- Identification number or online identifier.
- An individual’s
- Their physical and online location data.
- Details of the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- An individual’s ethnicity or racial
- Religious or philosophical beliefs.
- Sexual orientation.
- Political views.
- Any trade union membership.
- Identification data derived from genetics and biometrics.
Rules are also now stricter for any company handling the data of people residing in the EU, or that moves and processes EU citizens’ data in a non-EU country. In some instances, the European Commission can stop the transfer of data to external countries, depending on those countries’ existing privacy protection laws.
What are the requirements of GDPR laws?
The GDPR governs all data your business collects and handles on individuals, including website visitors. Even if your business data is managed by third parties, i.e. data storage and cloud providers, the law holds that, as the “controller” of that data, you will still be responsible for breaches and infringements, as will the “processor” of the data, i.e. your cloud service provider.
There are five key areas of an EU citizen’s personal data rights and entitlements which are upheld by GDPR laws:
- Right to request access to data your business holds on EU citizens which must be delivered within 40 days of that request.
- Right to limit and object to the handling of personal data.
- Right to data portability where users must be able to access and transfer the data you hold on them in a commonly used, machine-readable format.
- Right of EU citizens to be forgotten, where all information you hold on an individual is deleted upon request, including by business partner data processors.
- Requirement to report data loss or data breaches within 3 days from the point of awareness. An exception is where a breach is unlikely to place the rights and freedoms of individuals at high risk.
One key requirement of the GDPR that we highly recommend you act on immediately concerns partnerships: as the data controller, you may only partner with third-party processors who can provide satisfactory guarantees that they are GDPR compliant. Your contractual arrangements must include a clause prohibiting the data processor from working with another data partner without your authorisation, to limit the sharing of the data you collect.
The GDPR also places the ‘burden of explicit consent’ on organisations, whereby a user’s consent must be sought and given before their personal data is collected and processed, with certain special categories of data requiring the end user’s “explicit consent”.
Importantly, putting into action policies, procedures and technologies covering data protection and data management for your organisation should be a high priority, since you not only need to meet the compliance requirements of the GDPR, but are also obliged to show that you are compliant.
What does the GDPR mean for Australian businesses?
As with Australia’s Privacy Act, local businesses can’t afford to ignore the European Union’s new General Data Protection Regulation, as the business implications are far-reaching and could be very costly.
The good news is if you are currently meeting the latest Australian Privacy Act conditions, you have a solid foundation to build upon in fully meeting the extensive GDPR laws.
While the GDPR laws are not directly related to information security, the changes to systems and processes required to meet the compliance regulations may impact your existing security systems and protocols.
Meeting the GDPR laws demands that you take immediate action if you haven’t already done so. Understanding how your business currently stores and processes data, and the channels through which the data is collected, is an important first step in becoming GDPR compliant. Your third-party suppliers, such as cloud services, should also be included in your review to ensure they are compliant too.
Remember, you hold the ultimate responsibility for all data used by your business under the GDPR rules.
Keep on the good side of the GDPR
We highly recommend you look closely at how you are collecting and storing your customers’ personal data as a matter of urgency. The GDPR is a complex set of laws, and we can assure you it’s worth the effort to future-proof your organisation against a data breach or GDPR misdemeanour.
DOES ALL THIS INFORMATION REQUIRE A CHAT?
Get in touch with us to discuss how we support your business operations in becoming fully GDPR compliant.