Amazon has been fined 746 million euros ($885 million) under the European Union’s General Data Protection Regulation (GDPR) for violating privacy rights. The fine was imposed by Luxembourg’s data protection authority, the National Data Protection Commission (CNPD), on 16 July 2021.
The regulator stated that the fine was imposed because Amazon did not comply with GDPR requirements. Amazon disputed the decision and said it would appeal against the fine.
The final outcome of this case is yet to come and will take a long time. However, there is one thing we can all agree on: GDPR is a monster regulation.
Non-compliance with GDPR is not an option.
Why do Australian Organisations need to be aware of GDPR?
If your organisation is dealing with European personal data, directly or indirectly, you need to think about GDPR. If you collect personal data from individuals in the EU and decide why and how it is used (as a data controller), or you process such data on behalf of another organisation (as a data processor), GDPR is applicable to your organisation. Note that GDPR protects data subjects located in the EU, not only EU citizens, and it applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
The Australian Privacy Act 1988 is much more lenient: it generally applies only to organisations with an annual turnover above AU$3 million (with some exceptions), and its penalties are far smaller. That is not the case with GDPR. How your organisation handles personal data and privacy is the core of GDPR, and as you can see in Amazon’s case, the fines are huge and real.
What can Australian organisations do to be compliant with GDPR?
We have talked to many of our customers, and we found that most organisations are not sure whether they need to be compliant with GDPR or not. The most common question we get is, “Is it applicable to us?”
Therefore, start by identifying the requirement. Is GDPR applicable to you or not? If it is, find the articles you need to comply with.
Build a GDPR framework that is designed to meet your organisational needs.
A well-known framework is:
Another common misconception is that if your organisation is compliant with the Australian Privacy Act 1988, then you are complying with GDPR as well. This is not true: the two regimes differ in scope, obligations and penalties. To maintain compliance with GDPR, your organisation needs to run a parallel GDPR compliance program alongside its Privacy Act program.
The biggest challenge that Australian organisations face is the lack of competent resources. GDPR is a very complex regulation, and it is primarily focused on individuals and entities in Europe. Because only a handful of Australian organisations deal with European data subjects, demand for GDPR compliance is low, and as a result there are only a few GDPR compliance consultants available in Australia.