The General Data Protection Regulation (GDPR) of the European Union is a set of data protection requirements that became effective on 25 May 2018. It is intended to harmonize data protection laws across the EU. The introduction of clear, uniform data protection laws is intended to strengthen consumer confidence in online services while building legal certainty for businesses.
The Australian Privacy Act 1988 (Cth) (the Privacy Act) applies to some Australian businesses (known as APP entities). These businesses may be subject to the GDPR if they:
- have an establishment in the EU (regardless of whether they process personal data in the EU), or
- do not have an establishment in the EU, but offer goods and services to, or monitor the behaviour of, individuals in the EU
Although there are many similarities between GDPR and the Australian Privacy Act 1988, Australian businesses must comply with GDPR irrespective of their compliance with the Australian Privacy Act 1988.
Who will the GDPR apply to?
The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU. Generally speaking, a controller decides how and why personal data is processed, and a processor acts on behalf of the controller. Where a business has an establishment in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.
The GDPR also applies to the data processing activities of processors and controllers outside the EU, regardless of size, where the processing activities are related to:
- offering goods or services to individuals in the EU (irrespective of whether a payment is required)
- monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU (Article 3)
Australian businesses with customers in the EU, or that operate in the EU, should confirm whether they are covered by the GDPR and if so, take steps to ensure compliance.
What can you do to start the GDPR compliance journey?
1. Data privacy awareness: Ensure staff within your organisation are aware of the GDPR and its impact, so that the resources to be allocated are identified in the right time frame. Training programs must be role-oriented.
2. Build data flows: The GDPR recommends building data flow diagrams and data flow sheets in order to trace the flow of data. These flows are built to identify where and how personal data and special categories of personal data, as defined under the GDPR, are processed within the organisation. Based on the output of the data flows, maintain records of personal data processing as described under the GDPR, depending on whether the organisation is a controller or a processor of personal data.
3. Determine the legal basis for processing personal data: Identify the legal basis for processing personal data for each processing activity and assess its validity. The lawful bases can include contractual necessity, legal obligations, operational dependencies, etc.
4. Privacy notices and consent: The GDPR is particular about the consent of data subjects. At the time of collecting data from the data subject, directly or indirectly, it is important to communicate the reason for collection and the intended usage to the data subject. Privacy notices have to be drafted or updated as per the GDPR requirements to include the range of information that controllers must communicate to data subjects. Some examples are given below:
- the purpose of the processing
- categories of personal data concerned
- recipients or categories of recipients of personal data
- reference to appropriate safeguards if data is going to be transferred to a third country
- period for which data will be stored
- right to lodge a complaint
- source of personal data and, if applicable, whether it came from publicly accessible sources (when data is not directly obtained from individuals)
5. Maintain and manage data subject rights: Organisations subject to the GDPR must ensure that data subject rights are protected at all times. The GDPR gives data subjects the power to manage their personal data. If operating in the EU, organisations are strongly recommended to build processes and mechanisms to respond to data subject requests.
6. Manage privacy incidents: Implement technology and processes to manage and report data breaches. It is highly recommended to implement detection and reporting tools such as Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS) and Data Loss Prevention (DLP). Build, maintain, and test incident response playbooks to ensure data breaches are handled in a systematic way.
7. Data Protection Impact Assessment (DPIA): Define the circumstances under which a DPIA is required as per the GDPR. Perform a DPIA for any personal data processing likely to pose a high risk to the rights and freedoms of natural persons, and manage the potential impact on data subjects from processing such personal data. Rabbon has developed a free DPIA tool that is available for download.
8. Appoint a data protection officer (DPO): Many organisations will be required to appoint a DPO under the GDPR. This will be essential when an organisation is a public body, carries out processing operations requiring regular and systematic monitoring, has large-scale processing activities, or when a member state law specifies the appointment of a DPO. Some organisations that are collecting data from EU entities (individuals or businesses) might need a data representative in the EU. A data representative is an individual or business that represents your organisation in the EU. Rabbon has its roots in Europe with strong networks in many countries, including Germany, France and Norway. Contact us if you need a data representative in Europe.
9. Meet data transfer requirements: Establish a process for managing personal data transfers and adequately protect the rights and freedoms of data subjects when transferring personal data to internal or external parties. Organisations must perform third-party data risk assessments to ensure data is handled to similar standards within your organisation and by external parties. If the data is transferred outside the EU, then data transfer assessments are required.
10. Establish data processor accountability: Data processors, internal or external to your organisation, must handle data to similar standards as if the data were handled within the EU. Therefore, it is critical to perform due diligence before establishing a relationship with a third party and to ensure contracts are in place with third parties that process personal data. It is important to acknowledge that the data controller is held responsible even if a data breach occurs within the data processor's domain.
Organisations are advised to consider the above steps in order to ensure their compliance with the regulation and save themselves from hefty fines and penalties. If you are not certain about the applicability of the GDPR, feel free to contact Rabbon.
Cybersecurity is what we do
Rabbon is a cybersecurity company with offices in Sydney, Melbourne, Brisbane, and Canberra. Our team of Cyber Security Consultants and GDPR Consultants provides businesses with access to effective and affordable cybersecurity services that help them become cyber resilient. Cybersecurity matters to every business, no matter how big or small.
You can contact our Cyber Security Consultants for an obligation-free consultation.