The General Data Protection Regulation (GDPR) will affect many areas of an organisation, including data, technology and legal compliance. This paper notes that Australian privacy law already shares much of the approach of the EU GDPR, the regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which repeals Directive 95/46/EC. The key legislation regulating privacy in Australia is the Privacy Act 1988 (the “Privacy Act”). Significant amendments to the Privacy Act were passed on 29 November 2012 and came into effect on 12 March 2014.
In February 2017, the Australian Parliament passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, which established the Notifiable Data Breaches (NDB) scheme. From 22 February 2018, the NDB scheme places clear obligations on all entities covered by the Australian Privacy Principles (APPs) to report data breaches. The Act requires organisations to notify both the Australian Information Commissioner and the affected individuals of an eligible data breach, that is, a breach likely to result in serious harm to the individuals concerned.
The Australian regulator responsible for the Privacy Act, the Office of the Australian Information Commissioner (OAIC), has issued guidelines that provide further context. Some states and territories have their own privacy legislation and/or administrative guidelines that apply to the state or territory public sector. Regardless of which local rules apply, any Australian business that falls within the GDPR’s territorial scope must also comply with the GDPR.
In a world where data volumes continue to grow at staggering rates, many organisations are already struggling to control their data, let alone put it to good use. At the same time, global regulation is increasing, and ransomware, cyber-attacks and data and security breaches are regularly front-page news. There is a real need for clear, practical guidance that lets organisations future-proof themselves in a proactive way.
The Frame Group understands the enormous pressure organisations are under to protect, secure and access their data in an increasingly complex and regulated environment. That pressure is even greater for organisations with global operations. We show you how Australian businesses can be caught by the GDPR, compare it to local privacy legislation and give you practical tips to prepare for this new regulation. We understand that digital and technology managers are under mounting pressure from the board and are already in the middle of disruptive change driven by mandatory technology adoption such as cloud infrastructure, collaboration architecture and digital transformation. We are here to help you be well prepared for GDPR compliance so that you can conduct business seamlessly across Europe and globally.
Holistic View: Key changes of GDPR
What is the GDPR?
The GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). It harmonises data protection law across the whole of the EU and replaces the existing national data protection rules that implemented the Directive. The introduction of clear, uniform data protection regulation is intended to build legal certainty for businesses and enhance consumer trust in digital and online services. The GDPR was adopted by the European Parliament and applies from 25 May 2018 to businesses across Europe and, where they fall within its scope, globally. Under the GDPR, ‘personal data’ is any information relating to an identified natural person, or from which a natural person can be identified. The GDPR aims to return control over personal data to individuals in an increasingly data-driven world, and to give businesses the certainty of a single data protection law across the EU, which also binds non-EU businesses that fall within its scope.
Are you GDPR Compliant?
Is your organisation ready for the GDPR, and are you compliant? The GDPR will affect many areas of an organisation, including the data, technology, security, privacy, legal and compliance functions. Australian organisations, and others in the APAC region, can be caught by the GDPR and need to be properly prepared to comply. Those in your organisation who should care about the GDPR include:
- Chief Information Officer
- Chief Risk and Compliance Officer
- Chief Security Officer
- Chief Operating Officer
- Chief Data Officer
- Digital Strategist
- Data Scientist
- General Counsel
- Privacy Office
The concept of “Privacy by Design” is now embedded in law, with Data Protection Impact Assessments mandatory for high-risk processing and expected to become routine across organisations from next year. Businesses will be expected to pay more attention to information management, data authenticity, clarity, cleansing, masking, pseudonymisation, encryption, and technologies that are designed and managed with user privacy as a prime ingredient. Documented security and privacy risk assessments will be required before major new systems and technologies are deployed. Personal data breaches will have to be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them (unless the breach is unlikely to result in a risk to individuals), which means implementing new or enhanced incident response procedures.
Today’s information management procedures will be challenged to provide clearer oversight of data storage, content management, user journeys and data extraction. A better grasp of what data is collected and where it is stored will make it easier to comply with the new data subject rights. The GDPR has also introduced new requirements and challenges for legal and compliance functions. Many organisations will be required to appoint a Data Protection Officer (DPO), who will have a key role in ensuring compliance. The DPO is distinct from the controller and the processor: a controller determines how and why personal data is processed, and a processor processes personal data on the controller’s behalf. A renewed emphasis on organisational accountability will require proactive, robust privacy governance, requiring organisations to review how they model their business and to write privacy and security policies that are easier to understand.
Why European Regulations in Australia?
If your organisation or business offers products, goods or services to customers residing in the European Union (EU), or monitors their behaviour, you could be subject to GDPR penalties even if your business does not operate in or from the EU and has no physical presence there. Although the GDPR may not be on the priority list for many Australian businesses, they could face large fines if they are in breach of the GDPR once it applies from 25 May 2018. The global reach of businesses today puts greater emphasis on Australian organisations to comply with the GDPR consciously and efficiently while also adhering to their local rules and regulations. Australian businesses that may be covered by the GDPR include:
- Any Australian organisation with an office in Europe
- Any Australian online business (eCommerce, i.e. B2B, B2C, C2C etc.) or website offering products or services in Europe, for example by accepting payment in euros
- Any Australian company whose website is directed at European customers or users, for example through European references or language versions
- Australian research bodies and other commercial businesses that track individuals or groups for monitoring, predictive and data analytics to forecast adoption, user behaviours, personal preferences and perspectives etc.
Comparing EU-GDPR with Australian Privacy Act
Given the similarities between the GDPR and the Privacy Act (particularly the Australian Privacy Principles, or APPs, which bind “APP entities”) on personal information and data handling, Australian businesses may already have some of the measures in place that will be required under the GDPR. Even so, they should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, and implement the necessary changes before the GDPR applies. Doing so improves consumer trust through enhanced privacy practices and allows for more consistent internal privacy practices, procedures and systems across the business. The table below compares the EU GDPR with the Australian Privacy Act, following the OAIC’s comparison.
The following resources may further assist Australian businesses to assess whether they are covered by the GDPR and the steps to be taken to comply:
- European Commission, Reform of EU data protection rules
- Article 29 Working Party (from 25 May 2018, the European Data Protection Board) GDPR guidance
- UK ICO website GDPR guidance
Roadmap to GDPR Compliance
We have a dedicated team of risk, privacy and compliance professionals with thorough expertise in leading risk and privacy programs across small, medium, large-scale and complex organisations. The following figure depicts the roadmap for successful adoption of the GDPR in Australian organisations and businesses.
Frame Transformation Framework
Frame’s modular transformation framework can be applied to assess, design, implement and monitor organisational privacy programs, controls and risks, scaled to the organisation’s size and structure. Frame can provide consulting services to advise on best practices and to apply risk and compliance management practices.
How Can Frame Help?
The following figure shows the key actions and activities needed for a successful GDPR adoption and transformation program. To cope with the change coming in May 2018, now is the time for Australian businesses and organisations to examine in detail their current privacy and compliance programs, as well as their data breach processes, to ensure the basic setup needed to meet the new requirements is in place.
If you would like further advice about your business’s privacy and compliance requirements, please contact Frame Group at www.framegroup.com.au