Over the past few weeks, your inbox and news feed have probably been clogged with updates about the European Union’s General Data Protection Regulation (GDPR). Why should an EU law be of interest to businesses in Australia and what does your business need to know and do?
The GDPR came into effect on 25 May 2018 and is designed to protect the privacy of European Union citizens. It empowers individuals to own, protect and control the use of their personal information, and to know how personally identifiable information is handled, processed and used.
The GDPR and Australia’s privacy laws share many common requirements, though there are also some noticeable differences. For example, in Australia, with some exceptions, consent can be implied however under the GDPR it must be explicit.
The impact of the GDPR is far reaching and Australian businesses that have a presence in the EU, offer goods or services in the EU, or capture data about individuals in the EU must comply with the GDPR. Businesses that breach the GDPR face massive financial penalties and potentially irreparable reputational damage.
Australian business decision makers are generally supportive of stronger data protection yet surveys indicate only a fraction of Australian businesses are GDPR-ready. In the European Union, Australia and elsewhere, indications are individuals – concerned, curious and even mischievous – will inundate companies with personal information requests in coming weeks. Many businesses are expected to struggle to respond to these requests while simultaneously scrambling to comply with the new regulations.
Here are eight steps to achieving GDPR compliance:
1. Audit
Conduct an audit to thoroughly understand what data your business collects, where it is stored, and how it is used. Consult with all affected parts of your business including IT, legal, marketing and human resources.
2. Close the gaps
Your audit may highlight gaps or weaknesses in your data processes and procedures. For example, it might alert you to the need to introduce security layers to reduce the risk of a data breach. Take the opportunity to bring your business in line with industry best practice.
3. Document
For good governance, document your data management practices.
4. Privacy policy
Develop or update your privacy policy ensuring it details how you collect, store, transfer and process data.
5. Contracts and conditions
Your agreements, terms and conditions, and legal disclaimers may also need to be updated.
6. Educate staff
Your staff need to understand your organisation’s privacy obligations and the implications of non-compliance. Education and training are key to ongoing compliance and risk management.
7. Transparency and disclosure
The findings of your audit must be communicated to your customers or clients. They must be made aware of when and how their data is being used, and what their rights are.
8. Monitoring and reporting
Your businesses must have processes in place to detect, investigate and report data breaches.
Beware the privacy bandwagon
The GDPR is a big issue for business and a big business opportunity for lawyers. Given the complexity of the regulations, affected Australian businesses will require external assistance. A word of warning: privacy law is a specialist areas of expertise. Carefully check the credentials of the individual who will do the work. Are they a genuine privacy expert or simply on the privacy bandwagon?
How to identify a privacy law expert:
- Check their LinkedIn profile. Is Privacy Law or Privacy a skill for which the individual has been endorsed?
- Check their firm’s website? Does it validate the individual is an expert in privacy law?
- Ask for recent references from clients for which the individual has provided privacy advice.
- Google the individual. Are they a privacy thought leader?
Helaine Leggat, Principal Lawyer, Sladen Legal
