Governments across the globe have progressively imposed greater restrictions on what organisations can—and cannot—do with personal data. But data protection will be taken to a whole new level come May 25, 2018.
A few years back, the EU Parliament, the Council of Ministers, and the Commission joined together to strengthen and harmonise data security laws across the European Union. Long story short, the General Data Protection Regulation, aka GDPR, was created and finalised on April 14, 2016, with a transitional period built in to allow time for all affected organisations to adjust to the significantly more stringent and punitive regime.
In late May, the regulation finally becomes enforceable and its impact will be truly felt—don’t get caught in a cold sweat. Here’s what you and your IT team can do to start preparing your business for this inevitable future.
Welcome to a brave new world of data protection
Under the GDPR, you can only process data if you have a lawful basis to do so. These lawful bases range from the need to process data for the performance of a contract an EU citizen has entered into, or to protect that citizen’s vital interests, to complying with a legal obligation a data controller is subject to. That said, consent is the big one here. Before you can process the data of an EU citizen for any reason, they must explicitly consent to having it collected first. In the case of minors, consent must be obtained from their parent or custodian. In short, the Wild West days of “If you’re not paying, you’re the product” are over.
Organisations with the scale to do so will need to appoint an internal data protection officer (DPO). A DPO should have a thorough understanding of the GDPR to make sure your organisation remains compliant with it. Under the new regime, EU citizens also have the right to access their data, be informed about how that data is processed, and request erasure of personal data related to them if they have valid grounds for doing so. They also have the right to transfer their data from one electronic processing system to another—without the data controller preventing it.
The new regulations mandate “data protection by design and default.” This requires you to bake data protection into the development of business processes and set default privacy settings to a high level. If a data breach occurs, you’re legally required to notify the relevant supervisory authority without undue delay. If the data breach could result in an adverse impact on the EU citizens whose personal data was accessed, they must be notified. Pseudonymised data is still considered personal data and treated as such under the revised laws.
What will the impact* of GDPR be like in Australia?
You may be wondering why the EU’s new data protection regime is of anything other than academic interest to Aussies. It’s because:
- It will impact many non-European businesses.
- The sanctions for breaches are more severe than the slap on the wrist corporations are used to in today’s day and age.
The regulation applies to any organisation in the world that collects or processes the personal data of EU residents. Personal data is defined broadly, too: “Any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a home address, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”
A non-European company that so much as tracks an EU citizen’s cookie will find itself subject to strict laws. For a first offence, you’ll most likely receive a written warning. But things escalate quickly from there—once you’ve exhausted the goodwill of the commissars, the best-case scenario is your organisation will be required to undertake regular data protection audits. After that comes a fine of €10 million or up to 2 percent of the annual worldwide turnover of your company (whichever is greater). The maximum fine that can be imposed under the GDPR is €20 million or up to 4 percent of the annual worldwide turnover of your company (whichever is greater).
Unless you work for a business that has no contact with the 500 million or so people residing in the European Union, inadequate data protection could cost you your job and maybe even cost your employer their business.
Beware the global implications on data everywhere
There’s a hodgepodge of data protection regimes around the world. In a globalised economy, you can’t afford to ignore the half a billion customers in Europe. Sooner or later, the EU will become the “digital gold standard.”
If your company operates across borders, you should adopt the most stringent set of requirements found in any of its markets. For the foreseeable future, it appears the GDPR will be the strictest set of rules in the world, and thus, it will become the de facto global standard. It’s not hard to imagine customers in Australia (and elsewhere) coming to demand high-level data protection from all the organisations they deal with. Any national government or regional decision-making body looking to revamp data protection is certain to use these regulations as a template.
Businesses have enjoyed a few decades of not worrying too much about doing the right thing with data, but that era is over. As a result, IT decision-makers need to be even more on the ball when it comes to network security. This includes making sure printer networks and other endpoint devices won’t become entry points for malicious actors. The more secure your IT environment, the safer your business will be from a data breach and from the risk of failing to comply with today’s strict data regulations.
*The information contained in this webpage is general in nature. It is not intended to be comprehensive or to constitute legal advice. You should not rely on this information without first obtaining legal advice based on your specific circumstances.