By now, most of us will be familiar with the European Union's new General Data Protection Regulation (GDPR). Even if you're not explicitly aware of the legislative change, you will have seen or heard about the updates to privacy policies from your social media, your favourite webstores as well as any other online services where an account is necessary.
You may be wondering how European legislation affects businesses in Australia and New Zealand. The matter is simple – if your Australian or New Zealand organisation does business with consumers in the EU, you'll be required to comply with the requirements of the GDPR.
What is the GDPR?
To start with, let's take a closer look at what the GDPR covers – though note that it's extensive, and this section is a summary only.
At its core, the GDPR exists to help protect individuals' data. The key changes are around 'personal data' (referring to any information relating to an identifiable person) and 'sensitive personal data' (referring to genetic or biometric data used for identification purposes).
Under the GDPR, individuals must clearly express consent for their data to be processed by the organisation. Further, individuals will now have the right to access any information that an organisation has collected about them, and more importantly, the individual can request that their information be erased. Finally, if an individual's personal data is unlawfully accessed and this poses a threat to the rights and freedoms of the individual, they must be notified within 72 hours.
This regulation was much needed, as the most recent data protection rules in the EU were written in 1995 and have simply not kept up with technology. With the GDPR, Europe is now covered by the strongest data protection rules in the world. Given the nature of international trade and online commerce, many businesses outside the EU will be required to comply with the GDPR. Are you one of them?
What does the GDPR mean for NZ and AU businesses?
As previously stated, the GDPR requirements go beyond businesses in the EU, and will have a global impact. The regulations will apply if you are an Australian or New Zealand business that:
- Has an office or outlet in the European Union.
- Has a website targeting EU citizens by enabling them to use the website in a European language other than English, or by accepting payment in Euros.
- Has a website that mentions customers or users based within an EU member state.
- Tracks individuals from the EU online and uses data processing techniques to profile them according to analysis of personal preferences, behaviours and attitudes.
If any of the above covers your current operations, then you'll be required to meet the compliance requirements of the GDPR. According to Minter Ellison, there are three key factors that Australian and New Zealand businesses will need to address to ensure GDPR compliance:
- If your business is processing personal data of individuals in the EU, you'll need to appoint a Privacy Officer to monitor your compliance, liaise with relevant supervisory authorities and advise on the responsible use of personal data.
- Demonstrate your compliance with the core GDPR principles by implementing the appropriate technical and organisational measures.
- Understand and develop procedures for breach reporting.
How does this GDPR affect the Notifiable Data Breach scheme?
The good news for Australian businesses is that, if you've recently overhauled your procedures in line with the Notifiable Data Breaches scheme, you're already on track to comply with GDPR requirements in this area. New Zealand businesses will have a little more leg-work to do in order to meet these requirements, as data breach notification there is recommended rather than mandatory.
The GDPR states that when a breach results in a risk to the individual's rights and freedoms, they must be informed within 72 hours of first becoming aware of the breach. Organisations should also alert the GDPR supervisory authority, a commission made up of representatives from every member state. Note that in the event of a breach, it's also essential to notify the Australian Information Commissioner or the Office of the Privacy Commissioner (for New Zealand). It's imperative that your organisation has the right processes in place to notify both the individual as well as the relevant authorities.
What are the benefits of undertaking a compliance course in GDPR requirements?
Running GDPR compliance courses for your staff is a great way to ensure you are covered across the board. Such a course will allow you to:
- Understand the difference between EU individuals and EU businesses you may work with.
- Differentiate between 'data controller' and 'data processor'.
- Gain a working knowledge of the differences in types of data.
- Know the exact obligations of a company required to comply with the GDPR.
- Navigate scenarios in which you'll need to decide how to act.
- Understand the notification requirements and processes.
Failure to comply can result in fines of up to AU$30 million or 4 per cent of your global annual turnover. In an age where data is all important, complying with the GDPR is not just about protecting your bottom line – it's also about building trust with your customers and creating a digital environment where people feel safe. If your organisation is affected by the GDPR and requires a little help getting on top of it all, get in contact with Safetrac today.