Date posted: 29/06/2018

Seven steps to comply with new data laws

Organisations which do not comply with new data protection laws in the EU and Australia can face tough penalties. Here’s a checklist to avoid falling foul of the new data rules.

In Brief

  • The European Union’s (EU) new data protection legislation took effect on May 25
  • The GDPR impacts Australian businesses that collect and store information that relates to people who are located within the EU
  • Non-compliance with the GDPR can result in massive financial penalties

By Jamie White

We have updated our Privacy Policy to comply with the European Union’s new data privacy law, the General Data Protection Regulation (GDPR).

Email inboxes around the world are being filled with words similar to those above. So what do you need to know to comply?

The new GDPR data protection legislation which took effect on May 25 requires businesses to protect the personal data and privacy of citizens in the EU. 

The GDPR includes requirements similar to those contained in this year’s Australian Privacy Act, as well as extra measures to foster transparency around data management. Here are seven things you can do now to assist with GDPR compliance: 

1. Decide if the GDPR applies to your business  

The GDPR applies to any business or organisation that stores any personal information that relates to a person located within the EU. Personal information is any information relating to an identified, or identifiable, natural person. Examples include a person’s name, email address, phone number, identification number, online identifier, location data and, potentially, pseudonyms.

2. Identify and document the data that you hold  

Investigate the data that you currently store. Identify data that relates to any person located within the EU, where the data is held, how it's processed and who may access it. This information should be thoroughly documented.   

Compliance is unlikely to occur if you do not know about the data that you store.

3. Establish whether consent has been obtained  

Consent for any data processing must be specific and auditable. Therefore, you should ensure that consent is simple and transparent. You should maintain clear records of all consent obtained from clients who are EU citizens and other EU contacts. The consent requirements under the GDPR provide a timely prompt for you to contact current data subjects and request new permission to store and use their personal information.

4. Ensure your Privacy Policy complies  

If your business is required to comply with the GDPR, you must ensure that you have a GDPR-compliant Privacy Policy in place. This may mean obtaining a new policy, or updating an existing one. Whatever the case, a GDPR-compliant Privacy Policy must address requirements such as the legal basis for processing personal information, consent and the various rights of data subjects.

5. Raise awareness  

Ensure that all staff members within your business understand the content of the Privacy Policy, the obligations of your business under the GDPR, as well as their individual responsibilities for ensuring compliance.

6. Appoint a Data Protection Officer  

Appointing a Data Protection Officer (DPO) is only required in limited circumstances (for example, public authorities or organisations that undertake large-scale monitoring of individuals). However, it would be wise to designate a DPO who is trained in data governance and who will help keep compliance with the GDPR on track. Implementing a crisis plan to manage risk is also recommended.

7. Report data breaches  

The GDPR rule to report data breaches is similar to that required by Australia’s new Notifiable Data Breaches scheme, which came into effect in February 2018. That is, entities that fall within the scope of the Australian Privacy Act have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach. 

Penalties for non-compliance

Penalties for non-compliance with the GDPR are massive. They include fines of up to the greater of 20 million Euros (about A$31 million) or 4% of annual turnover for the prior year. If you do not wish to comply with the GDPR, then you must delete, or destroy, all information stored about a person who is located within the EU. You should also carefully review any third-party apps and software that you use in your business and, if required, stop using any app or software that triggers a requirement for GDPR compliance.

When to see a lawyer

Complying with the GDPR rules is complex. Therefore, if there is any doubt as to your compliance obligations under the GDPR, obtaining advice from a lawyer is a prudent step to take. It could save your business from facing substantial financial penalties, public distrust and reputational damage, which businesses often cannot survive.

Jamie White is one of Australia's leading intellectual property and technology lawyers and owner of Pod Legal, an innovative and award-winning law firm with offices in Melbourne and on the Gold Coast.