Seven steps to comply with new data laws
Organisations which do not comply with new data protection laws in the EU and Australia can face tough penalties. Here’s a checklist to avoid falling foul of the new data rules.
- The European Union’s (EU) new data protection legislation took effect on May 25
- The GDPR impacts Australian businesses that collect and store information that relates to people who are located within the EU
- Non-compliance with the GDPR can result in massive financial penalties
By Jamie White
Email inboxes around the world are being filled with words similar to those above. So what do you need to know to comply?
The new GDPR data protection legislation which took effect on May 25 requires businesses to protect the personal data and privacy of citizens in the EU.
The GDPR includes requirements similar to those contained in this year’s Australian Privacy Act, as well as extra measures to foster transparency around data management. Here are seven things you can do now to assist with GDPR compliance:
1. Decide if the GDPR applies to your business
The GDPR applies to any business or organisation that stores any personal information that relates to a person located within the EU. Personal information is any information relating to an identified, or identifiable, natural person. For example, a person’s name, email address, phone number, identification number, online identifier, location data and, potentially, pseudonyms.
2. Identify and document the data that you hold
Investigate the data that you currently store. Identify data that relates to any person located within the EU, where the data is held, how it's processed and who may access it. This information should be thoroughly documented.
Compliance is unlikely to occur if you do not know about the data that you store.
3. Establish whether consent has been obtained
Consent for any data processing must be specific and auditable. Therefore, you should ensure that consent is simple and transparent. You should maintain clear records of all consent obtained from clients who are EU citizens and other EU contacts. The consent requirements under the GDPR are a timely prompt to contact current data subjects and request fresh permission to store and use their personal information.
5. Raise awareness
6. Appoint a Data Protection Officer
Appointing a Data Protection Officer (DPO) is only required in limited circumstances (for example, public authorities or organisations that undertake large-scale monitoring of individuals). However, it would be wise to designate a DPO who is trained in data governance and who will help keep compliance with the GDPR on track. Implementing a crisis plan to manage risk is also recommended.
7. Report data breaches
The GDPR rule to report data breaches is similar to that required by Australia’s new Notifiable Data Breaches scheme, which came into effect in February 2018. That is, entities that fall within the scope of the Australian Privacy Act have data breach notification obligations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in the breach.
Penalties for non-compliance
Penalties for non-compliance with the GDPR are massive. Penalties include a fine in an amount that is up to the greater of 20 million Euros (about A$31 million), or 4% of annual turnover for the prior year. If you do not wish to comply with the GDPR, then you must delete, or destroy, all information stored about a person who is located within the EU. You should also carefully review any third party apps and software that you use in your business and, if required, stop using any app or software that triggers any requirement for GDPR compliance.
When to see a lawyer
Complying with the GDPR rules is complex. Therefore if there’s any doubt as to your compliance obligations under the GDPR, obtaining advice from a lawyer is a prudent step to take. It could save your business from facing substantial financial penalties, public distrust and reputational damage, which businesses often cannot survive.
Jamie White is one of Australia's leading intellectual property and technology lawyers and owner of Pod Legal, an innovative and award-winning law firm with offices in Melbourne and on the Gold Coast.