Contact Magazine, Winter 2018
The General Data Protection Regulation (GDPR), which took effect on 25 May 2018, addresses the critical area of personal data protection by providing clear guidance and protocols to organisations that collect, use and store the personal information of European Union nationals.
While it directly governs only the European Union, the new requirements have implications for businesses and operators in other countries, including Australia.
Broadly, the GDPR will impact Australian organisations with operations in the EU and those that provide goods and services within and to the EU, including online businesses and those monitoring the activity of individuals in the EU.
Fortunately, there are many similarities between the GDPR and Australia’s Privacy Act 1988, which will limit the extent of the impact on affected Australian businesses. However, while both policies follow a ‘privacy by design’ approach, the GDPR differs in several important ways for which there are presently no exact provisions under the Privacy Act. These are:
- the right to be erased, allowing individuals to have information and content about them deleted and unsearchable;
- the right to object to the processing of one’s own data, allowing individuals to prevent their information from being used for scientific or historic research, marketing and other purposes;
- the right to data portability, allowing individuals to access and/or authorise the transfer of their data from one organisation to another; and
- the definition of consent, which must be voluntarily granted, represent a true choice and be bound to a specific purpose.
As a consumer, the new regulations mean greater protections and control of individuals’ personal information and how it’s used by organisations. For organisations, it is likely to change the way they manage the personal information relating to their customers.
Assessing the impact on your business
When assessing the impact on your business there are three key areas to consider.
- Impact assessment: Assess your organisation’s current data practices including collection methodology, storage, use and access, and how these factors fit within Privacy Act 1988 and GDPR frameworks.
- Policy and governance: Address the risk areas identified in step one and remediate any practices that may be non-compliant. Governance frameworks should apply to both digital and manual processes dealing with data collection and handling. This process should also include the development of an incident response plan to minimise the impact of a data breach on your customers and organisation.
- Training and awareness: It is critical to ensure your key stakeholders are aware of any changes that may affect them. Relevant personnel should undertake training in data collection and handling to ensure they are aware of the new requirements, as well as what to do in the event of a compliance breach. Likewise, clients should be informed of relevant changes to your organisation’s practices related to collection and storage of personal data, and should be considered in the incident response plan developed during step two.
Under GDPR, fines for contraventions are a maximum of €20 million or four percent of an organisation’s annual global turnover (whichever is greater), strongly incentivising the establishment of compliant practices.
While many data management, customer management and communication platforms have built-in protocols to comply with the requirements of both the Australian Privacy Act 1988 and the GDPR, it’s important that businesses meet the required standards across their whole organisation.
Accordingly, the recent change in requirements makes it an opportune time to reassess the practices of your organisation in relation to the collection and management of customers’ personal information.