06 Aug 2019 News

What is the General Data Protection Regulation (GDPR) and how does it apply to my business?

Have you ever visited a website recently and seen a pop-up asking you to allow cookies? It can be especially annoying on a mobile device when it takes up a portion of the screen. 

But what’s it about? Haven’t cookies been around forever?  

Cookies enable a website to serve you a personalised experience. They can save details about your device, the browser you use and where you've been on the site. 

Why all the focus now?

It’s all to do with the General Data Protection Regulation (GDPR) that the European Union (EU) brought into effect in May 2018 regarding the data of EU individuals. And it’s sent businesses worldwide scurrying to update their privacy policies. 

But it’s not just cookies. In fact, they are only mentioned once. The entire regulation has changed the way businesses collect and use the personal data of EU citizens. 

And although it’s an EU regulation, the GDPR has had a global impact. And it may apply to your business. 

What exactly is the GDPR?

The GDPR, or General Data Protection Regulation, is a regulation created to protect individuals in the European Union. It gives those individuals control over how their data is handled. If any data collected by an organisation can personally identify an individual, then it falls under the GDPR. It also gives individuals a say in the retention of their data: what can be kept and what they’d like destroyed.

Common terms under the GDPR are ‘data controllers’ and ‘data processors’. Data controllers collect the data and pass it, with instructions, to data processors. The roles can overlap, where the data controller can also be the data processor. 

Weren’t individuals protected before?

They were, but the European Union comprises 28 nations, each with its own data handling laws. The GDPR brings all those laws together into one, making it easier for users and businesses to understand their rights and responsibilities across the nations of the European Union.

The GDPR champions individuals’ rights regarding their data, following years of security breaches and unencrypted data falling into the wrong hands.

One well-known example is the breach of Sony’s PlayStation Network in 2011, where 77 million users had their personal details stolen. Sony was criticised not only for its slow reporting of the breach, but also for not encrypting user data.

What rights does a person have under the GDPR?

Some rights include:

Right of access by the data subject - Article 15

Individuals can ask whether their personal data is being processed, and can access that data and learn how it is stored, who will have access to it and how it was obtained.

Right to rectification - Article 16

Individuals have the right to have incomplete or inaccurate data corrected.

Right to erasure - Article 17

Individuals have the right to be forgotten - erasure of their personal data from the collector and third-party processors.

Right to restriction of processing - Article 18

Individuals can object to the processing of their data.

Right to data portability - Article 20

Individuals can request that their data be exported so it can be transferred to another controller of their choice, without hindrance.

Does it apply to my business? 

Your business will need to comply if: 

Basically, your business falls under the GDPR if it collects or handles the data of any EU citizen.

My business abides by the Australian Privacy Act - isn’t that enough?

Not if your business is subject to the GDPR. The Federal Government introduced the Australian Privacy Act in 1988, before the internet became mainstream. And while the Australian Privacy Act has had amendments, the GDPR goes further in protecting individuals’ rights to privacy and imposes hefty fines for non-compliance and data breaches.

Some main Privacy Act/GDPR differences include:

Who it applies to:

GDPR

Data processing activities of businesses, regardless of size, that are data processors or controllers.

Australian Privacy Act

Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.

What it applies to:

GDPR

Personal data – any information relating to an identified or identifiable natural person.

Australian Privacy Act 

Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable. 

Jurisdictional link

GDPR

Applies to data processors or controllers:

Australian Privacy Act

Applies to businesses:

Individual Rights

GDPR

Individual rights include:

Australian Privacy Act

No equivalents to these rights. However, businesses must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose. Where access is given to an individual’s PI, it must generally be given in the manner requested.

Source: Australian Government Office of the Australian Information Commissioner

What are the penalties for EU businesses that fail to comply or suffer a breach? 

The GDPR penalties for EU businesses can be severe: up to €20 million or 4% of annual global turnover for infringing articles of the GDPR.

Have any fines been issued under the regulation?

Yes, at great cost.

Britain’s data watchdog plans to fine British Airways $AUD329 million for a data breach that exposed the names and payment details of nearly 500,000 customers.

The Danish Data Protection Agency issued a taxi company with a $AUD259,392 fine over late deletion of phone numbers that could identify people.

And it’s not only big businesses or internet firms that are affected. The Austrian Data Protection Authority fined an Austrian café $AUD7,764 because its CCTV camera viewed too much of a public area, with no warning to the public that it was doing so.

Can an Australian business be fined under European law?

Nicholas Blackmore, Special Counsel at Kennedys, a law firm in Melbourne, recently wrote on SmartCompany’s website that:

“The good news for Australian startups is that foreign penalties, such as GDPR fines, will not be enforced by Australian courts. As such, a startup that only has operations or assets in Australia might take the view that it can safely ignore the GDPR. That would be a mistake for two reasons. Firstly, an outstanding GDPR fine could hinder your startup from doing business in Europe in the future. Secondly, while foreign penalties are not enforceable in Australia, orders for compensation from certain European courts are. European consumers who suffer loss due to your breach of the GDPR could be awarded damages by a European court, and then seek to enforce that court order against you in Australia.”

Even though he mentions startups, his advice can apply to any existing business, no matter its size, or the size of its client base.

It sounds complicated. Have any businesses decided not to do business with EU individuals?

It can be complicated, and some US businesses blocked the EU from accessing their websites when the GDPR came into effect. This was not because they were specifically breaking the law, but because of the expense of becoming GDPR compliant and the liability for heavy fines if found in breach.

These sites included those of major newspapers such as the Chicago Tribune, New York Daily News, Dallas Morning News and the Los Angeles Times. Some have said they will comply, while others have said it’s not worth the expense.

Can Australia learn from the GDPR?

Australian businesses and governments could be more transparent with how individuals’ data is stored and used. A recent story in the Sydney Morning Herald disclosed how the Department of Human Services used Medicare data to recruit bipolar patients for a research company. Some patients then accused their psychiatrists of sharing their details.

Professor Gordon Parker, one psychiatrist falsely accused of sharing data, responded:

“I had no idea [the DHS] kept such a database on people dispensed lithium, and I suspect many don’t know Medicare is holding this private, identifying data.”

How can I comply?

For starters, look at implementing or changing the following policies in your business:

For further reading, you can download your own copy of the GDPR. It’s available in 24 languages.

Finally, this post is to give you an idea of the impact the GDPR can have on your business. It isn’t a substitute for legal advice. We are IT professionals and are still navigating this regulation and its application. Speak with your legal advisor about your business’s responsibilities and the rights of your EU customers.

Digital Bridge is a Melbourne website design agency specializing in creating custom website solutions for Australian businesses. Email us to discuss your next web project.