What is the General Data Protection Regulation (GDPR) and how does it apply to my business?
Have you ever visited a website recently and seen a pop-up asking you to allow cookies? It can be especially annoying on a mobile device when it takes up a portion of the screen.
But what’s it about? Haven’t cookies been around forever?
Cookies enable a website to serve you a personalised experience. They can save details about your device, the browser you use and where you've been on the site.
Why all the focus now?
It’s all to do with the General Data Protection Regulation (GDPR) that the European Union (EU) brought into effect in May 2018 regarding the data of EU individuals. And it’s sent businesses worldwide scurrying to update their privacy policies.
But it’s not just cookies. In fact, they are only mentioned once. The entire regulation has changed the way businesses collect and use the personal data of EU citizens.
And although it’s an EU regulation, the GDPR has had a global impact. And it may apply to your business.
What exactly is the GDPR?
The GDPR or the General Data Protection Regulation is a regulation created to protect the individuals of the European Union. It allows those individuals control over how their data is handled. If any data collected by an organisation can personally identify an individual, then it falls under the GDPR. It also allows individuals to have a say about the retention of their data, what can be kept and what they’d like destroyed.
Common terms under the GDPR are ‘data controllers’ and ‘data processors’. Data controllers collect the data and pass it, with instructions, to data processors. The roles can overlap, where the data controller can also be the data processor.
Weren’t individuals protected before?
They were, but the European Union comprises 28 nations and all had varying data handling acts. The GDPR brings all those acts into one, making it easy for users and businesses to understand their rights and responsibilities across the nations of the European Union.
The GDPR heroes individuals’ rights regarding their data, following years of security breaches and unencrypted data falling into the wrong hands.
One well-known example is the breach of Sony’s PlayStation Network in 2011, where 77 million users had their personal details stolen. Sony was criticised for not only its slow reporting of the matter, but for not encrypting user data.
What rights does a person have under the GDPR?
Some rights include:
Right of access by the data subject - Article 15
Individuals can ask if their personal data is being processed, have access to that data, the details of storage, who’ll have access and how it was obtained.
Right to rectification - Article 16
Individuals have the right to rectify incomplete or inaccurate data.
Right to erasure - Article 17
Individuals have the right to be forgotten - erasure of their personal data from the collector and third-party processors.
Right to restriction of processing - Article 18
Individuals can object to the processing of their data.
Right to data portability - Article 20
Individuals can request for their data to be exported for the purpose of transferring it to another controller of their choice, without hindrance.
Does it apply to my business?
Your business will need to comply if:
- Your business has an office in the EU
- Your Australian website allows EU individuals to purchase a product or service in their own language, with payment in euros
- Your Australian website refers to customers in the EU
- Your Australian business tracks and uses techniques to analyse and profile EU individuals using data obtained over the internet
Basically, your business falls under the GDPR if it collects or handles the data of any EU citizen.
My business abides by the Australian Privacy Act - isn’t that enough?
It’s not if your business is accountable to the GDPR. The Federal Government introduced the Australian Privacy Act in 1988, before the internet became mainstream. And while the Australian Privacy Act has had amendments, the GDPR goes further in protecting individuals’ rights to privacy and issuing hefty fines for non-compliance and data breaches.
Some main Privacy Act/GDPR differences include:
Who it applies to:
Data processing activities of businesses, regardless of size, that are data processors or controllers.
Australian Privacy Act
Most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
What it applies to:
Personal data – any information relating to an identified or identifiable natural person.
Australian Privacy Act
Personal information (PI) – information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Applies to data processors or controllers:
- With an establishment in the EU, or
- Outside the EU, that offer goods or services to individuals in the EU or monitor the behaviour of individuals in the EU
Australian Privacy Act
Applies to businesses:
- Incorporated in Australia, or
- That ‘carry on a business’ in Australia and collect personal information from Australia or hold personal information in Australia.
Individual rights include:
- Right to erasure.
- Right to data portability.
- Right to object.
Australian Privacy Act
No equivalents to these rights. However, businesses must take reasonable steps to destroy or de-identify PI that is no longer needed for a permitted purpose. Where access is given to an individual’s PI, it must generally be given in the manner requested. Source: Australian Government Office of the Australian Information Commissioner
What are the penalties for EU businesses that fail to comply or suffer a breach?
The GDPR penalties for EU businesses can be severe with up to €20 million or 4% of annual global turnover for infringing on articles in the GDPR.
Have any fines been issued under the regulation?
Yes, at great cost.
Britain’s data watchdog plans to fine British Airways $AUD329 million for a data breach that exposed the names and payment details of nearly 500,000 customers.
The Danish Data Protection Agency issued a taxi company with a $AUD259,392 fine over late deletion of phone numbers that could identify people.
And it’s not only big businesses or internet firms related. The Austrian Data Protection Authority fined an Austrian café $AUD7,764 because its CCTV camera viewed too much of a public area, with no warning to the public that it was doing so.
Can an Australian business be fined under European law?
Nicholas Blackmore, Special Counsel at Kennedys, a law firm in Melbourne, recently wrote on SmartCompany’s website that:
“The good news for Australian startups is that foreign penalties, such as GDPR fines, will not be enforced by Australian courts. As such, a startup that only has operations or assets in Australia might take the view that it can safely ignore the GDPR. That would be a mistake for two reasons. Firstly, an outstanding GDPR fine could hinder your startup from doing business in Europe in the future. Secondly, while foreign penalties are not enforceable in Australia, orders for compensation from certain European courts are. European consumers who suffer loss due to your breach of the GDPR could be awarded damages by a European court, and then seek to enforce that court order against you in Australia.”
Even though he mentions startups, his advice can apply to any existing business, no matter its size, or the size of its client base.
It sounds complicated, have any businesses decided not to do business with EU individuals?
It can be complicated and some US businesses blocked the EU from accessing their websites when the GDPR came into effect. Not because they were specifically breaking the law, but because of the expense of being GDPR compliant and liable to heavy fines if found in breach.
These sites included major newspapers including the Chicago Tribune, New York Daily News, Dallas Morning News, and the Los Angeles Times. Some have said they will comply, while others have said it’s not worth the expense.
Can Australia learn from the GDPR?
Australian businesses and governments could be more transparent with how individuals’ data is stored and used. A recent story in the Sydney Morning Herald disclosed how the Department of Human Services used Medicare data to recruit bipolar patients for a research company. Some patients then accused their psychiatrists of sharing their details.
Professor Gordon Parker, one psychiatrist falsely accused of sharing data, responded:
“I had no idea [the DHS] kept such a database on people dispensed lithium, and I suspect many don’t know Medicare is holding this private, identifying data”
How can I comply?
For starters, look at implementing or changing the following policies in your business:
- Information Security Policy - Is your information secured by hardware, software, encryption, access control, locks and human resources?
- Information Security Awareness and Training - Are your current and new employees updated on risks that can affect organisation and customer information?
- Cryptography and Encryption - Is all client and company data protected by industry-standard encryption?
- Information Classification and IT Acceptable Use Policy - Do your employees use company resources for business purposes only?
- Clear Desk/Clear Screen Policy - Are sensitive documents locked away at night? Do employees lock their computers when leaving their desks?
- Documented Change Management Process - Are IT infrastructure changes approved and documented before implementation?
- Documented Logging and Monitoring Process - Do you know when data and secure areas are being accessed and by whom?
- Documented Physical Access Control Policy - Are employee-only areas secure? Are workstations and servers containing sensitive information secured with select access?
- Internal Assessments/Audits - It’s fine to document a policy, but adherence is key. Are the policies being followed?
For further reading, you can download your own copy of the GDPR. It’s available in 24 languages.
Finally, this post is to give you an idea of the impact the GDPR can have on your business. It isn’t a substitute for legal advice. We are IT professionals and are still navigating this regulation and its application. Speak with your legal advisor about your business’s responsibilities and the rights of your EU customers.
Digital Bridge is a Melbourne website design agency specializing in creating custom website solutions for Australian businesses. Email us to discuss your next web project.