The European Union has long favoured the protection of personal privacy over the desire of governments and law enforcement to snoop on our data. Its rules for the protection of Personally Identifiable Information (PII) have been among the strongest in the world. Now the General Data Protection Regulation (GDPR), adopted in April 2016, becomes enforceable on 25 May 2018. What does this mean for Australian businesses?
What is the GDPR?
The GDPR is really a set of different rules. These include:
- Notification: Companies must notify the regulator of a data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to "result in a risk for the rights and freedoms of individuals". Where the breach is likely to result in a high risk, the affected individuals must be notified as well.
- Access: Individuals can ask for confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. They can also request a copy of the personal data in an electronic format at no cost.
- The right to be forgotten: Individuals can ask for PII about them to be erased, and for third parties that have received that data to be told of the request, where one of the grounds in the regulation applies; withdrawing the consent on which the processing was based is one such ground. In other words, consent to collect and use data can be revoked, and revoking it has consequences for everyone who holds the data.
- Portability: Individuals can receive the personal data they provided to one entity in a structured, commonly used and machine-readable format, and pass it (or have it transmitted directly) to another.
- Privacy by design: There is now a legal obligation to build systems with privacy as a core design element.
- Data protection officers: Public authorities, and entities whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of data, must appoint a Data Protection Officer - an internal or external person - who oversees the processes associated with compliance with the GDPR. Other entities may appoint one voluntarily.
Who does the GDPR apply to?
It would be easy to put your head in the sand and think this is a uniquely EU set of rules. But the GDPR protects the personal data of individuals in the EU regardless of where that data is stored, and it reaches organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour.
For example, the recent Equifax breach resulted in the PII of a number of EU residents being compromised. Had the GDPR been enforceable at the time, Equifax could have faced regulatory action and significant fines.
In short, even if you're an Australian business, if you sell to, serve or track people in the EU, you need to look into whether the GDPR applies to you.
The good news is, if you look at what's required of you under the GDPR, that you'll be giving your customers great protection for their PII.
Small businesses (defined as having fewer than 250 employees) are exempt from some obligations, notably the duty to keep detailed records of processing activities, unless their processing is risky, regular, or involves sensitive data. But it seems to me that complying with the rules makes good business sense.
The penalties for non-compliance
This is where it gets ugly. If you breach the GDPR, the penalties can be substantial. Depending on the provision breached, the regulator's options range from corrective measures to two tiers of fines:
- a warning in writing in cases of first and non-intentional non-compliance
- regular periodic data protection audits
- a fine up to €10,000,000 or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- a fine up to €20,000,000 or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
Tying penalties to annual worldwide revenue makes penalties meaningful, in my view. After all, even a €20,000,000 fine is relatively inconsequential for a business that has billions of dollars in quarterly revenue.
The nitty gritty of which penalties apply in particular circumstances is in Article 83 of the regulation.
The actual legislation associated with the GDPR is quite long and filled with legalese and so many cross-references that reading it can be challenging. Here are a few resources to help you get your head around what the GDPR means and what you might need to do to be ready for it.