Data protection obligations for many Australian organisations are going to change with the GDPR, the EU General Data Protection Regulation, which applies from 25 May 2018. Under the regulation, any organisation that processes personal data of individuals in the EU must comply, whether or not it is established in an EU country.
The GDPR imposes strict requirements for obtaining consent from individuals in the EU before their personal data is processed: consent must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. For online services offered directly to children, the default age at which a person can give their own consent is 16, although individual member states may lower it to no less than 13.
The GDPR requires that personal data be deleted once it is no longer needed for the purpose for which it was collected. Organisations must also delete data where processing relied on consent and the person has revoked it. If an organisation suffers a personal data breach, it must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned. Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive categories of data, are required to appoint a Data Protection Officer.
If an organisation fails to comply with these regulations, it can be fined up to 4% of its annual worldwide turnover or €20m (over $30 million AUD), whichever is higher.
GDPR’s Impact on Australian Companies
Business entities in Australia that offer goods or services to individuals in the EU, or that monitor their behaviour, will be affected by the GDPR. These may include companies that export goods to the EU, provide financial services in that region, or have direct clients in the EU.
The biggest impact of the GDPR on Australian companies is that they will no longer have unrestricted control over the personal data they hold: individuals in the EU gain enforceable rights over how that data is collected, used, retained and deleted. Any Australian business that gathers and/or analyses the personal data of people in the EU will be affected by the new law.
Steps to be taken by Impacted Organisations in Australia
Organisations operating in Australia that hold personal data of individuals in the EU must take the following steps in order to comply with the GDPR:
- Any such business must have a risk-based approach to privacy management in place, with accountability for how personal data is handled.
- They need to identify what personal data they are processing and why. For this purpose, they should form and implement effective policies and strategies, and map the channels through which they collect, store and share that data.
- They must establish a process to detect, assess and report personal data breaches, so that the 72-hour notification deadline can be met. Failing to do so exposes them to heavy fines.
- They also need to assess whether they are obliged to appoint a Data Protection Officer, who will be responsible for overseeing the data protection measures they implement.
To support these requirements, an organisation can design its Information Security Management System around ISO 27001. Certification is not itself a GDPR requirement, but an ISO 27001-aligned ISMS provides the risk assessment, controls and documentation that the regulation expects an organisation to be able to demonstrate.