How Europe's GDPR will affect Australian organisations
In May 2018, the General Data Protection Regulation (GDPR) will come into play, requiring organisations around the world that hold data belonging to individuals from within the European Union (EU) to provide a high level of protection and explicitly know where every ounce of data is stored.
Organisations that fail to comply with the regulation requirements could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The laws do not stop at European boundaries, however, with those in the rest of the world, including Australia, bound by the GDPR requirements if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to implement a privacy-by-design approach to compliance; to be able to demonstrate compliance with privacy principles and obligations; and to adopt transparent information handling practices.
There are a bunch of differences, too, with the appointment of a data protection officer to each organisation one significant requirement under the GDPR.
Speaking at the Data + Privacy Asia Pacific conference in Sydney on Wednesday, Australia's Privacy and Information Commissioner Timothy Pilgrim explained that although Australian law doesn't mandate having a data protection officer inside an organisation, the GDPR does, so organisations trading in the EU need to ensure they have an individual charged with the responsibility.
"These are key issues that you need to start thinking about if you are dealing or trading in Europe," Pilgrim said.
He also recommends Australian organisations use the opportunity to ensure they are compliant with their requirements under the Privacy Act, such as having good governance in place and undertaking privacy impact assessments.
"There are a lot more similarities than difference and that's what we need to draw on," he said.
The GDPR is a somewhat consent-based law, with Article 17 of the regulation titled the Right to Erasure -- the right for an individual to be "forgotten" by an organisation that holds their data.
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay," the GDPR states.
It also states that an individual can correct any misinformation held on them.
Under Australian law, Pilgrim explained that an organisation doesn't even require specific consent for the general collection of personal information unless it is collecting sensitive information, let alone the mandate to erase the trace of an individual.
Under the GDPR, individuals are protected against being subject to determinations based on automated systems without human intervention. As such, practices employed by organisations similar to what the Australian Department of Human Services had adopted with its Centrelink automated debt recovery project may find themselves in deep water.
Simon Entwisle, Deputy Commissioner of Operations for the United Kingdom's Information Commissioner's Office (ICO), clarified the GDPR also covers an outsider who is in Europe.
"Anyone in Europe is covered and it's not just citizens either ...if you're in Europe and subject to some heinous data protection issue, then you're covered by the GDPR," he explained.
The GDPR is centred on the individual and their rights, and places a hefty responsibility on organisations. In Entwisle's words, it clarifies the definition of personal data, it makes consent more specific, it's supposed to result in transparency and accountability, it places obligations on data controllers and data processes, and charges them with additional responsibilities too.
With $26.9 billion in revenue for 2016, Entwisle put social media giant Facebook on notice for adhering to the GDPR rules.
As Brexit pushes ahead, the UK is still bound by the GDPR for as long as it is a part of the EU; however Entwisle noted the ICO -- the independent body set up to uphold information rights in the UK -- only receives data breach notifications on a voluntary, not compulsory, basis.
In an effort to legislate around informing Australians of when their privacy has been breached, the federal government finally passed its data breach notification laws at its third attempt in February that will see people be alerted of their data being inappropriately accessed come February 2018 under the Privacy Amendment (Notifiable Data Breaches) Act.
The legislation is restricted to incidents involving personal information, credit card information, credit eligibility, and tax file number information that would put individuals at "real risk of serious harm".
Notification laws apply only to companies covered by the Privacy Act, and sees intelligence agencies, small businesses with turnover of less than AU$3 million annually, and political parties exempt from disclosing breaches.
Organisations have 30 days to declare the breach; under the GDPR, organisations have 72 hours to notify authorities after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
One of the major tasks for all the data protection authorities around Europe at the moment is to gear up the resources to deal with the GDPR.
"It's massive, we're looking to increase our staff by about 15 percent or something like that," Entwisle explained. "It's a big deal and there are some massive challenges."
Speaking with ZDNet earlier this year, Louis Tague, Australia and New Zealand managing director at Veritas Technologies, said only 30 percent of local businesses meet the requirements to comply with the GDPR and that they are either not aware of the implications of GDPR or potentially underestimate the effort needed to be compliant under the directive.
According to survey findings released by Dell Technologies in October, nearly 90 percent of businesses in Asia Pacific know little or nothing about the EU's upcoming regulation, while another 93 percent did not have any plan in place for when the GDPR regime kicks off.
Article 5 of the GDPR says that organisations must be able to demonstrate they comply with all the principles relating to the processing of personal data; organisations must also implement appropriate technical and organisational measures, including data protection policies, to ensure and be able to demonstrate that processing complies with the GDPR under Article 24; and Article 25 stipulates that organisations must implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities -- "data protection by design and by default".