Will Europe’s new data laws affect you?

The European Union (EU) is rolling out a reformed legal framework to help protect the rights of EU citizens to a private life. The reforms comprise two instruments which will become effective from May 2018:

• The General Data Protection Regulation (GDPR), which is designed to enable individuals to better take control of their personal data;
• The Data Protection Directive, under which the police and criminal justice sectors will ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or a law enforcement action.

Although the reforms are taking place in Europe, organisations that deal with any personal details of a EU citizen will need to comply with the regulations or be subject to fines — which can be as high as the greater of 4% of the entity’s global gross revenue or €20 million. Additionally, the GDPR will also give data subjects (ie, impacted individuals) a private right of action in EU courts, under which they can claim monetary damages for harm caused by the processing of their personal data.

Any Australian entities that have establishments in the EU, offer goods and services in the EU or monitor the behaviour or information of individuals in the EU need to comply. The individuals’ data may be of a customer, an employee, a contractor, a student, a supplier — basically any individual who is an EU citizen, no matter where they reside.

Even a small organisation with only a web-based presence would need to comply if an EU citizen can access their site and provide their personal information.

Specifically, Australian businesses that may have to comply include:

• those with an office in the EU;
• those whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros;
• those whose website mentions customers or users in the EU; and
• those that track individuals in the EU on the internet and use data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

Australian businesses that have EU citizens as employees will also need to comply. Organisations should also consider that whilst they may not process any EU citizens’ data today, this can always change in the future, and may be unexpected or unplanned.

Many Australian organisations will already have governance processes in place to comply with the Australian Privacy Act 1988, which does share some common requirements with the forthcoming GDPR requirements. However, there are also some differences, especially in terms of certain rights of individuals, which are not covered in the Australian Privacy Act 1988.

One of the rights of an individual within the GDPR is the ‘right to be forgotten’. This right to erasure gives individuals a right to require data controllers to delete their data in certain circumstances, including:

• where the information is no longer necessary for the purpose for which it was collected; and
• where the individual withdraws their consent and there is no legal ground for processing their data.

Another right individuals will have is for ‘portability’ of their data, which involves being able to request that their information should be provided in a format to allow it to be ‘ported’ to another organisation.

GDPR covers all data — structured and semi-structured — as well as all of the unstructured data that an organisation may have collected, which can include emails, photos, recordings and so on.

All legacy data that an organisation has is included, in addition to new data captured after the introduction of GDPR. So while organisations may be putting new governance processes and rules in place to apply as data is collected in real time, they will also need to deal with all the data that already exists. Volumes of data that have been captured as ‘big data’ initiatives in the hope of discovering trends or patterns will also need to comply.

Organisations should consider the relevance and need for all this legacy or big data history and whether it needs to be kept at all — deletion may be a better option, saving storage space and avoiding costs in ensuring the data can comply with GDPR.

Many organisations will already have data privacy rules and procedures in place; however, it will be prudent for them to review the requirements of GDPR and take any necessary steps to improve or update their privacy rules and procedures to ensure they do completely comply with GDPR.

Unfortunately, data breaches are reported on a frequent basis. According to the Breach Level Index, at least 5,911,431,891 data records have been lost or stolen since 2013. Of these, only 4% were ‘secure breaches’ where encryption was used and the stolen data was rendered useless.

The Breach Level Index indicates that in the first half of 2016, there were 76 incidents reported in the Asia–Pacific region, which was 8% of the worldwide total of 772. Notably, within the Asia–Pacific, Australia reported 22 incidents, which was the highest number in the region. India was the second highest with 13 incidents.

Whilst consumers in Australia are unlikely to know anything about the EU GDPR, they are likely to value organisations that comply with it and offer individuals the same rights offered to EU citizens, such as the right to be forgotten.

Organisations should invest to embrace the GDPR standards and ensure they comply, as there is an upside in being able to better protect data records, potentially avoiding expensive or embarrassing data breaches. There is also the important removal of the risk of receiving hefty fines for not complying with the GDPR. Organisations should consider complying with the GDPR to be a mandatory responsibility.

Organisations should also assess exactly how the GDPR is likely to affect them — especially in terms of processing data relating to EU citizens, both now and in the future — and determine what technical and organisational changes are needed to be able to comply with the GDPR.

They should also deploy technical solutions that are likely to be needed, in order to ensure all forms of data retained or processed by the organisation will comply with the GDPR requirements. To this end, unless already in place, data protection officers should be appointed as required.

Peter Hall is an IBRS adviser who covers enterprise infrastructure and management, with more than 34 years of executive experience in companies such as Hewlett-Packard, Blade Network Technologies, IBM and Lenovo.

Image courtesy fdecomite under CC BY 2.0

Follow us on Twitter and Facebook