The Office of the Australian Information Commissioner (OAIC) has published new guidance for Australian businesses on the European Union’s General Data Protection Regulation (GDPR) requirements.
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they monitor the behaviours of individuals in the EU.
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- Implement a privacy by design approach to compliance
- Be able to demonstrate compliance with privacy principles and obligations
- Adopt transparent information handling practices
- Recognise the importance of consent when dealing with personal data.
There are also some notable differences between the Australian Privacy Act and the GDPR that could trip up an unwary business:
- The ‘right to be forgotten’, which requires the deletion of an individual’s data upon request, has no equivalent right under the Privacy Act.
- Australian businesses of any size may need to comply with the GDPR (as opposed to the limited exemptions under Australian law for small businesses with an annual turnover of $3 million or less).
- The terms ‘data controller’ and ‘data processor’ are not familiar to many Australian businesses, but they are fundamental to complying with the GDPR. You will need to identify which term applies to your business and will most likely need to appoint a representative in an EU Member State to field communications from the EU regulator and from individuals.
- Under the GDPR, data controllers must notify the authorities of a data breach within 72 hours of becoming aware of the breach. Under Australia’s new mandatory data breach notification laws (effective 22 February 2018), an entity will have to notify Australia’s Information Commissioner and affected individuals as soon as practicable, which will in most cases be a more generous time frame than the 72 hours required by the GDPR.
- Australian businesses need to be aware that the relationship between a data controller and a data processor (as those terms are understood under the GDPR) must be recorded in a contract containing certain mandatory clauses.
- Under the GDPR, an individual can require a data controller to provide the individual’s data in a commonly used, machine-readable format so that it can be ported to a new data controller.
Australian businesses should take steps now to ensure their personal data handling practices comply with the GDPR before commencement.
Who will the GDPR apply to?
The GDPR applies to the data processing activities of businesses, regardless of size, that are data processors or controllers with an establishment in the EU. Generally speaking, a controller says how and why personal data is processed and a processor acts on behalf of the controller. Where a business has ‘an establishment’ in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.
Examples of Australian businesses that may be covered by the GDPR include:
- An Australian business with an office in the EU
- An Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or by enabling payment in euros
- An Australian business whose website mentions customers or users in the EU
- An Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals in order to analyse and predict personal preferences, behaviours and attitudes.
For further reading, see the OAIC’s Privacy business resource 21.
Boosting GDPR Compliance
The volume of data being created, changed, stored and shared is growing exponentially. There are thousands of different file extensions and file types. Files are accessed and stored in a multitude of network and cloud repositories. Hidden inside, confidential data could be just about anywhere.
To make matters worse, organizations are inundated with “dark data”, typically unstructured, unidentified and unclassified. Dark data is continuously created, modified and stored during regular business activity, but cannot be reused or governed according to privacy and data-protection regulations like GDPR.
MinerEye’s automated information governance puts the vast volumes of data, even dark data, into order, rendering it protectable and reusable and compliant with regulations.
Introducing VisionGrid™ For Enterprises
The MinerEye solution incorporates a 3-step automated process for the identification, classification, and tracking of sensitive information assets across data sources.
GDPR Use Cases Supported By MinerEye
- Does not depend on human actions or definitions, but leverages Artificial Intelligence to learn, discover, continuously map, track, and protect personal data [GDPR reference: Page L 119/3, (15)]
- Right of Access: Continuously tracks and reports on personal data based on multiple identifiers that enable quick and easy access by category/data subject [GDPR reference: Page L 119/12, (63)]
- Uses byte-level analysis to find and match genetic data to natural persons [GDPR reference: Page L 119/6, (34)]
- Continuously scans vast volumes of data for PII, restoring classifications and protections even after incidents
- Rapidly identifies and automatically enforces established categories of personal data [GDPR reference: Article 15. 1. (B)]
- Identifies all data and tracks its origin and life-cycle for rectification of inaccuracies, timely deletion, and periodic review [GDPR reference: Page L 119/7, (39)]
- Data Transfers: Data segregation capabilities enable automatic data tracking across geographic boundaries [GDPR reference: Page L 119/19, (101)]
- Protection & Rectification: Continuously scans and finds where data resides and has changed, enabling erasure of extraneous data, data minimization and pseudonymization [GDPR reference: Articles 25, 5d]
- Enables fast and simple impact assessment over large volumes of data without necessitating subject matter expertise [GDPR reference: Page L 119/16, (84)]