Article

GDPR: Is Your company ready?9 min read

Mike Soden April 30, 2018

Data privacy is a right everyone is entitled to. Businesses need to be aware of their responsibilities and the risks associated with not understanding what’s involved, especially with the May 2018 changes being introduced via the EU General Data Protection Regulation (GDPR). 

Cambridge Analytica reports show social media giants like Facebook are taking customer’s rights for granted and are infringing on users’ data and privacy. This breach of trust has led to highly-personal information being sold to anti-social elements.

Incidents like this have mobilised international authorities to create stringent regulations, designed to protect the data privacy of customers.

EU’s bold reply

With digital data protection policies being questioned after the Facebook incident, many governmental and international organisations have started strengthening their data privacy rules and digital regulations. One such set of regulations that the EU has put forth is the EU General Data Protection Regulation (GDPR).

With the regulation coming into enforcement in the next few months, companies need to scramble to make themselves compliant. With a completely new digital ecosystem, companies need to decide how best to navigate the choppy waters of an ever-changing digital environment.

Understanding GDPR

What is GDPR?

The European Union’s Digital Data Protection Directive (1995) is in the process of being replaced by a more stringent and rule-heavy regulation. This regulation, called the EU General Data Protection Regulation (GDPR) 2016/679, is designed to cover data protection and data privacy. The regulation has been designed to protect all EU web users from digital malpractices by restricting and controlling the export of data both within and outside the EU.

The GDPR is an attempt by the EU to provide customers and Internet users complete control over the information they publish on the Internet. The regulation is also an attempt to simplify international business within the EU.

Parties covered under the GDPR are:

  • Companies which have facilities located within the EU
  • Companies which provide goods and services to EU members
  • Companies which monitor the movement and data usage of EU residents

The GDPR was adopted on 27 April 2016 and will be made enforceable from 25 May 2018.

Tackling GDPR in Australia

Although not part of the EU, Australian may soon find itself having to comply with the requirements of the GDPR. One of the largest global markets, Australia is both serving and being served by EU members. Many websites in the country are in EU languages like French and German and most businesses have divisions dedicated to serving EU markets.

Home-grown Australian businesses and overseas companies setting up facilities in Australia need to understand how the GDPR works to conduct compliance-conformant business in the country.

Some of the rules of the GDPR resonate and reflect the requirements of the Australia Privacy Act 1988. These rules include:

  • Each company must use the privacy by design approach to design all its products, services and processes
  • Each company must remain compliant with all EU directed obligations, rules and regulations
  • Each company must implement a transparent process of data sharing and usage by keeping all stakeholders in the loop about data management

In terms of these specific rules, Australian businesses needn’t worry about policy restructuring. However, there are also certain rules that are completely new to Australian businesses and which happen to be confusing.

For example, the Right to Erasure is a rule that grants users the option to have website administrators remove any personal data of theirs from the web. Any data that has been unlawfully collected and processed or which violates any of the data privacy rules of the EU member states must be removed from the source by the administrator. However, administrators have no obligation to remove this data if the customer’s demand impinges upon their right to freedom of expression and information.

Conflicting rules like this can create a tricky situation for businesses. A line needs to be drawn to identify what constitutes as data privacy infringement and what doesn’t. Another question that needs to be answered is – what GDPR rules should we follow and how? This could be where Australian businesses face a challenge.

Impact of EU GDPR enforcement on Australian businesses

Cyber security is a huge concern for Australians. 2017 alone saw more than six million Internet users falling prey to cyber security frauds.

 With such a tense atmosphere in the country, you would think the GDPR would be a welcome relief for Australian businesses.  But, as it turns out, it’s not. The enforcement of the EU GDPR acts as a double-edged sword.

As of now, the Australian data privacy regulation is quite business-friendly. But, compliance with the GDPR entails the adoption of technology and processes that are so stringent that they may turn out to be a very serious trade barrier, discouraging non-EU businesses from interacting with Australia. 

However, non-compliance is hardly the solution here. Not following the requirements of the GDPR can lead to steep penalties amounting upwards of AU$31.2 million and reaching as high as 4% of the global GDP.

Additionally, the GDPR sanctions other EU member states with the power to stop a member state’s companies from conducting businesses in/with the EU on grounds of non-compliance.

The GDPR is set to have a drastic impact on the way customers are engaged and served across the EU. While the new regulation allows businesses to become more customer-conscious and user-friendly, they also add data usage restrictions which may ultimately impact the quality of service provided by the company.

Are Australian companies prepared for the EU GDPR?

The recent enforcement of the Notifiable Data Breaches (NDB) scheme has business leaders and policymakers occupied, leaving them with little room for accommodating the GDPR. A regulation that requires its own unique set-up, NDB compliance is a time consuming, highly-demanding task.

The NDB’s authorisation that Australian businesses must conduct a thorough due-diligence of any data breaches before notifying users stands in stark contrast to the GDPR’s highly-restrictive 72-hour window for notification.

According to both regulations, every business must first conduct a comprehensive data risk analysis to identify:

  • The number of touch points for collecting data
  • Types of safeguards implemented to protect data when collected, processed and disbursed
  • Nature of data usage limits
  • Nature of data breaches
  • Coverage and extent of rules which authorise employees to use data

In order to remain compliant with both regulations, Australian companies need to evaluate their data management procedures and conduct due-diligence all within the 72-hour timeframe, while collecting sufficient evidence to support their claims.

Unfortunately, a lot of small Australian businesses either do not have the knowledge or lack the technology necessary to conduct a thorough analysis of their data usage practices. This creates a problem when companies need to fulfil both the NDB and GDPR requirements. Without sufficient evidence, the NDB will not accept company reports, while crossing the 72-hour limit may result in companies getting penalised for non-conformance. For Australian businesses, meeting one regulation could mean potentially violating the other.

Tips to remain compliant with the GDPR

Involve your stakeholders

The very first thing you need to do is inform all your stakeholders about the GDPR. Educate them how the new regulation affects the business and what their role is in ensuring data privacy in data management.

Map data

Identifying data sources and all touch points which disseminate data is important. Once you know where your data comes from, who handles it and the path it takes to reach you, you can work on implementing the required controls.

Review and update the privacy policy

As per the GDPR guidelines, any company may be called forth to prove how it protects its users’ data privacy. One way to remain compliant is to hire a Compliance Consultant and have him/her understand the requirements of the GDPR.

Have the consultant review your data privacy policy and update/edit it to suit the requirements of the new regulation. Send notices to all stakeholders informing them of the change.

Identify what is lawful data processing and what isn’t

The GDPR regulation has specific restrictions, rules and addendums which need to be followed by specific industries and not by others. This creates confusion as to what ‘lawful data processing’ is for each industry. Your Compliance Consultant will be of great help here.

Change data procedures to comply with the new privacy requirements

Employ a Data Protection Officer and have him/her review how you format, disseminate, process, share and delete data across devices and take ownership of data privacy. Consider pseudonymising the data, to add an extra layer of security to your users’ personal information.

Manage consent

‘Consent’ in digital data management is a tricky thing. Often, customers are unaware that they have given companies their consent to use their personal data. To meet GDPR requirements, companies need to review and change the way they seek, process, store, distribute and manage customers’ consent.

 Most importantly, policies and procedures need to be changed and updated if the end user is a minor, with systems seeking and verifying parental/guardian consent.

Create a system to handle data breaches

If the above steps have been completed carefully, you will find your company better equipped to identify and report breaches to both the EU and the Australian authorities. Familiarising oneself with and training key personnel on all the data breach procedures can help companies be proactive in responding to threats.

Identify your lead data protection supervisory authority

Finally, if you operate in more than one EU markets, identify the point of authority whose policies and rules you are meant to follow. Knowledge of this will help you understand how the GDPR regulation applies to your company and will help you be better prepared for the future.

Want help?
Speak to us at Liquid Digital to get started with a review of your digital customer experience journey. Our team of highly-qualified and trained experts are more than happy to help, and we have special tools to get you the results you want.

Successful companies have always been looking for things to do more efficient than others.
It’s just about being better than competitors, it’s that simple.

Simple, when you know how.

Get in touch with us at Liquid Digital. Our team is here to help you grow your digital business.