GDPR – What’s with all the emails?
That’s because on May 25, 2018 the European Union’s General Data Protection Regulation (GDPR) came into force. Whilst these regulations were introduced to consolidate privacy regulations across the EU, they have global ramifications and will set the tone for tighter data privacy controls and accountability to come.
What’s this got to do with me?
From May 25, 2018, Australian businesses of any size may need to comply with the GDPR if they:
- have an office in the EU;
- operate a website that targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros;
- operate a website that mentions customers or users in the EU;
- track individuals in the EU (including citizens and temporary residents) on the internet and use data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Why is this a good thing?
With cybercrime reaching near unstoppable proportions, introducing legal requirements around the concept of “privacy by design” is ultimately in the best interests of users. GDPR and other regulations will mandate the inclusion of data protection from the outset in the design of new systems, and build on existing processes to minimise data collection and retention and limit access to personal data.
In its simplest form, the essential message of privacy by design is: Don’t collect what you can’t protect.
The GDPR, in particular, raises the bar by mandating:
- Obtaining consent to collect and use data via freely given, unconditional, plain-English consent mechanisms;
- Data breach reporting within 72 hours;
- The Right to Access: users’ right to find out who is processing their personal information, what information is held and how it is being processed;
- The Right to be Forgotten: User rights to have their personal data erased or processing halted;
- Data Portability: User rights to obtain personal data concerning them and transmit it to other data controllers;
- Where required, the appointment of Data Protection Officers to manage and notify on data processing activities in larger multi-jurisdictional organisations.
Why are all these service providers emailing me?
You are receiving lots of emails about GDPR because organisations, service providers and technology platforms you currently transact with, use or access now have a responsibility to:
- Ensure they have obtained your consent via a clear and easily accessible mechanism that includes full disclosure of the purpose of their data collection, use and processing activities.
- Make users’ consent as easy to withdraw as it is to give through renewed opportunities to “opt-in” or “unsubscribe”.
How does this relate to services I use through Maxsum?
Some of our third-party providers may email you either:
- to request consent to continue processing data on behalf of Maxsum, and/or
- to notify you, as they are legally required to do, of their updated privacy and data collection and use policies under the GDPR.
How does the GDPR relate to the Australian Privacy Act and the Notifiable Data Breaches (NDB) Scheme?
The GDPR and the Australian Privacy Act share many common requirements for organisations to be able to demonstrate:
- A privacy by design approach
- Compliance with the privacy principles and obligations
- Transparent information handling practices.
However, there are several notable differences where requirements under the GDPR have no equivalent under the Privacy Act.
Australian businesses will need to seek their own legal advice to determine whether they need to comply with the GDPR, and should seek specialised legal, business technology and compliance advice in relation to their data handling practices.
For an overview of how the Australian Privacy Act differs from the GDPR, view the GDPR and Australian Privacy Act Comparison Table.
(Source: Office of the Australian Information Commissioner)