Understanding GDPR: Opportunities and Risks

In this post on understanding GDPR, we’ll look at the following:

  • Data Disruption
  • Regulation in the age of Data
  • The GDPR Opportunity?
  • What are the Next Steps?

The post forms the commentary by our regulatory specialists on a recent webinar on understanding GDPR conducted for our clients and interested parties. Below is the video content of the webinar:

Introducing Anne Wardell – Compliance Quarter Regulatory Specialist

Anne is a former member of the Victorian Bar with over thirty years’ experience as a lawyer. She was also the National Director of Insolvency at the ATO and a Deputy Registrar of the Federal Court of Australia.
She was an insolvency specialist acting for liquidators, banks and the Official Receiver, before moving into compliance and regulations.
She has advised energy retailers in relation to license and exemption applications and delivered webinars on the Embedded Network regime.

Understanding GDPR – The coming flood of data by 2020


The Ring of Regulation

  1. Customer Information
  2. APP’s
  3. Privacy Acts States & Territories
  4. Notifiable Data Breach Scheme
  5. GDPR
  6. Special Information
  7. Privacy Act Cth

Customer Information

Privacy Act

  • Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable;
  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Privacy Act 1988 (Cth)

Commonwealth legislation that governs the collection of personal information by:

  • Australian Government agencies (and the Norfolk Island administration)
  • All businesses and not-for-profit organisations with an annual turnover of more than $3 million
  • Credit reporting bodies
  • Businesses that sell or purchase personal information.

This is not an exhaustive list.

GDPR

A European Union regulation that will govern the collection of personal information in the European Union and will cover Australian businesses if they have some connection to the European Union.

Commences 25 May 2018

Australian Privacy Principles (APP’s)

The APP’s are contained in Sch 1 of the Privacy Act 1988 (Cth) and set out the mechanics of complying with the Privacy Act; they cover:

  1. the open and transparent management of personal information including having a privacy policy
  2. an individual having the option of transacting anonymously or using a pseudonym where practicable
  3. the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
  4. how personal information can be used and disclosed (including overseas)
  5. maintaining the quality of personal information
  6. keeping personal information secure
  7. right for individuals to access and correct their personal information

Notifiable Data Breach Scheme (NDB)

The NDB will commence on 22 February 2018 and requires organisations covered by the Privacy Act to notify any individuals likely to be at risk of serious harm from a data breach.

This notice must include recommendations about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breaches to determine whether they are likely to result in serious harm.

Regulation in the Age of Data

  • More data than ever
  • Meaning for Regulation and Regulators
  • Relationship between Regulation and Trust

Regulation > Business < Big Data

Data Protection Officer (DPO)

A DPO will need to be appointed where the core activities require regular and systematic monitoring of data subjects on a large scale.
A DPO must have expert knowledge of data protection law and practices.
The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

See Arts 37 to 39 GDPR.

The data protection officer shall have at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

Productivity Commission Report on Data Availability and Use

Some recommendations:

  • A new right for consumers to access and share their data.
  • A new data sharing and release structure that can be “dialled up or down” according to different risks associated with different types of data.
  • The designation of National Interest Datasets that have the capacity to deliver community benefits across a range of sectors.
  • Accreditation of public bodies to be sector-based national data Accredited Release Authorities.
  • Passing of a new Data Sharing and Release Act to enable the authorising environment for the proposed reforms.

The GDPR Opportunity?

  1. When does GDPR apply to Australian Entities?
  2. Who are the main players under GDPR?
  3. What do you need to do about data?
  4. Is it possible to differentiate by Compliance and Custodianship?

Australian businesses may need to comply with the GDPR if they are:

  • An Australian business with an office in the EU.
  • An Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euro[8]
  • An Australian business whose website mentions customers or users in the EU[9]
  • An Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preference, behaviours and attitudes [10]

A Controller must only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures that ensure compliance with the GDPR and protect the rights of the data subject (Article 28(1)).

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

OAIC recommendations

  1. Australian businesses should determine whether they need to comply with the GDPR and, if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement. (Source: Privacy business resource 21)
  2. A privacy impact assessment (PIA) is an important component in the protection of privacy, and should be part of the overall risk management and planning processes of APP entities.

Fines under the GDPR

4% of annual turnover OR €20 million whichever is the greater

What are the next steps?

  • Understand what you collect
  • Examine your role under GDPR
  • Make structural changes
  • Demonstrate and show compliance

Where Do I Start?

White Paper – you can sign up using the pop-up window or email us for a copy

Data Readiness Assessment; please visit our FREE GDPR Readiness Questionnaire to provide some vital information to allow us to give you an initial assessment of where you stand and the next steps.

Summary for understanding GDPR

  1. Be aware of the introduction of the GDPR and NDB Scheme.
  2. Understand what role your organisation has.
  3. Review any vendor contracts to ensure they will comply.
  4. Appoint a Data Protection Officer if required.
  5. Review data collection process and modify where necessary to comply.

Commentary and analysis by Compliance Quarter’s Anne Wardell were featured in a recent article on GDPR by the CNS Group in the UK – you can view the article here.

Greater Regulation of Embedded Networks in 2018

Today we look at two new publications that will impact the regulation of embedded networks in 2018.

This month saw the release of the Australian Energy Market Commission’s (AEMC) final report on the Regulation of Embedded Networks along with the publication of Version 6 of the Electricity Network Service Provider Exemption Guideline (draft) by the Australian Energy Regulator (AER).

By Connor James, Compliance Quarter.

Electricity Network Service Provider Guideline

As readers will be aware, in the Eastern States, anyone who engages in an electricity distribution activity must either be registered with the Australian Energy Market Operator as an electricity network service provider or must gain an exemption from that requirement. Exemptions are granted by the AER.

On 17 November 2017, the AER published a new exemption guideline, version 6. This new draft guideline should be read by all existing exempt operators.

The new draft guideline goes into further detail about microgrids and local energy sales:

“The AER is supportive of the concepts of microgrids and private trading but we caution there are significant regulatory hurdles which must be overcome before a microgrid or private selling of excess electricity can be implemented. We will work with proponents to develop models that respect and enhance the rights of customers to access new energy options but our ability to facilitate microgrids is limited by the constraints of the current regulatory framework.”

Other changes within version 6 include clarification about the requirement of exempt sellers with respect to life-support customers (which goes without saying as being important), clarification about who pays for a metering upgrade or installation, and clarification about embedded networks that include embedded generation.

With respect to embedded generation, version 6 notes that additional requirements will apply to a generator, battery or inverter type installation where there is an aggregate capacity measured at the connection point of greater than 5MW output. All such systems require review by the Australian Energy Market Operator (AEMO).

Submissions can be made on the draft guideline prior to COB Monday 15 January 2018.

The AEMC Final Report

The AEMC notes that there are now over 200,000 embedded network customers and a growing number of exempt energy sellers.

These energy sellers are bringing innovation that has not been seen previously. Energy sellers within embedded networks often include embedded generation and energy storage as part of their product. Overall, this has resulted in increased complexity and difficulty for the regulator in determining the appropriate regulatory setting.

The AEMC examined the existing regulatory framework against issues faced by consumers and the benefits of embedded networks:

“These benefits can include the promotion of innovation in products and services that can help manage energy costs in embedded networks such as embedded generation and demand management services.”

Consistent with the AER’s submission to the AEMC review, the AEMC found the existing regulatory framework is not fit for purpose.

“However, the current regulatory arrangements for embedded networks are resulting in some customers not being able to access competitive prices or important consumer protections. There are also insufficient monitoring and enforcement powers for the Australian Energy Regulator (AER), leading to a lack of clarity that embedded network operators are meeting their obligations as suppliers of an essential service. While some embedded networks are providing benefits to energy consumers they may not receive in a standard supply arrangement, often they do not.”

The recommendations in the final report are wide-ranging. Recommendations are focused on three areas:

  1. Improving access to competition
  2. Elevating embedded networks into the national framework
  3. Better regulation of new and legacy embedded networks

The implementation of these recommendations will be significant from the perspective of embedded network operators. Embedded network operators should be considering the changes coming in 2018 and acting now to ensure that they can continue to run their business.

We will publish a separate article in the coming days, going to further detail on the AEMC report, in the meantime please feel free to contact us if you wish to discuss the regulation of embedded networks.

A new Consumer Data Right for 2018: What we Know So Far

On 26 November the Federal Government announced its intention to legislate a national Consumer Data Right next year, following the recommendations of the Productivity Commission (which you can view here).

In today’s article we look at what we currently know about this proposed data right and suggest how it relates to existing data rights and other changes proposed by the Government.

By Dr Drew Donnelly, Compliance Quarter.

What we know so far

The Government will announce its formal response to the Productivity Commission’s Inquiry Report Data Availability and Use (PC Report) in a few weeks’ time, so this announcement is a ‘sneak peek’, with more detail to be released shortly. Nevertheless, there are a few things that we know from the Government’s comments to date:

  • This follows the recommendations of the Productivity Commission with respect to a proposed consumer right, so is likely to have similarities with that proposed right
  • It will be established sector-by-sector, beginning with the energy, telecommunications and banking sectors.
  • Utilities will be required to provide standard, comparable, easy-to-read digital information, that third parties can readily access.

The consumer data right as recommended by the Productivity Commission

The Productivity Commission recommended a Comprehensive Consumer Right which would enable consumers to:

  • share in perpetuity joint access to and use of their consumer data with the data holder
  • receive a copy of their consumer data
  • request edits or corrections to it for reasons of accuracy
  • be informed of the trade or other disclosure of consumer data to third parties
  • direct data holders to transfer data in machine-readable form, either to the individual or to a nominated third party (See PC Report, recommendation 5.1).

So, what is consumer data?

According to the Productivity Commission, consumer data is digital data, provided in a machine-readable format, that is:

  • held by a product or service provider
  • identified with a consumer
  • associated with a product or service provided to that consumer.

Participants in an industry would determine the scope of consumer data relevant to their industry through a ‘data-specification agreement’. These agreements would also set out transfer mechanisms and procedures for the security of data.

These agreements would require approval by the Australian Competition and Consumer Commission, which would then register them (See PC Report, recommendation 5.2).

Of course, at this stage, we do not know to what extent the Government’s proposed right would reflect the recommendations in the PC Report.

Don’t the Privacy Act and the GDPR already provide access to such information?

Both the Privacy Act 1988 and the General Data Protection Regulation (for businesses that have dealings with EU customers) provide a data access right. But this right relates to accessing personal information or data. Consumer data includes personal information or data, but it is a wider category. For example, it may include data created from consumers’ online transactions or internet activity or data purchased about a consumer, which cannot be used to identify a person, and therefore does not count as personal information or data. The precise scope of consumer data will depend on the industry in question and the content of the agreements that apply in that industry.

How does this relate to other Government reviews?

Recently, the Government separately announced its intention to introduce mandatory comprehensive credit reporting (http://sjm.ministers.treasury.gov.au/media-release/110-2017/). This will mean access to a richer credit data set for potential lenders. It is likely that this bank of credit information will constitute part of the consumer data that an individual has a right to access under the new consumer right.

The Government also announced earlier this year the introduction of an ‘Open Banking Regime’ (for more information see https://compliancequarter.com.au/open-banking-regime-fintech/). The review looking at how a regime would be implemented is due to report back by the end of the year. The Open Banking Regime would seek to “increase access to banking product and consumer data by consumers and third parties, if the consumer consents”. Note the proposal that this regime would go beyond rights of consumer access to include third parties.

While we will have to wait until the Government’s formal response to the PC Report to find out the essential details of the regime, let us know if you need advice on how you might incorporate the proposed consumer right into your 2018 compliance program.