Understanding GDPR: Opportunities and Risks

In this post on understanding GDPR, we’ll look at the following:

• Data Disruption
• Regulation in the age of Data
• The GDPR Opportunity?
• What are the Next Steps?

The post forms the commentary by our regulatory specialists on a recent webinar on understanding GDPR conducted for our clients and interested parties. Below is the video content of the webinar:

Introducing Anne Wardell – Compliance Quarter Regulatory Specialist

Anne is a former of the Victorian Bar with over thirty years’ experience as a lawyer. She was also the National Director of Insolvency at the ATO and a Deputy Registrar of the Federal Court of Australia.
She was an insolvency specialist acting for liquidators, banks and the Official Receiver, before moving into compliance and regulations.
She has advised energy retailers in relation to license and exemption applications and delivered webinars on the Embedded Network regime.

Understanding GDPR – The coming flood of data by 2020

• AVG. INTERNET USER > 1.5 GB OF TRAFFIC / DAY
• AUTONOMOUS VEHICLES > 4 TB OF DATA / DAY
• CONNECTED AIRPLANE > 5 TB OF DATA / DAY
• SMART FACTORY > 1 PB OF DAYA / DAY
• CLOUD VIDEO PROVIDERS > 750 PB OF VIDEO / DAY

The Ring of Regulation

1. Customer Information
2. APP’s
3. Privacy Acts States & Territories
4. Notifiable Data Breach Scheme
5. GDPR
6. Special Information
7. Privacy Act Cth

Customer Information

Privacy Act

• Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable;
• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.

GDPR’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, generic, mental, economic, cultural or social identity of that natural person;

Privacy Act 1988 (Cth)

• Commonwealth legislation that governs collection of personal information by
• Australian Government agencies (and the Norfolk Island administration) and
• All businesses and not-for-profit organisations with an annual turnover more than $3 million
• Credit reporting bodies
• Businesses that sell or purchase personal information.
  This is not an exhaustive list.

GDPR

A European Union regulation that will govern the collection of personal information in the European Union and will cover Australian businesses if they have some connection to the European Union.

Commences 25 May 2018

Australian Privacy Principles (APP’s)

The APP’s are contained in Sch 1 of the Privacy Act 1988 (Cth) and set out the mechanics of complying with the Privacy Act, they cover:

1. the open and transparent management of personal information including having a privacy policy
2. an individual having the option of transacting anonymously or using a pseudonym where practicable
3. the collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
4. how personal information can be used and disclosed (including overseas)
5. maintaining the quality of personal information
6. keeping personal information secure
7. right for individuals to access and correct their personal information

Notifiable Data Breach Scheme (NDB)

The NDB will commence on 22 February 2018 and requires organisation covered by the Privacy Act to notify any individuals likely to be at risk of serious harm by a data breach.

This notice must include recommendation about the steps that individuals should take in response to the data breach. The Australian Information Commissioner (Commissioner) must also be notified.

Organisations will need to be prepared to conduct quick assessments of suspected data breached to determine if they are likely to result in serious harm.

Regulation in the Age of Data

• More data than ever
• Meaning for Regulation and Regulators
• Relationship between Regulation and Trust

Regulation > Business < Big Data

Data Protection Officer (DPO)

A DPO will need to be appointed where the core activities require regular and systematic monitoring of data subjects on a large scale.
A DPO must have expert knowledge of data protection law and practices.
The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

See Art’s 37 to 39 GDPR (link to GDPR Homepage)

The data protection officer shall have at least the following tasks:

1. to inform and advise the controller of the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
3. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35; • to cooperate with the supervisory authority;
4. to act as the contact point for the supervisory authority on issue relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
5. Productivity Commission Report on Data Availability and Use

Some recommendations:

• A new right for consumers to access and share their data.
• A new data sharing and release structure that can be “dialled up or down” according to different risks associated with different types of data.
• The designation of National Interest Datasets that have the capacity to deliver community benefits across a range of sectors.
• Accreditation of public bodies to be sector-based national data Accredited Release Authorities.
• Passing of a new Data Sharing and Release Act to enable the authorising environment for the proposed reforms.

The GDPR Opportunity?

1. When does GDPR apply to Australian Entities?
2. Who are the main players under GDPR?
3. What do you need to do about data?
4. Is it possible to differentiate by Compliance and Custodianship?

Australian businesses may need to comply with the GDPR if they are:

• An Australian business with an office in the EU.
• An Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euro[8]
• An Australian business whose website mentions customers or users in the EU[9]
• An Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preference, behaviours and attitudes [10]

A Controller must only use processors that provide sufficient guarantees, that they will implement appropriate technical and organisational measures that ensure compliance with the GDPR and protect the rights of the data subject (Article 28[1])

The Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purpose and means of such processing are determined by Union or Member Stata law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor means a natural or legal person, public authority, agency or other body which processed personal data on behalf of the controller;

OAIC recommendations

1. Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement. Source: Privacy business resource 21
   A privacy impact assessment (PIA) is an important component in the protection of privacy, and should be part of the overall risk management and planning processes of APP entities.

Fines under the GDPR

4% of annual turnover OR €20 million whichever is the greater

What are the next steps?

• Understand what you collect
• Examine your role under GDPR
• Make structural changes
• Demonstrate and show compliance

Call To Action Slide – Where Do I Start

White Paper – you can sign up using the pop-up window or email us for a copy

Data Readiness Assessment; please visit our FREE GDPR Readiness Questionnaire to provide some vital information to allow us to give you an initial assessment of where you stand and the next steps.

Summary for understanding GDPR

1. Be aware of the introduction of the GDPR and NDB Scheme.
2. Understand what role your organisation has.
3. Review any vendor contracts to ensure they will comply.
4. Appoint a Data Protection Officer if required.
5. Review data collection process and modify where necessary to comply.

Commentary and analysis by Compliance Quarter’s Anne Wardell were featured in a recent article on GDPR by the CNS Group in the UK – you can view the article here.