What exactly does the GDPR entail? How will it affect businesses in Australia? What does it even stand for? Alistair McCall, Data Strategy Director at MercerBell, gives us the rundown.

2018 has seen an explosion in the collection and use of personal data by organisations. As a result, consumers have become more savvy about the information they provide, and perhaps less trusting of companies that ask for personal data.

To help better protect the privacy of consumers in the EU, the GDPR, or General Data Protection Regulation, was introduced in May of this year. The law replaces the 1995 Data Protection Directive, which had a lack of transparency around how data should be collected and used.

The new regulation provides new standards of compliance for organisations that collect and use data belonging to citizens of the European Union (EU). So, if you’re an Australian business that processes the personal data of anyone residing in the EU, you’ll be affected. And even if the GDPR doesn’t apply to you right now, it’s a good idea to stay informed.

Individuals in the EU will find themselves with more power to demand companies reveal or delete the personal data they hold. And enforcement actions will have real teeth, with the maximum fine now reaching up to 20 million euros.

The world’s largest companies have already updated their sites to comply with the GDPR. Facebook launched a range of tools to “put people in more control over their privacy”, while Apple recently revealed a new privacy dashboard on their website. Google took a different tack, quietly updating its products and privacy policies without drawing too much attention.

The GDPR rules

  • Consent – Consent must be explicit and unambiguous, using clear language. Implied consent isn’t sufficient.
  • Penalties for breach – The maximum fine will reach up to 4% of the company’s annual turnover, or 20m euros (whichever is higher).
  • Breach notification – It’s mandatory to inform authorities and data subjects of data breaches.
  • Right to access – Consumers have a right to know what data is being held and what it’s being used for. They can also request an electronic copy of all their data.
  • Right to be forgotten – Subjects can have their personal data erased from an organisation’s systems.
  • Data portability – Organisations are required to provide the consumer with the personal information they hold on them, and must allow the consumer to pass that data onto another organisation.
  • Privacy by design – Organisations must incorporate data security and protection into the process of designing a new product or service, rather than as an addition later on.
  • Improved governance – Data controllers within organisations are required to keep records of data protection activities and must be able to demonstrate compliance on request.
  • Increased transparency – Organisations must develop accessible policies that explain how personal data will be processed and what consumer rights are.

Steps you can take here in Australia

Even if you have nothing to do with consumers in the EU, it’s always good to grow your organisation around best practice data privacy principles. This will build consumer trust and allow you to be prepared for similar regulatory changes that may affect Australia in the near future.

Here are some steps you can take today to future-proof your company:

  1. Understand GDPR and its implications on your organisation
  2. Assess the current consumer data you hold, identifying:
  3. 1. Where it’s come from and how old it is

    2. How it’s used

    3. Who uses it

    4. Where it’s stored and transmitted (if anywhere)

  4. Identify where your data policies and processes fall short of compliance and define what you need to do to fill in the gaps
  5. Develop a plan for GDPR compliance

At MercerBell, we can help guide you in the right data direction, and answer any questions you may have about the GDPR. Get in touch today by emailing alistair.mcall@mercerbell.com.au