General Data Protection Regulation: How are Australian businesses affected?
On 25 May 2018, Europe’s General Data Protection Regulation (GDPR) comes into effect. Although it is EU law, it reaches well beyond Europe: an Australian company that has an office in the EU, offers goods or services to people in the EU (including online), or collects or monitors the personal data of individuals in the EU must comply with the GDPR or risk substantial fines.
What is Europe’s General Data Protection Regulation exactly?
The General Data Protection Regulation sets new requirements for the protection of personal data across the EU. It replaces the 1995 Data Protection Directive and the patchwork of national laws made under it with a single regulation that applies directly in every member state.
The new laws are designed to provide legal certainty for all individuals and businesses in the EU regarding the collection of personal data. They also aim to improve consumer trust in services delivered online.
The GDPR and the Australian Privacy Act have some similarities
Both the GDPR and the Australian Privacy Act encourage transparent collection of personal data and make businesses accountable for how they handle it. Common requirements include:
- implementation of a privacy by design approach to compliance
- being able to demonstrate compliance with privacy principles and obligations
- adoption of transparent information handling practices with a requirement for privacy impact assessments under certain circumstances
- data breach notification requirements in some instances under both laws.
These laws aim to provide consumers with confidence that their private and sensitive data is protected. Both EU and Australian laws require businesses to deploy measures that will ensure compliance with specified privacy principles.
To which Australian businesses does GDPR apply?
The GDPR distinguishes data controllers from data processors (an organisation can be both). A data controller decides how and why personal data is processed; a data processor processes personal data on the controller’s behalf and under its instructions. Australian businesses the regulation applies to include:
- Australian companies with offices in the EU
- an Australian company whose website targets EU customers and offers delivery of goods into the EU. Letting customers order in a language other than English or pay in euros are indicators of such targeting
- an Australian website that mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals based on preferences, behaviours and attitudes.
Australian businesses that fall under the above but do not have offices in the EU are required (in certain circumstances) to appoint a representative that is established in an EU member state. This representative provides a point of contact for supervisory authorities and customers in the EU on all issues related to GDPR and data processing.
How businesses and consumers will benefit
The regulation aims to give individuals confidence that their data will be protected, and control over how it is used for marketing. Consent has to be a clear affirmative action: individuals must opt in to marketing communications rather than being subscribed to a marketing list by default.
For businesses, the regulations elevate the protection of personal data to a business priority and highlight the need to protect the organisation against data breach and to secure personal data.
How does GDPR impact payment service providers?
Under the GDPR, payment service providers are generally treated as data processors acting for the merchant, which is the data controller. The regulation’s security obligations mean controllers must choose payment processing methods that protect cardholder data against breach.
To comply with GDPR, payment service providers must:
- process data lawfully, and only for the specific purpose of enabling the transaction
- collect data only for legitimate purposes
- retain data for no longer than necessary
- ensure data is secure through appropriate technical and organisational measures
- review data processing activities and maintain records of these activities
- ensure appropriate processes are in place for identifying, reviewing and reporting data breaches.
Is your customers’ personal data adequately protected?
An essential first step in reducing breach risk is scanning for sensitive data. Sensitive data scanning finds copies of card numbers and other sensitive data types that sit unprotected across the organisation, for example in file shares, databases, mailboxes and logs.
Because both the GDPR and Australian law require notification of data breaches, finding and securing unprotected data reduces both the likelihood of a breach and its consequences: data that was encrypted or tokenised when it was stolen is far less likely to cause harm and, under the GDPR, may not have to be communicated to the individuals concerned.
Sensitive data that is found can be protected by encryption, tokenisation or by moving it to properly secured (for example cloud) storage. Encryption keeps the data but renders it unreadable without the key; tokenisation replaces the card number with a surrogate value that is useless outside the tokenisation system. Either way, what a cybercriminal takes is of little use to them.
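As an added illustration of the scan-then-tokenise step described above (example code written for this page, not a product or the article’s own tooling), the script below finds payment card numbers in text by pattern and Luhn checksum, swaps each one for a token that keeps the length and last four digits but deliberately fails the Luhn check, and masks them for display. The sample record is constructed, and the in-memory dictionary vault stands in for what would be a separate, access-controlled, encrypted token store.

```python
import re
import secrets

# Candidate PANs: 13-19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """In-memory stand-in for a token vault (assumption: a real vault is a
    separate, access-controlled, encrypted store). Tokens keep the length and
    last four digits of the PAN so receipts and lookups keep working, but are
    generated to fail the Luhn check so they can never be mistaken for, or
    used as, a real card number."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan):
        if pan in self._pan_to_token:  # same PAN always maps to the same token
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault, behind its own access control, can map back to the PAN."""
        return self._token_to_pan[token]


def tokenize_text(text, vault):
    """Replace every Luhn-valid PAN in text with its token; leave other digit
    runs (order numbers, phone numbers, numbers that fail Luhn) untouched."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return vault.tokenize(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(swap, text)


def mask(pan):
    """Display form for logs and receipts: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample record (not real data): one valid Visa test number, one
# 16-digit run that fails Luhn, an order number and a phone number.
SAMPLE = ("order 1043 card 4111 1111 1111 1111 exp 12/26 "
          "ref 1234-5678-9012-3456 phone 1300 975 630")

if __name__ == "__main__":
    vault = TokenVault()
    print("found:", [mask(p) for p in find_pans(SAMPLE)])
    print("stored:", tokenize_text(SAMPLE, vault))
```

Running the script reports one masked card number and prints the record with that number replaced by a token, while the invalid 16-digit reference and the phone number are left alone; a second scan of the tokenised record finds nothing, which is the property a scanner-plus-tokeniser pipeline needs so that it can be rerun safely over already-cleaned data.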
Where to from here?
Australian businesses concerned about the GDPR and if they need to comply should seek legal advice. If you have concerns regarding the security of your payment systems and processes, credit card storage or would like to conduct an enterprise data scan to find any sensitive data, please contact us on 1300 975 630.