The last article you need to read about how GDPR might impact Australian businesses
Published 19 June 2018
You very likely received a flurry of emails about it in late May / early June, but here we take a closer look at what the EU’s General Data Protection Regulation (GDPR) legislation is and how it might affect Australian organisations.
What is GDPR?
The General Data Protection Regulation (GDPR) was approved by the EU Parliament in 2016 and became enforceable on 25 May 2018, after a two-year transition period. GDPR is an EU regulation that replaces the 1995 Data Protection Directive and updates privacy and data protection law for the digital age. It has some parallels with Australia's Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988, which took effect in February 2018, although GDPR is far broader in scope: the NDB scheme covers breach notification only, whereas GDPR governs how personal data is collected, used, stored and transferred.
Could Australian businesses be impacted?
If your business has a connection to the European Union, it is likely to fall under the remit of GDPR. Australian businesses, regardless of size, may need to comply if they have an establishment in the EU, offer goods or services to individuals in the EU (whether or not payment is required), or monitor the behaviour of individuals in the EU. Note that it is the location of the individuals whose data is processed, not where the data is stored, that matters.
The Office of the Australian Information Commissioner (OAIC) has said that it is committed to internationally coordinated approaches to privacy, such as GDPR. Enforcement of GDPR rests with EU supervisory authorities, but the OAIC may cooperate with them where an Australian business is involved, and many GDPR obligations overlap with obligations the OAIC already enforces under the Privacy Act.
Fines and penalties related to GDPR are headline grabbing thanks to their size and scope. Businesses that fall foul of the legislation may be subject to fines of up to €20 million or 4% of annual global turnover, whichever is greater, for the most serious infringements (a lower tier of up to €10 million or 2% applies to others). For comparison, fines for serious and repeated interference with privacy within Australia can reach up to $420,000 for an individual, whilst a body corporate faces fines five times as large, with the current maximum set at $2.1 million.*
What should I have in place to comply?
As there is some overlap between Australia's Privacy Act and GDPR, many businesses will already be reasonably well prepared for a data breach. However, now is a good time to revisit your business's cyber planning, and these five steps can help with GDPR compliance:
Legal and compliance support. The legal and technical changes required by your organisation could be very significant and may require co-operation from all departments. Compliance cannot be achieved without the help of legal and IT security support, but everyone needs to understand what is required of them – especially concerning how data is handled.
Data audits. You will need to audit your current data protection measures, document what personal data you hold, where it came from, why you hold it and who it is shared with, and ensure all data collection is compliant with the regulation. This also applies to any third-party companies (processors) your organisation uses, who may not be compliant with the new laws and with whom GDPR requires you to have a written contract.
Breach response planning. If you do not have one already, you should ensure that your organisation has a data breach plan in place, that the individuals involved in the plan know their roles, and that the plan is practised regularly, so that you can react to a breach and notify the relevant EU supervisory authority (for example the UK's Information Commissioner's Office, ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Australian businesses may also have to notify the OAIC and affected individuals under the Notifiable Data Breaches scheme where a breach is likely to result in serious harm. You can download Gallagher's free guide to creating a breach response plan here.
Security monitoring and alerting. It is worth implementing monitoring that can detect data breaches as quickly as possible, both to limit further damage and because the 72-hour notification clock starts when you become aware of a breach, so late detection leaves less time to investigate and respond.
Data protection officer. If your organisation's core activities involve large-scale processing of personal data, large-scale processing of special categories of data (such as health data), or regular and systematic monitoring of individuals, you must appoint a Data Protection Officer (DPO) who is responsible for overseeing how your organisation handles data. Organisations outside these categories may still find it worthwhile. The role can be filled internally, provided the person's other duties do not create a conflict of interest, or by an external provider.
Whilst this is only a small fraction of the work needed to ensure compliance with GDPR, it is a useful reminder now that the two-year transition period since GDPR was adopted in 2016 has ended.
If you are concerned about how GDPR could impact your business, or have any other questions about your cyber risk and insurance, contact our specialist team of cyber insurance brokers, who can help you understand the legislation and how it could affect your business.
*All figures current to June 2018 and may be subject to change.
To the extent that any material in this email may be considered advice, it does not take into account your objectives, needs or financial situation. You should consider whether the advice is appropriate for you and review any relevant Product Disclosure Statement and policy wording before taking out an insurance policy.