In May 2018 the European Union (EU) enforced new data privacy laws, which aimed to protect EU citizens’ online data while reshaping companies’ approach to data privacy on a global scale.
The General Data Protection Regulation (GDPR) introduced policies surrounding consent, access and erasure of data as well as data breach penalties for all companies processing personal data of subjects residing in the EU. With fines up to 2% of a company’s global turnover, the GDPR has unsurprisingly led to companies that service EU citizens reforming their data handling policies, storage and infrastructure in order to become compliant.
While the GDPR was introduced in the EU, the Australian government is starting to move in a similar direction. The Notifiable Data Breach (NDB) scheme was introduced in February 2018 with significant penalties for data breaches and non-compliance. With increasing public concern around data privacy, Australian organisations need to start planning for further tightening of data protection and privacy laws in Australia that will bring us closer to the EU’s GDPR laws.
What is GDPR?
The most significant effect of the GDPR is the established and prioritised rights of data subjects, including their right to:
- Be Informed – Conditions of consent are stricter with companies no longer able to use legal jargon in their terms and conditions. Consent must be informed, given in an accessible form and able to be retracted.
- Access – Subjects must be able to access all data a company holds pertaining to them and have the right to ask where, and for what purpose, data is being held or used.
- Rectify – Subjects have the right to ask for their personal data to be amended, either partially or in full.
- Erase – Subjects have the right to ask for full erasure of all their personal data, and for a company to cease further dissemination of that data or processing of it by third parties.
Additionally, the severity of penalties for data breaches has increased considerably, making compliance essential for any company dealing with Personally Identifiable Information (PII).
What are the Consequences?
Organisations operating in the EU (which includes non-EU companies collecting EU citizens’ data, or EU companies collecting non-EU citizens’ data) that are in breach of GDPR can be fined up to 2% of their global turnover for the preceding financial year or 10 million euros – whichever is greater.
While the NDB in Australia is less severe, penalties of up to $10 million (or 10% of the company’s domestic annual turnover) still apply to all businesses and not-for-profits with annual revenue exceeding $3 million, and all health care providers, credit providers, credit reporting bodies and entities that trade in personal information.
In the first year of GDPR over $89 million in fines have been handed down, with over 206,000 cases and 94,622 individual complaints… – IAPP
How to Prepare for Tighter Online Privacy Laws
Whilst laws at the same level as GDPR may not have arrived in Australia, organisations can start to prepare now for the inevitable changes, putting the foundations in place for future compliance.
An initial audit will determine your existing level of compliance with Australian privacy laws as well as provide a baseline of your current data handling competency.
An audit would include a review of your infrastructure to make sure you are able to access and control all data that you collect (or data that is collected on your behalf), an examination of how you classify your data to identify PII, and a review of your existing policies and procedures relating to data collection, handling, storage and usage.
When making decisions on your Marketing Technology (MarTech) stack you should try to avoid setting up fragmented multi-platform solutions – while these can be integrated for compliance, doing so can be difficult and costly to implement and maintain. Where possible you should try to centralise your MarTech stack to simplify and unify your data handling processes.
All-in-One Content Management Systems (CMSs) exist to integrate content management, ecommerce and digital marketing in one solution. Various enterprise platforms such as Kentico, Sitecore and Episerver offer an all-in-one option and, with careful selection based on your company’s unique needs, this can be configured to ensure both ease of data handling law compliance as well as optimal data security.
Once you’ve identified the gaps or shortcomings of your data handling processes, you’ll need to amend each policy, process or system to mitigate the risk of a data breach. This will include:
- Altering (or creating) data handling policies
- Ensuring you’re able to access all stored data
- Ensuring you’re able to amend, erase or provide access to all stored data if requested by a data subject
- Providing data handling training for all staff involved in these processes
- Creating a procedure for the event of a data breach
PwC surveyed 200 companies with more than 500 employees and found that 68% planned on spending between $1 and $10 million to meet the GDPR regulation’s requirements.
If you’re not overly familiar with what your data handling responsibilities are, we recommend you seek guidance from those who are. Many digital agencies offer consulting services and provide expertise on auditing, centralising and amending data handling policies, procedures and systems. Look for an agency that has data handling certifications and extensive experience working with data on an international level.
If you’re concerned about your company’s compliance with Australian or European data privacy laws, please get in touch to hear from one of our data experts.