On Friday, May 25th, 2018 the European Union (EU) General Data Protection Regulation 2016 (GDPR), which governs Personally Identifiable Information (PII), came into force and applies globally to all EU-based businesses and to the personal data of EU citizens.
EU countries have drafted local laws to enforce GDPR standards in place of existing legislation, for example the UK Data Protection Act (1998), so the GDPR standards for UK citizens will survive Brexit.
To continue trading uninterrupted, Australian companies that fall into any of the following categories should be aware of the GDPR and its standards:
- Are headquartered in EU member nations
- Trade with companies in the EU
- Store or process data about customers who are also EU citizens
Companies that fall into these categories will need to be GDPR compliant. Precedents for this type of international compliance requirement on trade were set by Sarbanes-Oxley (SOX) and HIPAA for the financial and health industries in the United States, although GDPR applies to all EU government and industry sectors.
GDPR has strict requirements on PII data; non-compliance can incur a €20 million fine or 4% of global revenue. The primary GDPR standard comprises:
- Pseudonymising or anonymising collected PII data
- Stating the reason PII data is being collected
- Gaining consent from persons over 16 whose personal data is being collected, or a legal guardian for those under 16
- Deleting personal data that is no longer used for the purpose it was collected
- Deleting personal data on withdrawal of consent
- Appointing a Data Protection Officer for companies that deal with enormous amounts of personal data
As some recent parliamentary resignations have revealed, Australians holding dual citizenship with EU countries are commonplace, and even the citizenship holder may be unaware of their citizenship status.
Visibility & jurisdiction outside the EU
The Notifiable Data Breaches (2017) amendment of the Australian Privacy Act (1988) will increase the visibility of PII data breaches in Australia to GDPR enforcement, and companies may become liable within the EU for exposing EU citizens' PII in Australia.
EU citizens who know their rights may report non-compliance (e.g. refusal to delete their PII data on request) to the GDPR office, with the same result.
The implications for owners or officers of a company that does not trade with the EU but is responsible for PII breaches under GDPR, when they visit EU countries for tourism or conferences, are complex and not completely explained, and are likely to be situationally dependent.
To avoid significant business interruption or cessation, companies connected to the EU that are not yet compliant with GDPR should:
- Urgently undertake a risk assessment and gap analysis
- Prioritise their security and privacy policies and procedures towards meeting GDPR requirements
For more information on the GDPR and how it affects your business speak with the experts from Agilient today.