Board members are often involved in both their association and full-time work, and it can be difficult to keep up to date with pertinent information on what is happening in the sector and which new policies might affect your organisation. Therefore, we have written this guide to summarise the new EU General Data Protection Regulation (GDPR), which took effect on 25 May 2018.
The GDPR is intended to improve data security across the EU and provide its citizens with greater rights and control over how their data is stored and used. This may affect Australian organisations that:
- supply goods or services to, or monitor, individuals in the EU through an online presence; or
- process personal data in connection with the activities of an EU establishment (which is undefined, but seems to require effective and real exercise of activity through stable arrangements), including where this is done via a data center of a service provider located in the EU.
(Wedutenko & Baldwin 2018)
According to the Office of the Australian Information Commissioner (OAIC 2016, p. 3) a few examples of this may include:
- an Australian business with an office in the EU
- an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros
- an Australian business whose website mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Below is a summary of these new policies, followed by how they might differ from current Australian laws on the issue. While we have tried to be thorough, this is not an exhaustive list, and anyone particularly concerned about how these laws affect them should do further reading on the issue (see the ‘additional information’ section).
Controller: an individual or organisation that determines the purposes and means of the processing of personal data, meaning it decides how and why the data is used (e.g. an association controls the personal data of its members).
Processor: processes personal data on behalf of the controller (an example of this would be a database system such as Currinda or Membes).
Accountability and Governance:
The changes to accountability and governance policies surrounding the use and storage of an individual’s data are intended to improve the security of that data (ensuring that organisations have the proper measures in place to minimise the risk of data being stolen or misused), to ensure that organisations comply with GDPR rules, and to hold them accountable for their role in customer privacy. According to OAIC (2016, p. 4), this would require an organisation to:
- Demonstrate that they comply with the ‘Principles relating to the processing of personal data’ – this is referred to as the ‘accountability principle’ (Article 5).
- Ensure and demonstrate through the implementation of appropriate technical and organisational measures, including data protection policies, that their processing activities comply with the GDPR (Article 24).
- Implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities – this is referred to as ‘data protection by design and by default’ (Article 25).
- For certain businesses, appoint a data protection officer to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures (Article 37).
- Undertake a compulsory data protection impact assessment prior to data processing, where a type of processing is likely to result in a high risk for the rights and freedoms of individuals (Article 35).
Mandatory Data Breach Notification:
As illustrated above, the safe storage and use of data, and the importance of individual privacy, are serious concerns for the GDPR. Thus, if a breach of privacy is discovered:
- Data controllers must advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach unless the breach is unlikely to impact the rights and freedoms of individuals.
- Data processors must notify the controller of a breach without undue delay (Article 33).
- In addition, when a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the individual without undue delay (Article 34).
OAIC (2016, p. 6)
Overseas transfers of personal data:
OAIC (2016, p. 8) also describes how these expanded security measures apply to the transfer of personal data overseas.
- Under the GDPR, personal data may be transferred outside the EU to countries or international organisations that provide an adequate level of data protection.
- The GDPR sets out in detail the factors the EU Commission is to consider when deciding whether a third country or international organisation ensures an adequate level of protection (Article 45).
- The European Data Protection Board is required to provide the Commission with an opinion assessing the adequacy of a country or organisation’s level of data protection (Article 70(1)(s)).
Apart from protecting data security, a secondary focus of the GDPR was improving the control that individuals have over their own data, including improving consent, privacy notices and the rights of individuals.
In order to improve personal control, the GDPR has created a new definition of informed consent, which according to OAIC (2016, p. 6) must be:
- Freely given
- An unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing (Article 4(11)).
- Individuals must be able to withdraw consent at any time.
However, there has been some confusion around Article 6(1), which allows organisations to process data where it is in the legitimate interest of the subject. Specifically, according to Miles (2018):
From Article 6(1) of GDPR, legitimate interest can be used to process records if:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (e.g. if the data subject is a child).
Many marketers wrongly take this article to mean that, under the last point above (example E), they can process data simply because it is in their legitimate business interests to do so. This is not an accurate interpretation of the clause. Miles (2018) summarises it best with the example of buying a pizza, where you have provided the organisation with your details to complete the transaction:
“I expect Joe’s Pizza to deliver my pizza (hot, please) so therefore I also expect Joe’s Pizza to process my order and charge my credit card. But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy. The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…” In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie” – which as we all know can add up to a lot of dough!”
The GDPR also requires data controllers to give individuals a range of prescribed information about the processing of their personal data (Articles 13 and 14).
- This information must be concise, transparent, intelligible and easily accessible, and use clear and plain language (Article 12).
- The GDPR supports combining this information with the use of standardized icons to give an easily visible, meaningful overview of processing to individuals (Article 12).
OAIC (2016, p. 7)
Expanded Rights for individuals:
The GDPR includes a range of new rights for individuals (OAIC 2016, pp. 7-8):
- The right to erasure (known as the ‘right to be forgotten’) gives individuals the right to require data controllers to delete their data in certain circumstances, including where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data (Article 17).
- There are exceptions to this right, including where data processing is necessary to exercise the right of freedom of expression and information.
- A right to ‘data portability’ – a right to receive personal data an individual has provided to an online service provider in a ‘structured, commonly used, machine-readable format’ and to transmit that data to another online service provider (Article 20).
- A right to object at any time to the processing of an individual’s personal data (including profiling). If an objection is made, the processing generally must be stopped. This right only applies to certain types of processing, such as where the legal basis for processing is legitimate business interests, or for direct marketing (including profiling). There are some exceptions that permit organisations to continue processing despite an objection – but these do not apply to processing for direct marketing (Article 21).
OAIC (2016, p. 9)
- The GDPR gives supervisory authorities the power to impose administrative fines for contraventions, with fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater, for certain types of contraventions (Article 83(5)).
Summary with Regard to Australian Privacy Laws
Many of these new requirements overlap with current Australian privacy laws (for a complete summary of the Australian Privacy Principles click the link below). The most pertinent overlaps include requirements to:
- Notify individuals of the purpose for which personal data will be processed;
- Restrict processing to the purpose for which personal data was collected, except in specific circumstances;
- Store personal data securely;
- Allow individuals to access their personal data; and
- Notify regulators and individuals in the event of certain data breaches (a requirement being introduced in Australia in February 2018).
(Wedutenko & Baldwin 2018)
However, Australian businesses should be more concerned about where these privacy laws diverge, particularly with regard to:
- Express rights to erasure of personal data under certain circumstances, to restrict the purpose for which personal data can be processed, and to withdraw consent at any time.
- Implied consent is not sufficient in most circumstances; consent must be explicit and freely given.
- Data breach reporting is required if there is any risk to individual rights and freedoms (while in Australia it is only required if the breach might cause serious harm).
- Businesses must conduct more extensive impact assessments and appoint a designated data protection officer, requirements that go beyond those of Australian law.
(Wedutenko & Baldwin 2018)
Recommendations for Australian businesses affected by GDPR
The following recommendations are suggestions only, and businesses are still encouraged to seek legal advice before taking actions that might affect their organisation.
However, if you are affected by the new EU regulation, we recommend that you:
- Appoint a Privacy Officer to help manage your data security and ensure that you are complying with both Australian and EU laws.
- Assess your obligations and risks.
- Develop a policy around the new regulations, including notifying members and informing the board.
- Ensure that you comply with the breach notification requirements.
- Get confirmation from external suppliers that they are compliant.
- Monitor on an ongoing basis.
If you are interested in learning more about these new laws, the articles below are good resources for further information.
Summary of Consent and Legitimate Interest
Miles, M. 2018, “Is Legitimate Interest a Legitimate Loophole for GDPR Consent?”, viewed 27 April 2018, <https://perkuto.com/blog/is-legitimate-interest-a-legitimate-loophole-for-gdpr-consent>.
GDPR and Australian businesses
OAIC 2016, “Australian businesses and the EU General Data Protection Regulation”, viewed 27 April 2018, <https://www.oaic.gov.au/resources/engage-with-us/consultations/australian-businesses-and-the-eu-general-data-protection-regulation/consultation-draft-australian-businesses-and-the-eu-general-data-protection-regulation.pdf>.
Australian Privacy Principles:
OAIC 2014, “Australian Privacy Principles”, viewed 27 April 2018, <https://www.oaic.gov.au/resources/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles.pdf>.
Useful article summarising what this means for Australian businesses:
Wedutenko, A. & Baldwin, M. 2018, “Australian organisations beware ‒ you could be caught by EU’s new General Data Protection Regulation”, viewed 27 April 2018, <https://www.claytonutz.com/knowledge/2018/february/australian-organisations-beware-you-could-be-caught-by-eus-new-general-data-protection-regulation>.
© The Association Specialists 2018