Notifiable Data Breaches, GDPR and why they’re important to your business
This month I’m going to raise two similar new pieces of legislation that Australian businesses should be aware of. While they are not strictly IT related, their importance transcends any particular business unit.
- The first is the Notifiable Data Breaches scheme, which has been in force since the 22nd of February this year.
- The second is the EU General Data Protection Regulation which will apply from the 25th of May 2018. Below is a brief overview of these new requirements, and what they mean for your business.
The Notifiable Data Breaches scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm. It applies to Australian Government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million or more. If a data breach has occurred, you must report it to the individuals involved as well as to the Office of the Australian Information Commissioner. You must also publicly display on your website that there has been a data breach.
What does this mean for you? While the government will not take legal action against you, individuals or other entities may do so. You should ensure all personal information you store is well protected.
Read more about the scheme here
The EU General Data Protection Regulation (GDPR) applies to the data processing activities of businesses, regardless of size, that process any personal data and have an establishment in the EU. It also applies to the data processing activities of businesses outside the EU where the processing activities are related to:
- offering goods or services to individuals in the EU
- monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU.
The additional requirements of the GDPR stipulate that a business must:
- demonstrate that they comply with all the principles set out in the GDPR
- implement appropriate technical and organisational measures, including data protection policies, to ensure and be able to demonstrate that processing complies with the GDPR
- implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities
- ensure that the individual ‘has given consent to the processing of his or her personal data for one or more specific purposes’
What does this mean for you? If your business operates within the EU or sells products and/or services to citizens in the EU you must comply with the GDPR. Sanctions can be enforced by supervisory authorities with the power to impose administrative fines for contraventions by controllers or processors, with fines of up to €20 million or 4
If you would like to discuss IT compliance strategies for the NDB or GDPR in more detail, please feel free to get in touch.