GDPR compliance beyond Europe
GDPR comes into effect in May 2018 and one of the buzz phrases you might have heard is
the right to be forgotten
But there is much more you need to know and the effects are far reaching beyond Europe.
What Assessments are needed?
Data protection impact assessments (DPIAs) or Privacy Impact Assessment (PIAs) are required by GDPR.
A D/PIA must be carried out prior to the implementation of the technology, project, activity or process and ideally as early as practical in the design process.
The D/PIA will also need to be updated and/or steps repeated as the process develops, particularly if issues are identified which may affect the severity or likelihood of risk to the data protection rights of affected individuals.
GDPR Assessment Requirements
GDPR article 35(7) lists the minimum requirements a DPIA must provide and contain:
- a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes
- an assessment of the risks to the rights and freedoms of data subjects
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
A DPIA report must also contain
- purposes of processing
- the stakeholders
- categories and types of private data processed in the system
- characterization of types of data flows (e.g. is the data transferred?)
These descriptions should be clear. Clarity is valued in DPIA. Do not take any opportunity to document ambiguity for business benefit, it will only work against your efforts to be deemed compliant.
Australian business considerations
You should ensure that the entity fits into these GDPR scopes before starting a DPIA.
According to OAIC: consultation-draft-australian-businesses-and-the-eu-general-data-protection-regulation
Australian businesses that may be covered include:
- an Australian business with an office in the EU
- recital 23 - an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros
- recital 23 - an Australian business whose website mentions customers or users in the EU
- recital 24 - an Australian business that tracks individuals in the EU on the Internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours, and attitudes - (section 6)
If the entity fits into these GDPR scopes you would need to consider the whole OAIC guidance.
To check whether you need to also comply with the Privacy Act, you can complete the privacy checklist for small business found on the OAIC website here.
You may not need to do anything
So you've identified that your business must comply but what exactly does that mean?
It may mean you need to complete a few additional tasks, or none at all. It all depends on your current privacy posture.
If you currently complete a PIA or DPIA on a project by project basis to meet the privacy obligations of your country (Such is the case in Australia), you do not need to change a thing about this practice.
However to meet the obligations of GDPR and you do not currently complete either a PIA or DPIA you must be prepared to do so for all previous and future projects.
Accountability and governance
Both accountability and governance are key concepts in GDPR (Article 5, 24, and 25 speak to them) and are required if you wish to be compliant. Having an appointed CISO and thus a Security Steering Committee Policy is a great start as it provides a level of accountability and governance however a well considered ISMS or alternatively seek standards accreditation such as ISO/IEC 27014:2013 are assurances well considered also.
In all cases where privacy data is collected you should now be seeking consent from the individual not only that you may use their data but exactly how you intend to use the data now and into the future. If you intend to share their data with any other entities this must also be consented too. And if any of these change you must obtain consent anew.
The GDPR includes a new definition of consent, which states that it must be freely given, specific, informed, and an unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing (Article 4(11)).
Consent is not freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent at any time (Article 7 and recital 42). Businesses also need to make the withdrawal of consent as easy as giving consent, and, before individuals give consent, must inform individuals about this right to withdraw consent (Article 7(3)).
Specific requirements apply in relation to children’s consent if an individual below 16 years.
At the time of writing; in four days, Australia enters into a new era where mandatory data breach notifications are enforcible.
Having been lawful legislation for 12 months, Australian businesses have enjoyed a grace period for which they hopefully spent becoming compliant. Which is actually a simple process to start; by creating a data breach response plan and ongoing practice/drills to remain relevant.
So it is no extra effort for Australian businesses to comply with GDPR as the breach notification obligations are aligned. Outside Australia however you may still need to establish a data breach response plan if you wish to be complaint with GDPR.
The right to erasure
Known as the
right to be forgotten, where the individual withdraws their consent you must delete their data. Additionally where the information is no longer necessary for the purpose for which it was collected and there is no other legal ground for processing their data, you must also delete the individuals data.
There is no equivalent "right to erasure" under the Privacy Act in Australia, however APP 11.2 requires an APP entity that holds personal information to take reasonable steps to destroy the information or to ensure it is de-identified if the information is no longer needed for any purpose permitted under the Privacy Act; which is aligned to the second right of GDPR. If you have already demonstrated your compliance to APP 11.2 and have also provided the means for individuals to withdraw consent, then you are already aligned to this obligation of GDPR.
The GDPR gives supervisory authorities the power to impose administrative fines for contraventions, with fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater for certain types of contraventions (Article 83(5)).
Basically, you don't want to be unprepared. Many businesses such as online advertisers, recruitment agencies, and sales consultants should take a moment and consider their practices - any individual may be protected by European laws and therefore you are responsible for your businesses compliance to GDPR.
Where can I get help or more information?
- Find a GRC Information Security Consultant (GRC = Governance, Regulation, and Compliance) like myself to guide you through the process and provide assistance to complete each step with you and your business objectives.
- OAIC Consultation draft for Australian businesses to comply with GDPR
- UK ICO website GDPR guidance
- European Commission
Follow me on Twitter @chrisdlangton
Or connect with me on LinkedIn