Last week I joined the fray of the hundreds of thousands of people talking about GDPR and the technicalities surrounding the changing requirements for managing personal data. It went very deep into the legislation and some of its impacts on businesses. Today I am taking a different look at the GDPR and the Notifiable Data Breach Scheme in Australia. If you want to get caught up on the details, you can read the last post HERE. A brief look at the two pieces of legislation is below.
General Data Protection Regulation (GDPR)
GDPR is an EU legislation based on the idea of personal data ownership and putting control of your data back with individuals. There are several key aspects of the legislation.
- The law applies to any company worldwide that processes or interacts with the personal data of EU citizens. This also applies to online services that are available to EU citizens, such as websites and marketing materials.
- Personal information is extensive and includes: names, home addresses, telephone numbers, email addresses, bank details, social media information, medical information, and IP addresses.
- Note that stored email addresses and IP addresses include those collected through marketing subscriptions such as newsletters and online stores.
- GDPR acts as a single set of rules for all EU member-states.
- Companies are required to provide reasonable notice about data retention periods and contact information for the company.
- Companies are required to design any systems with privacy and data protection in mind (i.e. not sharing information with third parties, applying security measures, etc.).
- Most importantly, it is the responsibility and liability of the company to demonstrate compliance, even if a third party is processing data like a marketing platform.
- Users are required to provide consent for any data collection and processing activities.
Notifiable Data Breach Scheme
The NDBS is a brand new Act passed in Australia recently. It focuses on data breaches and requires companies to notify both the government and affected individuals about data loss. The key aspects of the legislation are:
- Applicable to government agencies, businesses and not-for-profit organisations with an aggregated turnover of more than $3 million per year, credit reporting agencies, medical firms, etc.
- Not all data breaches require notification: certain types of breaches are exempt from reporting, as is any breach that does not pose a serious risk of harm.
- An organisation suspecting or knowing of a data breach must undertake actions to assess the harm and risk of the breach.
- The Commissioner and the individuals affected are required to be notified, including details of the breach, recommended actions the individuals should take, and any mitigation measures to be put in place.
- A fine of up to $2.1 million applies for data breaches.
A Confused Public
Unfortunately for everyone, the GDPR and the NDBS both have mandates with significant grey areas. This has caused significant confusion for businesses, software providers, and end users. On the first day of the GDPR being enforceable, Facebook and Google were hit with lawsuits totalling 8.8 billion euros over the collection and management of data. Long story short, people are still wrapping their heads around the new laws. For business owners, the most critical question, and the one I am forever asked, is: what exactly do I have to do to comply? Well, it's not black and white. The tech and consulting communities are working together to better understand the far-reaching impact of the legislation and what is required to be fully compliant.
What Does This Practically Mean?
Examples of Requirements
- Website updates to include GDPR compliance
- Marketing automation notification
- Clear outlines of data captured and stored, including reasons for capture
- Listing of all systems and locations personal data is stored
- Data breach policy and procedures
- Personal data request procedure and policy
- Data loss mitigation processes and policies
The Five Step Process:
- Audit ALL business systems, including website/marketing/CRM/finance/operations tools, for:
  - Their compliance with GDPR
  - Data breach policies
  - A proactive, security-focused stance
- Identify what personal data you store, how it is captured, and how you secure the data:
  - Identify the types of personal data
  - Identify the storage and transfer methods
  - Identify data disposal
- Identify risks of data loss/breach/inappropriate access and create a risk analysis document, including:
  - Human error
  - Malicious actors
  - 3rd party data disclosure
  - Transfer of data
- Create and implement a strategy to mitigate/minimize risks:
  - Work with suppliers to ensure GDPR compliance of all systems and processes, including client-facing systems like websites
  - Create a data breach notification and response process
  - Work with your technology partners to improve security controls and systems to minimize risk to data and systems
- Create a proactive, continuous improvement lifecycle to analyze and investigate new risks and monitor the status of current controls
- Business audit and solution recommendation guide
- Risk identification and analysis in risk register document
- Identification of personal data capture and process workflows
- Solution plan for compliance
- Solution delivery and risk mitigation across all business systems and processes
- Creation of process and policy documentation for personal data storage and retrieval
- Handover to internal teams for ongoing control processes
An added benefit of an in-depth audit and analysis is the opportunity to review current systems and practices and refresh or update them to meet business requirements. Our team works with you through this process and takes the hassle out of it.