Last week I joined the fray of the hundreds of thousands of people talking about GDPR and the technicalities surrounding the changing requirements of managing personal data. It went very deep into the legislation and some impacts to businesses.Today I am taking a different look at the GDPR and Notifiable Data Breach Scheme in Australia. If you want to get caught up on the details you can read the last post HERE.  A brief look of the two pieces of legislation are below.

General Data Protection Regulation (GDPR)

GDPR is an EU legislation based on the idea of personal data ownership and putting control of your data back with individuals. There are several key aspects of the legislation.

  • The law applies to any worldwide company if they process or interact with personal data of EU citizens. This also applies to online services that are available to EU citizens like websites and marketing materials.
  • Personal information is extensive and includes: names, home addresses, telephone numbers, email addresses, bank details, social media information, medical information, and IP addresses.
  • Note the storing of email addresses and IP addresses can include marketing subscriptions like newsletters, online stores, and marketing subscriptions
  • GDPR acts as a single set of rules for all EU member-states.
  • Companies are required to provide reasonable notice about data retention time & contact information for the company.
  • Companies are required to design any systems with privacy and data protection in mind (i.e. .not sharing information to 3rd parties & security measures etc.)
  • Most importantly, it is the responsibility and liability of the company to demonstrate compliance, even if a third party is processing data like a marketing platform.
  • Users are required to provide consent for any data collection and processing activities.

Notifiable Data Breach Scheme

The NDBS is a brand new Act passed in Australia recently. This focuses on data breaches and requires companies to notify both the government and individuals around data loss. The key aspects of the legislation are:

  • Applicable to governmental agencies, business and non-for-profit organisations with an aggregated turnover of more than $3 million per year, credit reporting agencies, medical firms etc.
  • Not all data breaches require notification. Certain types of breaches are exempt from reporting, and any breach without serious risk of harm.
  • An organisation suspecting or knowing of a data breach must undertake actions to assess the harm and risk of the breach
  • The commissioner and individuals affected are required to be notified, including details of the breach, recommended actions the individuals should take, and any mitigation measures to be put in place.
  • A fine of up to $2.1 million is applicable for data breaches

A Confused Public

Unfortunately for everyone, the GDPR and the NDBS both have mandates with significant grey area. This has caused significant confusion for businesses, software providers, and end users. On the first day of the GDPR being enforceable Facebook and Google were sued for 8.8 billion euros of lawsuits surrounding the collection and management of data.Long story short, people are still wrapping their heads around the new laws.For businesses owners, the most critical question and one I am forever asked, is what exactly do I have to do to comply? Well, it’s not as simple as black and white. The tech and consulting communities are working together to better understand the far reaching impact of the legislation and what is required to be fully compliant.

What Does This Practically Mean?

There are many steps to fully complying with these regulations, some easy to implement, some more difficult. I have been working with several businesses on compliance for the last several months who have complex requirements. Through these processes we have created a best practices approach to comply with the regulations.

Examples of Requirements

  • Website updates to include GDPR compliance
  • Privacy policy including GDPR and other compliance notifications
  • Opt-in cookie policy and acceptance popup
  • Marketing automation notification
  • Clear outlines of data captured and stored, including reasons for capture
  • Listing of all systems and locations personal data is stored
  • Data breach policy and procedures
  • Personal data request procedure and policy
  • Data loss mitigation processes and policies

The Five Step Process:

  1. Audit ALL business systems including website/marketing/CRM/finance/Operations tools for
    1. Their compliance with GDPR
    2. Data breach policies
    3. Proactive, security focused stance
  2. Identify what personal data you store, how it is captured, and how you secure the data
    1. Identify the types of personal data
    2. Identify the storage and transfer methods
    3. Identify data disposal
  3. Identify risks of data loss/breach/inappropriate access and create risk analysis document including
    1. Technology
    2. Human error
    3. Maliciious actors
    4. 3rd party data disclosure
    5. Transfer of data
  4. Create and implement a strategy to mitigate/minimize risks
    1. Work with suppliers to ensure GDPR compliance of all systems and processes including client facing systems like websites
    2. Create a data breach notification and response process
    3. Work with your technology partners to improve security controls and systems to minimize risk to data and systems
  5. Create a proactive, continuous improvement lifecycle to analyze and investigate new risks and monitor the status of current controls
This sounds like a lot of effort but it’s actually pretty simple to implement if you work with key suppliers. Here at Iconic Growth our technical team, Iconic Tech, work with all of our clients to proactively adhere to GDPR regulations and actively monitor & secure systems against data loss. Working closely with our advisory and consulting team we work through the lifecycle process with you and deliver complete compliance solutions. All compliance projects start with a thorough business audit with one of our team to identify risks and current compliance status. Our advisors then work with your key business stakeholders to identify personal data collection and key systems within the business to paint a picture of your risk profile across internal and external systems. All risks are captured and action plans drawn up. Our advisors work closely with our tech team and your existing suppliers to mitigate risk, bring your business into compliance, and implement policies and procedures to minimize data loss and breach risks.

Key Outcomes

  • Business audit and solution recommendation guide
  • Risk identification and analysis in risk register document
  • Identification of personal data capture and process workflows
  • Solution plan for compliance
  • Solution delivery and risk mitigation across all business systems and processes
  • Creation of process and policy documentation for personal data storage and retrieval
  • Handover to internal teams for ongoing control processes

An added benefit of an in-depth audit and analysis is the opportunity to create review current systems and practices and refresh/update to meet business requirements. Our team work with your through this process and take the hassle out of these processes.

Feeling Overwhelmed? Want to Know More?

It can be a daunting task to be compliant with GDPR but lots of businesses have minimal exposure to some of the regulations. All websites and marketing tools must be compliant with GDPR but many businesses are exempt from NDBS. It all depends on your unique business situation.If you want to know more, have a question, or want some further advice around this or other topics contact me directly via the links below or call our office on +61 3 9034 5220. Don’t go it alone when there are so many variables. Speak to the experts who can make you compliant and help grow your business.

Connect with me via:
Phone: +61 4 0525 9005
Email: jacob@iconicgrowth.com.au
LinkedIn: https://www.linkedin.com/in/thatdoogieguy
Instagram: @thatdoogieguy