In our previous article, we outlined the GDPR and how it may apply to your Australian business, starting from 25 May 2018.
In this article, we look at seven steps your business can take now to assess its compliance with the GDPR, and make changes.
1. Determine whether your business needs to appoint a representative in the EU
Article 27 of the GDPR requires that, if a business does not have an office in the EU, the business must appoint a representative in an EU member state if it:
- offers goods or services to people in the EU; or
- monitors the behaviour of people in the EU.
An exception applies where the processing of personal data is occasional, does not include (on a large scale) processing of special categories of data (such as personal data revealing political opinions, trade union membership or genetic data) or personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
If your business is required to appoint an EU representative, your representative will be your main contact person in the EU, for both individuals whose data you collect or process (“data subjects”) and privacy regulators (the GDPR calls these “supervisory authorities”).
The intention behind this requirement is that individuals and regulators would prefer to speak with someone who is local (or at least closer to them, in terms of similar geography and time zone), perhaps speaks the same language, and understands their local customs and expectations.
In a further article, we will look at the role of a representative in greater detail, as well as the key issues you should take into account when recruiting and appointing a representative.
2. Determine whether your business needs to appoint a Data Protection Officer (DPO)
We have seen a lot of misinformation flying around about this issue. As you will see below, most private sector companies will not need to appoint a DPO.
A DPO is responsible for overseeing data protection strategy and compliance with GDPR requirements. The DPO's responsibilities include:
- educating the business and its employees about compliance requirements;
- training staff involved in data processing;
- conducting audits to ensure compliance and proactively addressing potential issues;
- acting as the point of contact between the business and “supervisory authorities”;
- monitoring performance and providing advice on the impact of data protection efforts;
- maintaining records of data processing activities; and
- communicating with data subjects about how their data is being used, their rights to have their personal data erased, and what measures the business has put in place to protect their personal data.
The list goes on…
Article 37 of the GDPR requires a business to appoint a DPO if (relevantly) it carries out, on a large scale:
(a) systematic monitoring of individuals (for example, online behaviour tracking); or
(b) processing of “special categories of data” or data relating to criminal convictions and offences.
Item (b) is perhaps self-explanatory, that is, if you think this applies to your business, it probably does.
Item (a) could be a topic of an entire article! But for the present purpose, it may help you to ask these questions about your business:
- Is the data collection or data processing activity part of the core activity of your business, or necessary to achieve its goals? If yes, your business will be required to appoint a DPO. Alternatively, if the collection or processing is a support function such as payroll or IT support, it is unlikely your business will need to appoint a DPO.
- Is the activity undertaken on a large scale? Unfortunately, the GDPR does not define “large scale”. Instead, you must consider the number of data subjects concerned, either as a specific number or as a proportion of the relevant population. For example, a hospital’s processing of patient data or a search engine’s behavioural ad targeting is more likely to occur on a large scale. An online shop which processes only a few or tens of EU customer orders is unlikely to be considered large scale.
- Does the data collection or processing activity include regular and systematic monitoring? This is also undefined in the GDPR, but the legislative guidance indicates that activities likely to fall into this category include:
  - providing telecommunications services;
  - email retargeting;
  - data-driven marketing activities;
  - location tracking;
  - CCTV monitoring; and
  - Internet-of-Things (IoT) connected devices.
In a further article, we will take a closer look at the role of DPOs, and considerations for appointing a DPO for your business.
3. Review your contracts with third party suppliers (e.g. outsourcing, independent contractors)
Reviewing these contracts will ensure they include appropriate obligations on the supplier or partner to comply with the GDPR in relation to personal data they process for you, and to assist your business to comply with its own GDPR obligations.
This will help clearly communicate to your customers how you will use any personal data collected in compliance with the GDPR.
5. Identify your business’s specific lawful basis for processing (handling) personal data
The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner (Article 5). “Processing” personal data is lawful when (among other reasons in Article 6):
- the data subject consents to the processing. Valid consent is active (not given by default, inaction or pre-ticked boxes), not bundled with other terms in agreements, not contingent on the provision of services (unless the processing is strictly necessary to provide the service), and able to be withdrawn (and the data subject is notified of this);
- processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person; or
- processing is necessary for compliance with a legal obligation to which the controller is subject.
6. Consider your business’s activities and procedures to identify how it processes personal data
This includes how data is collected, used, transferred, stored and deleted or de-identified, and how a business would respond to a data breach, or a request to either access, erase or stop processing data. As a starting point, you may wish to review what personal data your business collects, how and from whom the collection happens, how personal data is stored and for how long, and who it is shared with.
7. Put appropriate safeguards in place for exporting or transferring personal data outside the EU
The GDPR does not require companies to store data within the EU. Instead, it requires companies to implement appropriate safeguards in line with EU law, before they export personal data from the EU for hosting or processing.
For businesses that are part of a company group, one of these appropriate safeguards is to enter into the European Commission’s Standard Contractual Clauses with the other group companies to which the data is transferred. An advantage of this type of arrangement is that the terms of the agreement can also be enhanced so that information which has a link to a particular country is treated in accordance with that country’s privacy laws. For example:
- your Australian business will have obligations under the Privacy Act 1988 (Cth) which requires data with an “Australian link” to be treated in accordance with the Australian Privacy Principles, not the GDPR; and
- the local laws in other jurisdictions (such as Switzerland, Germany, United States, etc.) may require personal data to be treated differently than under GDPR so that your business complies with the requirements in that legislation.
The start of the GDPR on 25 May 2018 is just around the corner, and you should ensure your organisation is taking steps to get its “data” house in order.