Unless you’ve been living under a rock recently, you have probably at least heard about this new big thing in the privacy world called ‘GDPR’ … and maybe you have even wondered whether it matters to you. But once you realised it is a new European privacy law, did you mentally switch off? Well, folks, it’s time to switch back on, sit up straight and pay attention, because EU privacy law is going to have an impact on Australian organisations, whether we like it or not. Some of us will be directly regulated, others only indirectly affected, but there will be an impact nonetheless.
So first, the headline facts. GDPR stands for General Data Protection Regulation. It is a new privacy law which will apply from May 2018 across all 28 EU member states – including the UK for now, and likely even post-Brexit too. The GDPR will replace the current set of differing national privacy statutes with one piece of legislation, and will offer a one-stop-shop approach when dealing with the privacy regulators across those 28 countries. So the GDPR is about harmonising privacy law across the EU, and streamlining its application. That’s the fairly impressive carrot.
The stick is impressive too: fines for failing to comply with the GDPR will reach up to €20M, or 4% of a company’s annual global turnover, whichever is the greater. Oh yeah, these new penalties are aimed squarely at the Facebooks and Ubers and Googles – behemoths who could previously afford to shake off smaller fines as the price of doing business.
While those potential penalties are startling enough, the other kicker is the new, expanded reach of GDPR, well beyond European land borders. The privacy rules in the GDPR apply to any organisation which offers goods or services (including free services) to, or monitors the behaviour of, “data subjects in the Union”. That is EU-legalese for “anyone inside the EU” – not just citizens.
Your organisation does not need to have any physical or legal presence in the EU to be directly regulated. If you offer your goods or services to people in the EU, you will be required to comply with the GDPR. So if you are a retailer selling Aussie cossies to Greta of Germany, you will need to comply. If you are a travel agent booking tours to Uluru for Bertrand from Belgium, ditto.
Even for those of us not directly regulated by the GDPR, there will be indirect impacts. Europe has raised the bar in terms of expectations about privacy protection, and the rest of the world is likely to follow.
Take for example the Accountability principle, which requires organisations to be proactive. This means that if you don’t have an effective privacy compliance program, you can be found in breach of your data protection obligations even if you don’t suffer a data breach.
Although by no means a European invention – our APP 1 has the same objective – the financial penalties attached to the GDPR are intended to kick-start proper privacy governance in even the most heel-dragging organisations. No surprise then that Elizabeth Denham, the UK Information Commissioner, has described the Accountability principle as a “game changer”:
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
To help achieve this, the GDPR embeds a requirement to do ‘data protection by design’, or as we tend to know it, Privacy by Design (PbD). In our view, the GDPR will be the stimulus for plenty of talk about PbD – but it needs to be more than just a hollow set of catchy promises.
Turning PbD into a reality poses significant challenges for any organisation. There is a cultural divide between the lawyers who are comfortable with principles-based fuzzy law and concepts like ‘within reasonable expectations’, and the system engineers who need to code for decision-making in a binary fashion. Even the central tenets of PbD are fuzzy: what is a solution architect actually supposed to do if she is told to ‘embed privacy into the design’?
(Well, actually, here at Salinger Privacy we have developed eight Privacy Design Strategies, which offer clearer guidance for system designers. And now, just in time for you to get ready for Privacy Awareness Week, we have launched new online training modules on this topic: how to identify privacy risks in projects, and how to resolve those risks. Our objective is to turn abstract privacy principles into concrete design strategies, so that privacy officers and system designers can work together to deliver on the promise of PbD.)
The GDPR also has a strong focus on getting reactive strategies right. Although data breach notification (DBN) requirements have been around in the United States for some years now, and Australia has just passed its own DBN laws, the GDPR ramps up the pressure further by setting a default 72-hour timeframe for notifying the relevant regulator. However, the GDPR also offers escape clauses for organisations that have “appropriate technical and organizational measures” in place to protect data. We predict the result will be bigger infosec spends on data loss prevention technologies.
There are other ways in which I am already seeing the influence of the GDPR in Australia, such as new thinking about the right of consumers to data portability from the Productivity Commission. And last month on behalf of iappANZ I was one of four panellists discussing the impact of the recent Privacy Commissioner v Telstra case, when discussion inevitably turned to comparisons with the GDPR. The GDPR skips straight past the is-this-data-‘about’-an-individual dilemma in Australian privacy jurisprudence, by defining ‘personal data’ more simply as “any information relating to an identified or identifiable natural person”.
Finally, the GDPR was carefully drafted to reject the old binary “either it’s personal information or it’s not” approach to de-identification, in favour of recognising that de-identification is a risk management tool, not a perfect end-state. Further, the GDPR explicitly refers to “taking into consideration the available technology” when testing for (re)identifiability, meaning that considering a dataset in isolation is not enough. This more nuanced and pragmatic approach is influencing contemporary thinking on the topic, including our own introductory guide to de-identification techniques.
So whether your organisation will be directly regulated by GDPR or not, I predict that privacy professionals across Australia will be feeling its positive influence for years to come.
P.S. If you would like more information about the scope of the GDPR requirements and its impact on information security programs, see the GDPR White Paper from janusNET. For an overview of the GDPR from a legal perspective you can download a guide from Hunton & Williams. Or for the official guidance from the EU privacy regulators, see the guidelines being progressively released by the Article 29 Working Party, as advisors to the European Commission.