The European General Data Protection Regulation (GDPR) - Part two: Seven simple steps you can take now to comply with the GDPR
In our previous article, we outlined the GDPR and how it may apply to your Australian business, starting from 25 May 2018.
In this article, we look at seven steps your business can take now to assess its compliance with the GDPR, and make changes.
Article 27 of the GDPR requires that, if a business does not have an office in the EU, the business must appoint a representative in an EU member state if it:
An exception applies where the processing of personal data is occasional, does not include large-scale processing of special categories of data (such as personal data revealing political opinions, trade union membership or genetic data) or of personal data relating to criminal convictions and offences, and is unlikely to result in a risk to the rights and freedoms of natural persons.
If your business is required to appoint an EU representative, your representative will be your main contact person in the EU, for both individuals whose data you collect or process (“data subjects”) and privacy regulators (the GDPR calls these “supervisory authorities”).
The intention behind this requirement is that individuals and regulators would prefer to speak with someone who is local (or at least closer to them in geography and time zone), who perhaps speaks the same language, and who understands their local customs and expectations.
In a further article, we will look at the role of a representative in greater detail, as well as the key issues you should take into account when recruiting and appointing a representative.
We have seen a lot of misinformation flying around about this issue. As you will see below, most private sector companies will not need to appoint a data protection officer (DPO).
A DPO is responsible for overseeing data protection strategy and compliance with GDPR requirements. This includes:
The list goes on…
Article 37 of the GDPR requires a business to appoint a DPO if (relevantly) it carries out, on a large scale:
(a) systematic monitoring of individuals (for example, online behaviour tracking); or
(b) processing of “special categories of data” or data relating to criminal convictions and offences.
Item (b) is perhaps self-explanatory, that is, if you think this applies to your business, it probably does.
Item (a) could be a topic of an entire article! But for the present purpose, it may help you to ask these questions about your business:
In a further article, we will take a closer look at the role of DPOs, and the considerations for appointing a DPO for your business.
This will ensure they include appropriate obligations on the supplier or partner to comply with the GDPR in relation to the personal data they process for you, and to assist your business to comply with its own GDPR obligations.
This will help clearly communicate to your customers how you will use any personal data collected in compliance with the GDPR.
The GDPR requires that personal data be processed lawfully, fairly and in a transparent manner (Article 5). “Processing” personal data is lawful when (among other reasons in Article 6):
This includes how data is collected, used, transferred, stored and deleted or de-identified, and how a business would respond to a data breach, or a request to either access, erase or stop processing data. As a starting point, you may wish to review what personal data your business collects, how and from whom the collection happens, how personal data is stored and for how long, and who it is shared with.
The GDPR does not require companies to store data within the EU. Instead, it requires companies to implement appropriate safeguards in line with EU law, before they export personal data from the EU for hosting or processing.
For businesses that are part of a company group, one of these appropriate safeguards is to enter into the European Commission’s Standard Contractual Clauses with the other group companies to which the data is transferred. An advantage of this type of arrangement is that the terms of the agreement can also be extended to cover information that has a link to a particular country, so that it is handled in accordance with that country’s privacy laws. For example:
The commencement of the GDPR on 25 May 2018 is just around the corner, and you should ensure your organisation is taking steps to get its “data” house in order.
If you would like guidance on how the GDPR applies to your business, how to prepare for it, and to comply with the GDPR when sharing data among your business, its partners and suppliers, please contact one of our GDPR professionals.