GDPR is a regulation, drawn up and governed by European Union (EU) law and in effect since May 25th, 2018, that sets out requirements for how identifiable information about individual people must be processed.
The intended purpose of GDPR is to put control of personal data into the hands of the owner of that data: the individual citizen of the EU. Citizens should be able to easily find out which of their data is held by which business operating in the European Single Market, and to prevent such data from being abused. The regulation applies in all member states of the European Union.
You need to take stock of the data your organisation has gathered. This includes data stored in third-party cloud-based platforms, such as Dropbox or Google Drive, customer resource systems and email repositories.
If your organisation stores outdated personal data, you should consider how relevant that data is to your business objectives, and purge any data that no longer serves that purpose.
Whether the data was gathered to fulfil a contract or another legal requirement or obligation, or purely for marketing purposes, consent is required to process personal data in any way. Make sure you have acquired the necessary consent from all parties.
If your organisation holds personal data about an individual, and that individual requests that the data be provided to them, amended or moved elsewhere, then you must comply.
Fines will be enforced, mostly against those who blatantly ignore the GDPR's requirements, make no effort at all to implement them, or knowingly abuse its statutes. There is also a risk of enforcement action if a large breach of personal data occurs within your enterprise.
It is implied that regulators will show leniency to organisations that make visible efforts toward compliance. Fines can reach up to 4 percent of a company's annual turnover, or 20 million Euros, should the accused be found culpable.
Compliance is not a one-off concern. Businesses must ensure that they continue to meet the requirements (from 25th May, 2018 onwards) in order to remain compliant with the regulation.
According to the Office of the Australian Information Commissioner, the regulation applies to any Australian business that offers goods or services in the EU, or monitors the behaviour of EU citizens. Since many EU citizens reside in Australia, GDPR compliance should not be ignored.
The GDPR adds obligations over and above the existing Australian Privacy Act of 1988, but the two share some common requirements: a ‘privacy by design’ approach must be taken, compliance with the regulation's principles and obligations must be demonstrable, and businesses must adopt transparent practices in handling personal information. An example of a requirement that is new and unique to GDPR is the ‘right to be forgotten’.
If there was any doubt as to whether action should be taken in light of GDPR, that doubt should be dispelled and a plan of action put together.
In the spirit of transparency, ethical treatment of the general public, and protecting a business's own interests, every organisation, no matter how small, should be taking action toward GDPR compliance.
Martech Today offers a clear and concise list toward ensuring GDPR compliance, looking at aspects such as privacy communications, managing consent, and preventing data breaches.