Digital Transformation in Government Insight #67:
A quick look at the GDPR
In May this year the EU’s General Data Protection Regulation (GDPR) came into effect. These new regulations bring stricter personal data rules into play for organisations that have an operation in the EU or deal with EU residents’ personal data.
What is the GDPR?
The GDPR legislation was released in 2016, with the new data protection laws coming into effect on 25 May 2018. It covers personal data, which is defined in the legislation as being ‘any information relating to an identified or identifiable natural person’ (Article 4).
The GDPR aims to protect EU citizens’ personal data and give EU citizens additional rights and control over their data.
The legislation is an 88-page document that can be viewed in HTML format or downloaded as a PDF from the GDPR website. The regulation is divided into 11 chapters/sections:
Chapter 1 — General provisions
Chapter 2 — Principles
Chapter 3 — Rights of the data subject
Chapter 4 — Controller and processor
Chapter 6 — Independent supervisory authorities
Chapter 7 — Cooperation and consistency
Chapter 8 — Remedies, liability and penalties
Chapter 10 — Delegated acts and implementing acts
Chapter 11 — Final provisions
Who does GDPR apply to?
The GDPR covers the data processing activities of all organisations that are data processors or controllers:
with an establishment in the EU; or
who offer goods and services to people living in the EU; or
who monitor the behaviour of people in the EU (e.g. online profiling based on user choices/interactions on a website).
This means some Australian businesses and organisations need to comply with the GDPR, specifically Australian businesses that interact with people in the EU through one or more of the three categories above.
Of course, it also means many of the global tech giants now need to comply with the GDPR, for example companies like Google, Amazon and Facebook. For more information on this, you might like to read the ZDNet article GDPR proves that tech giants can be tamed.
How does it affect consumers and citizens?
The GDPR has been set up to provide people who live in the EU with more data privacy and more control of their personal data. For example, the GDPR sets out very specific legislation around consent (and the right to withdraw consent), data portability and notification if a data breach has occurred. See below for more information around some of the specific legislation.
The data considered ‘personal data’ has also been expanded and now includes things like online identities, identifiers like an IP address, genetic data and biometric data (see Article 4).
The GDPR includes a new, stricter definition of consent. Under the new definition, consent must be freely given, specific, informed and unambiguous (see Article 4 (11)). For example, pre-ticked boxes are not considered consent.
In addition, the withdrawal of consent must be as easy as giving consent.
Individuals must be given specific information about how their personal data will be processed, and this information must be presented in a concise and transparent way, using clear, plain language (see Articles 12, 13 and 14 for more information).
The GDPR delivers new, expanded rights for individuals, including the:
‘Right to be forgotten’ — which requires data controllers to delete an individual’s data in certain circumstances.
Right to ‘data portability’ — which requires controllers to give individuals their data in a ‘structured, commonly used, machine-readable format’.
Right to restriction of processing — individuals can restrict a controller’s use of their personal data in some circumstances.
Mandatory reporting of data breaches
Under the GDPR, if a data breach occurs, data controllers must tell the relevant authority of the breach within 72 hours of becoming aware of it (unless the breach isn’t high-risk). If the data breach causes a high risk to the rights and freedoms of an individual, the controller must also notify the individual without delay (Article 34). Exceptions to this mandatory notification requirement can be found in Article 34 (3).
The GDPR also contains expanded accountability requirements. For example, data controllers must demonstrate that they comply with the principles in Article 5. They must also have data protection policies in place, and must follow the ‘data protection by design and by default’ requirement set out in Article 25. In some situations controllers and processors will need to appoint a data protection officer to specifically look after GDPR requirements. This is the case if the organisation is involved in large-scale data processing or carries out large-scale behavioural monitoring/tracking.
The GDPR also covers penalties for not meeting the requirements, with a maximum penalty of 20 million Euro or four percent of annual turnover.
The GDPR and law enforcement
It should be noted that the GDPR does not apply to law enforcement agencies; that is, the legislation doesn’t cover law enforcement agencies that process personal data.
The Office of the Australian Information Commissioner (OAIC) has produced an excellent resource that covers how the GDPR affects Aussie businesses and highlights the similarities and differences between GDPR and the Australian Privacy Act.
ZDNet also has some great articles on the GDPR, including What is GDPR? Everything you need to know about the new general data protection regulations and a five-step checklist.
And of course if you like fairly dense legal documentation (or you need the full details with specific article numbers, etc.) read the full GDPR at the GDPR website.
Salsa Digital's take
It’s still early days, given the GDPR has only been in effect for four months. The organisations most affected will certainly be the global tech giants (e.g. think about how Amazon uses personal data to recommend purchases), but there will be many smaller organisations that must comply with the GDPR. Interestingly, the OAIC document on GDPR suggests that it will make sense for many Aussie organisations with EU customers or users to implement GDPR across the board, and so it will have a flow-on effect on Aussies’ data privacy. This is another key way in which the GDPR affects Australians.