Australian companies with customers or subscribers in the European Union have a slight leg up on much of the world when it comes to complying with the EU’s new General Data Protection Regulation (GDPR). But there is still immediate work to be done.
Because of the pioneering Australian Privacy Act (APA) of 1988, Australian companies already abide by some privacy rules found in the wide-ranging GDPR, which take effect in May.
- A privacy by design approach to compliance
- Demonstrated compliance with privacy principles and obligations; and
- Transparent information handling practices.
That is more of a head start than many countries in moving toward GDPR compliance. But it is not sufficient to meet all GDPR guidelines, which Australian companies must do if they have even one customer residing in the European Union.
Among the notable differences between the APA and GDPR that will require additional steps for Australian companies:
- Incorporating the so-called right to be forgotten, which allows consumers to ask that their information be wiped from databases;
- Establishing a data controller responsible for all database maintenance and compliance; and
- Redefining “personal data” to comply with the GDPR definition, which includes names, identification numbers, location data, online identifiers or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the consumer.
The Australian Office of the Information Commissioner, which enforces national digital privacy standards, recommends that companies adopt GDPR measures if they are more stringent than the Australian standards.
Doing so will “improve consumer trust through enhanced privacy practices and allow for more consistent internal privacy practices, procedures and systems across the business,” the commissioner’s office says in its General Data Protection Regulation Guidance for Australian Businesses.
Creating this broader alignment makes a lot of sense for business moving forward, as we already have seen other nations, such as Russia, China and Singapore, taking steps to regulate companies’ personal data collection and use.
In addition, because penalties for noncompliance with GDPR can be so harsh – up to 4 percent of gross revenue – it is wise to protect revenue and the brand’s good name.
A solid Customer Information and Access Management (CIAM) platform can help companies keep pace with the new regulatory requirements, typically a more efficient alternative to handling data compliance internally.
Either way – whether you are in Australian firm or based anywhere else in the world – it’s time to get started if you expect to meet the GDPR deadline of May 2018.
By Luke Coley