Greetings from Sydney!
It has been a busy week of events here in Australia, with global data privacy thought-leader Sheila Fitzpatrick speaking to sellout audiences of iappANZ members and guests in Sydney, Melbourne and Adelaide about the GDPR and, in particular, its impact on Australian organizations.
With only 92 days remaining until the GDPR takes effect, and EU data protection regulators firmly resolved to begin enforcement from day one, Fitzpatrick has been encouraged by the discussions many organizations are having about data privacy compliance as they prepare for the GDPR. However, she observed that, even today, some organizations remain unaware of the implications the GDPR has for their business. Many Australian organizations still do not understand what the GDPR actually means for them and are confused about whether it applies to them at all.
Our key take-aways from Fitzpatrick’s presentation were as follows:
- If an Australian organization has any interaction with the personal data of EU residents, the GDPR will apply to it, regardless of where the organization itself is based.
- GDPR requires organizations to have a data privacy compliance framework in place, which should be customized to each organization’s individual requirements. Having a well-defined data breach notification and remediation plan is an essential component.
- It’s important to know the difference between data security and data privacy. While systems and security are an important part of an organization’s privacy compliance framework, successful compliance with GDPR will be measured by the organization’s ability to clearly demonstrate to its stakeholders that it understands what data it’s collecting and how it’s processing the data.
- Privacy due diligence is important. Organizations should know what agreements they have in place with any of their third-party suppliers that collect, process or store personal data on their behalf.
- Rather than running from privacy laws, it’s important for your organization to embrace them. In so doing, you’ll turn privacy compliance into your organization’s competitive advantage, building trust with your stakeholders and strengthening your relationships with them.
- If an Australian organization hasn’t started preparing for GDPR, don’t panic — just get to work and start building your privacy compliance foundation. If you need help with this task, do your research and reach out to a qualified data privacy and governance trusted adviser.
In other Australian news this week, the long-anticipated Notifiable Data Breaches scheme comes into force today. The scheme mandates that Australian government agencies and businesses with obligations under the Australian Privacy Act must notify individuals if they are likely to be at risk of serious harm as a result of an eligible data breach involving their personal data. The notification must include recommendations about the steps individuals should take in response to the breach. The Australian Privacy Commissioner must also be notified of the breach. With concerns raised that many small businesses in Australia are unaware of the reporting requirements under the NDB scheme and the “crippling” penalties for noncompliance, the Australian Privacy Commissioner has recently published helpful guidance about dealing with a data breach. For organizations that have their data breach response plan in place already, undertaking a tabletop data breach exercise (which simulates a data breach emergency situation in an informal, stress-free setting) would be a helpful next step to assess their NDB readiness. The focus here is on regular training and familiarization with your organization’s established policies and plans.
And last (but certainly not least), the attorney general for Australia has this week announced the retirement of Timothy Pilgrim as Australian information commissioner and privacy commissioner, effective 24 March 2018. Pilgrim commenced his role as privacy commissioner in 2010. During his time as commissioner, Pilgrim has been widely recognized in the community for his thoughtful and considered approach to privacy and information regulation and applauded for his dedicated work helping Australia deal with local and global privacy challenges.