In a world increasingly fuelled by data, privacy rights have taken centre stage.
A pivotal player in this privacy revolution is the General Data Protection Regulation, or GDPR as it is commonly known.
This groundbreaking law, brought into effect by the European Union on May 25, 2018, fundamentally changed the landscape of data privacy and reshaped the way organisations handle and protect personal data.
So this only applies to organisations in Europe, right?
Wrong. The focus of GDPR is on personal data, not geography.
It doesn't matter if your organisation is located in one of the remotest regions of the country: the GDPR can apply to any organisation, anywhere in the world.
If you're a business owner or manager, this article lists the Top 7 things you need to know about the GDPR and its impact on businesses, both big and small, and how it is shaping the future of digital privacy.
We've said it once, and we'll say it again... The GDPR isn't just for businesses based in the European Union.
The scope of the General Data Protection Regulation (GDPR) is far-reaching, covering all organisations that process the personal data of individuals residing in the European Union (EU) and European Economic Area (EEA), regardless of the organisation's location.
This means that any company, from a Silicon Valley tech giant to a small e-commerce business in Australia, is subject to the rules of the GDPR if they hold or process the personal data of individuals in the EU or EEA, or if they monitor the behaviour of individuals in these regions.
For example, if a U.S.-based technology company provides a software service to clients in the EU, the company must comply with the GDPR. This is true even if the company doesn't have a physical presence in the EU.
Similarly, if an Australian company uses tracking cookies on its website to monitor the online activities of visitors that could be from the EU, the company is also subject to the GDPR.
This global reach is a distinguishing feature of the GDPR and underscores its significance in the world of data protection.
User consent is one of the central tenets of the General Data Protection Regulation (GDPR). It refers to the requirement that organisations must obtain clear and explicit permission from individuals before collecting, using, or processing their personal data.
Consent under the GDPR must be freely given, specific, informed, and unambiguous. This means the individual has to take a positive action (like ticking a box), and the request for consent must be presented in a manner that is clearly distinguishable from other matters, in an intelligible and easily accessible form, using clear and plain language.
For instance, if a company wants to send marketing emails to its website visitors, it must first get those visitors to actively opt-in. This might be done through a form where the visitor can check a box saying something like, "Yes, I want to receive promotional emails from [Company]."
The form must also provide information on what kind of content will be sent, and how often, and reassure users that they have the right to withdraw their consent at any time. The days of pre-ticked boxes or assuming consent unless the user actively opts out are long gone under the GDPR.
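The consent rules above translate into concrete server-side bookkeeping. The following is an added example, not code from the original article: it assumes an in-memory `ConsentStore`, a purpose name `marketing_email` and a notice label `NOTICE_VERSION`, and shows why a server must read an absent checkbox as "no consent", why consent is recorded per purpose together with the wording the visitor saw, and how withdrawal is honoured before every send.

```python
"""Consent bookkeeping behind a marketing opt-in form.

Added example, not code from the original article. The names ConsentStore,
record_from_form and NOTICE_VERSION are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Consent is purpose-specific: each purpose gets its own, separate decision.
PURPOSES = ("marketing_email",)
# Assumed label for the wording the visitor saw (what is sent, how often,
# and that consent can be withdrawn at any time), so the record is "informed".
NOTICE_VERSION = "marketing-notice-v1"


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentStore:
    """In-memory store; a real deployment persists these records as evidence."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_from_form(self, subject_id: str, form: Dict[str, str],
                         notice_version: str = NOTICE_VERSION,
                         now: Optional[datetime] = None) -> Dict[str, bool]:
        """Derive consent per purpose from a submitted form.

        Browsers only submit a checkbox field when the user ticked it, so an
        absent field is read as "no consent". Nothing here defaults a purpose
        to True: a pre-ticked box or silence is not a positive action.
        """
        now = now or datetime.now(timezone.utc)
        outcome: Dict[str, bool] = {}
        for purpose in PURPOSES:
            ticked = form.get(purpose) == "on"
            if ticked:
                self._records[(subject_id, purpose)] = ConsentRecord(
                    subject_id, purpose, notice_version, now)
            outcome[purpose] = ticked
        return outcome

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdrawing must be as easy as giving consent: one call, no questions."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """The check a mailer runs before every send, not just at signup."""
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active


if __name__ == "__main__":
    store = ConsentStore()
    # Constructed form submissions: one visitor left the box unticked, one ticked it.
    store.record_from_form("visitor-1", {"email": "a@example.com"})
    store.record_from_form("visitor-2", {"email": "b@example.com",
                                         "marketing_email": "on"})
    print(store.has_consent("visitor-1", "marketing_email"))  # False
    print(store.has_consent("visitor-2", "marketing_email"))  # True
    store.withdraw("visitor-2", "marketing_email")
    print(store.has_consent("visitor-2", "marketing_email"))  # False
```

The design point is that the form field name is never given a default of "on" anywhere, and the mailer asks `has_consent` at send time rather than trusting a flag copied into the mailing list at signup, so a withdrawal takes effect immediately.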
Under the General Data Protection Regulation (GDPR), individuals, often referred to as "data subjects," have been granted a number of important rights to provide them with more control over their personal data.
These rights put the individual at the heart of data protection, shifting the power balance between individuals and organisations.
Under the General Data Protection Regulation (GDPR), certain types of organisations are required to appoint a Data Protection Officer (DPO).
In the private sector, the appointment of a DPO is mandatory if the organisation's core activities involve "regular and systematic monitoring of data subjects on a large scale" or consist of "processing on a large scale of special categories of data" such as data revealing racial or ethnic origin, political opinions, religious beliefs, or data concerning health.
You can read the European Commission's directive for more specific guidance about which organisations require a DPO here.
Even if your organisation is not required to have a DPO, the Privacy Commissioner in Australia has issued guidance recommending that organisations appoint a data protection officer as good practice.
The principles of "Privacy by Design" and "Privacy by Default" are core components of the General Data Protection Regulation (GDPR).
"Privacy by Design" means that organisations must consider data privacy during the design stages of all projects, and throughout the lifecycle of the relevant data process. It essentially calls for data protection to be built in from the moment a system is designed, rather than bolted on afterwards.
For example, when developing a new app, a company should build it from the ground up with privacy considerations in mind, such as using data minimisation techniques and pseudonymisation where necessary.
On the other hand, "Privacy by Default" requires that when a system or service gives the individual choices about how much personal data they share with others, the default settings should be the most privacy-friendly ones.
For instance, on a social media platform, the default setting should be that a user's profile information is closed to everyone except the user themselves; they should have to actively choose to share it if they wish.
By embedding these principles into their practices, organisations not only adhere to the GDPR but also build trust with users by respecting and protecting their privacy.
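The two principles are easiest to see in code. The following is an added example, not from the original article: it assumes a keyed pseudonymisation secret `PSEUDONYM_KEY`, an analytics feature that only needs a small set of fields, and a profile settings structure with a `profile_visibility` option. It shows data minimisation and pseudonymisation (privacy by design) on a constructed customer record, and a settings initialiser that starts from the most private values and only widens them on an explicit, valid choice (privacy by default).

```python
"""Privacy by design and by default, in code.

Added example, not from the original article. The key, field list and
setting names are assumptions made for illustration.
"""
import hashlib
import hmac
from datetime import date
from typing import Dict, Optional

# Constructed secret. Keep it separate from the pseudonymised data set so that
# holding the data alone does not let anyone re-link records to people.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# Data minimisation: the analytics feature gets only these fields, nothing else.
ANALYTICS_FIELDS = ("country", "signup_month")


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for the same person, not reversible without the key."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def age_band(dob: date, today: date) -> str:
    """Keep a coarse ten-year band rather than the date of birth itself."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def minimise_for_analytics(record: Dict[str, str], today: date) -> Dict[str, str]:
    """Turn a full customer record into the minimal, pseudonymised analytics row."""
    row = {k: record[k] for k in ANALYTICS_FIELDS if k in record}
    row["age_band"] = age_band(date.fromisoformat(record["date_of_birth"]), today)
    row["subject"] = pseudonymise(record["email"])
    # Direct identifiers (email, phone, date of birth) never reach the row.
    return row


# Privacy by default: a new profile starts closed; sharing is an active choice.
DEFAULT_PROFILE_SETTINGS: Dict[str, object] = {"profile_visibility": "only_me",
                                               "searchable": False}
ALLOWED_VISIBILITY = ("only_me", "friends", "everyone")


def new_profile_settings(chosen: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Start from the most private defaults and apply only explicit, valid choices."""
    settings = dict(DEFAULT_PROFILE_SETTINGS)
    for key, value in (chosen or {}).items():
        if key == "profile_visibility" and value in ALLOWED_VISIBILITY:
            settings[key] = value
        elif key == "searchable" and isinstance(value, bool):
            settings[key] = value
        # Unknown keys or values are ignored rather than widening exposure.
    return settings


if __name__ == "__main__":
    # Constructed customer record
    customer = {"email": "Jane.Doe@example.com", "date_of_birth": "1990-06-15",
                "country": "IE", "signup_month": "2023-11", "phone": "+353 1 000 0000"}
    print(minimise_for_analytics(customer, date(2024, 1, 1)))
    print(new_profile_settings())
```

Two choices matter here: the pseudonym is an HMAC rather than a plain hash, so someone holding the analytics set cannot re-identify a customer by hashing a guessed email address without the key; and the settings function rejects anything it does not recognise, so a malformed or tampered request can only ever leave a profile at its closed default.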
Data breach notification is a crucial requirement of the General Data Protection Regulation (GDPR).
In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, such as discrimination, damage to reputation, financial loss, or loss of confidentiality, the organisation must notify the appropriate supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
The notification must include details like the nature of the personal data breach, categories and number of data subjects and personal data records affected, possible consequences, and measures taken or proposed to mitigate its effects.
Furthermore, if the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, these individuals must also be informed directly and promptly.
For instance, if a company's database is hacked and customer details are stolen, not only must the relevant data protection authority be informed within the stipulated timeline, but also the affected customers must be notified, so they can take necessary protective measures.
This requirement enforces accountability and encourages organisations to prioritise data security.
The General Data Protection Regulation (GDPR) imposes hefty fines and penalties for non-compliance, emphasising its seriousness in data protection. There are two tiers of administrative fines that can be levied.
For more serious infringements, the fine can be up to 20 million euros or 4% of the company's global annual turnover for the previous financial year, whichever is higher. Lesser violations can lead to a fine of up to 10 million euros or 2% of the company's global annual turnover, whichever is higher.
Even if an organisation is based outside of the EU, like in Australia, it can still be fined if it processes the personal data of EU residents. For example, suppose an Australian e-commerce company sells products to customers in the EU and experiences a data breach impacting those customers' personal data.
If the company failed to report this breach to the relevant supervisory authority within the GDPR's 72-hour requirement, it could be fined under the GDPR, regardless of its location in Australia.
This highlights the global reach of the GDPR and the importance of all businesses, wherever they are, ensuring they are in compliance if they handle the personal data of EU residents.
Navigating the complexities of the General Data Protection Regulation (GDPR) can be challenging, but it's vital for any organisation handling personal data, especially of individuals within the European Union and EEA.
If you're unsure about whether your systems are GDPR-compliant, we can help.
A GDPR compliance audit can identify any gaps in your current data protection measures, recommend improvements, and guide you through the necessary steps towards full compliance.
As is the central theme at Cyber Heroes, training your staff, particularly those handling personal data, in GDPR requirements is also crucial, as they play a pivotal role in data protection.
Remember, GDPR compliance isn't a one-off task but requires ongoing effort and commitment to ensure data privacy is embedded in every facet of your business operations.
Let the GDPR be an opportunity to enhance trust with your customers by showing them how seriously you take their privacy rights.