GDPR Applies to Australian Businesses Too
The new EU General Data Protection Regulation (GDPR) will soon usher in the most significant changes in global data privacy regulation to date, applying to all businesses, anywhere in the world, which process information about EU citizens.
From the 25th of May 2018, Australian businesses will be required to implement several data protection procedures in order to be compliant. The new regulations are designed to give customers the assurance that their personal details are protected.
Whilst there are some similarities with the existing Australian Privacy Act 1988 (Privacy Act), the GDPR introduces other significant changes, especially around the rights of individuals, such as the ‘right to be forgotten’, which does not have an equivalent under the Privacy Act. Essentially, this requires businesses to take reasonable steps to destroy and erase personal data when it is no longer required or where the individual has requested that it be destroyed.
With the implementation date fast approaching, here are four ways your business needs to prepare before the GDPR comes into effect:
- Information destruction
To meet the new regulations, businesses need to put in place strong document management and destruction processes to meet the ‘right to be forgotten’ of an individual. If you already have processes in place, it is recommended that these be reviewed to ensure they align with the changing requirements.
- Data security
Before the new regulations come into effect, your business should consider a review of your current safeguards, including identifying your data hotspots and areas that have a greater risk for data breaches. In addition, clear ownership should be in place to ensure that someone is responsible for data protection in your organisation.
- Policy Review
Similar to the existing Australian Privacy Act’s requirements for ‘accountability’, the GDPR principles require that organisations should have privacy protection and information handling procedures embedded in their workplace. Formal policies and procedures must be reviewed and staff should be fully trained by 25th May 2018.
- Reporting Procedures
If a data breach occurs in which the individual’s rights or freedoms are put at high risk, an organisation must report this breach as soon as practically possible and no later than 72 hours after discovery. Your business is required to have well-understood internal policies and procedures in place around the reporting of a breach. Time is of the essence in meeting reporting requirements in the event of a breach, so staff need to know exactly what to do and when.
With extended regulatory powers to enforce penalties and huge punitive fines for non-compliance of up to €20m or 4% of annual global turnover, the new legislation needs to be taken seriously.
To find out more about how the GDPR may affect your business and how Shred-it can work with you to ensure compliance, please download our whitepaper.