Biggest Changes to Data Privacy - Is Your Business Compliant with GDPR?
From today, 25 May 2018, any Australian company with customers in the European Union (EU), including the UK, must comply with the EU’s General Data Protection Regulation (GDPR) requirements. As well as bricks and mortar stores, the GDPR applies to online businesses that market to EU consumers.
Many businesses have been preparing to avoid the heavy penalties imposed by this new international standard designed to protect personal data. If you’re still unclear whether your business is compliant, it’s not too late to get up to speed.
EU GDPR Compliance Checklist for Australian Businesses
- Do you have notification processes in place?
Companies now have only 72 hours to report a data breach, a drastic change to current time frames: most businesses currently take on average 2 months to report a breach. You will need to report the breach to the customer’s country of residence, making it essential that you have clear reporting procedures in place. Businesses should have already updated their data response plans in preparation for the Notifiable Data Breaches (NDB) scheme, which came into effect in 2018 under the Privacy Act 1988. However, there are some differences between the two schemes, so you should update your plans where necessary to account for GDPR.
- Do you know how your data is stored?
Do you know where your critical information is kept, how it is handled and who has access to it? Set up clear processes and a thorough understanding of how data is transmitted both in-house and to outside parties.
- Have your customers given proper consent?
Maximum penalties will be applied to companies that fail to acquire proper consent from their customers. A ‘privacy by design’ requirement calls for data protection from the point of collection, including appropriate consent and controls around how the data is used. Only collect the personal data that is absolutely necessary for the business, and embed security-driven processes in the workplace to protect it.
- Do you have a formal destruction process in place?
The GDPR’s ‘right to be forgotten’ means organisations can’t keep personal information any longer than necessary and must remove the information if the owner withdraws their consent. You must also always consider the requirements of all relevant Australian legislation in decisions about disposing of information.
Put a formal information destruction and management process in place that will help monitor and protect information from creation to destruction. Partner with a document destruction company for secure information disposal.
Potential penalties under GDPR are serious: the maximum fine for a privacy breach is 20 million euros or 4 percent of annual global turnover, whichever is higher. Assessing how GDPR affects them is therefore essential risk management for Australian businesses.
Start Protecting Your Business
To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote.