There is a lot of confusion among Australian organisations over the scope and extent of their compliance with the new data protection laws introduced by the European Union. Questions that we have been asked include: Does it affect our organisation? If so, does it affect our entire organisation’s operations? What are the consequences of non-compliance? What practical things can we do to comply?

In my first post for 2017, one of the largest trends I called out was the need for organisations to establish Data Protection Programs. In the Asia-Pacific, there are many drivers for this, including now the extraterritorial scope of the new European Union General Data Protection Regulation (EU GDPR).

Why organisations in Australia should care

Organisations in Australia have recently undergone changes to comply with the Australian Privacy Principles and/or Privacy (Credit Reporting) Code introduced in 2014. In Australia, a breach of the Principles could result in:

- A fine of up to $1.8 million
- An enforceable undertaking
- Investigation by the Office of the Australian Information Commissioner (OAIC)
- Paying damages to an individual.

Non-compliance with the EU GDPR could have a far greater impact, resulting in:

- A fine of up to €20 million or 4% of global turnover, whichever is greater
- Banning cross-border transfers
- Banning processing activities
- Being subjected to investigatory audits including access to premises and data
- Warnings or reprimands
- Liability for damages.

Non-compliance with the EU GDPR could also impact an organisation’s local and global reputation. EU customers will expect a new standard of data protection, and organisations should seek to comply with the new laws to meet these expectations.

What is applicable to organisations in Australia?
These tough new EU GDPR data protection laws will be effective in May 2018 and will include organisations outside the EU, such as Australia, which:

- Offer goods and services in the EU
- Offer goods and services to EU data subjects
- Monitor the behaviour of EU data subjects

Australian organisations with a presence in the EU that meet any of the above criteria will need to comply with the EU GDPR. For organisations that do not have a clear presence in the EU, there are other ways to indicate that they are offering services to EU customers, and therefore need to comply with the EU GDPR. These could include:

- Your website offers a translation in an EU language
- You accept payments in a currency of a country from the EU
- Your website does not have a .com.au domain
- You host/process data on behalf of an organisation based in the EU, or of an Australian organisation offering goods or services to EU data subjects.

It is important to note that there are scenarios with grey areas, including how penalties will be enforced where organisations in Australia do not have a main establishment in the EU. However, it must be understood that under the EU GDPR an individual has rights to information (to be covered in a subsequent post) that an Australian organisation may be asked to comply with. Many organisations will not know how many of their customers are EU data subjects, posing a further challenge when assessing risk exposure.

Where do we start?

For our clients in Australia, it is important to adopt a pragmatic approach to ensure compliance with the EU GDPR. You might, however, consider complying with the EU GDPR requirements when conducting all your activities, to streamline your protocols, standards and business processes and avoid the risk of not complying with the EU GDPR.
The following five steps can start to build your roadmap to compliance with the EU GDPR:

1. Identify your organisation’s products/services/data processing activities, if any, that require compliance with the EU GDPR: conduct an audit of the products/services/data processing activities that have, or may have, exposure to EU customers. You may also consider identifying and assessing key risk factors to further identify risk exposure and prioritise work efforts.

2. Determine which country would be considered your lead data protection authority: get in touch with them and research the Regulator’s expectations. This will also be your key point of contact for complaints, disputes and any other matters. If you do operate in more than one country in the EU, the law does not preclude other countries’ data protection regulators from contacting you directly.

3. Conduct a data protection gap analysis of the products/services/data processing activities identified in Step 1 against the EU GDPR, and against any other EU countries’ laws to which you may have a large exposure that could pose a large non-compliance risk. You might develop a privacy matrix, to be updated in the long term, which can be used as a quick reference to identify risk exposure. You may decide to take this further and calculate a risk exposure score for new/existing activities.

4. Based on the risks identified in the gap analysis, create or update your Data Protection Program, including developing an EU GDPR Roadmap. You may find that you are already complying with many of the principles under the EU GDPR.

5. Identify effective resources to implement the Roadmap. Most Data Protection Programs will contain a number of streams of work and may require new technology and culture change to ensure scalable compliance.
For example, consider sourcing tools to streamline pseudonymisation, a new requirement under the EU GDPR. Pseudonymisation replaces the direct identifiers in personal data with artificial identifiers (pseudonyms), so that the data can no longer be linked back to an individual without additional information that is held separately. There are streams on your roadmap in which we would recommend your organisation is involved directly rather than relying on external resources, as in the longer term, operationally, you may choose not to manage all of these risks externally.
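As an added illustration (not code from the original post) of the pseudonymisation technique just described: each direct identifier is replaced with a keyed HMAC token, while the secret key and the token-to-identity lookup table are held apart from the data set, so the data can only be re-linked to a person by whoever holds that separate information. The customer records, the key handling and the choice of `email` as the direct identifier are constructed assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records standing in for a customer data set (assumption).
CUSTOMERS = [
    {"email": "alice@example.com", "country": "DE", "spend": 120},
    {"email": "bob@example.com", "country": "AU", "spend": 80},
    {"email": "alice@example.com", "country": "DE", "spend": 45},
]

# Fields treated as direct identifiers (assumed for this example).
DIRECT_IDENTIFIERS = ("email",)


def make_pseudonym(value: str, key: bytes) -> str:
    """Derive a stable pseudonym with HMAC-SHA256 under the separately held key.

    Normalising first keeps 'Alice@Example.com' and 'alice@example.com' on one
    pseudonym; the secret key stops anyone without it from confirming a guessed
    email by simply hashing candidates (a plain unkeyed hash would allow that).
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes, fields=DIRECT_IDENTIFIERS):
    """Return (pseudonymised records, lookup table); store the table apart from the data."""
    lookup, output = {}, []
    for rec in records:
        out = dict(rec)
        for field in fields:
            token = make_pseudonym(rec[field], key)
            lookup[token] = rec[field]   # the 'additional information' held separately
            out[field] = token
        output.append(out)
    return output, lookup


def reidentify(record, lookup, fields=DIRECT_IDENTIFIERS):
    """Re-link a record to the individual; only possible with the separately held table."""
    return {**record, **{f: lookup[record[f]] for f in fields}}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice fetched from a KMS/HSM, never stored with the data
    pseudo, lookup = pseudonymise(CUSTOMERS, key)
    print(pseudo)                   # shareable with analysts: the repeat customer still joins on the token
    print(reidentify(pseudo[1], lookup))
```

Pseudonymised data remains personal data under the EU GDPR, because the separately held key or table still allows re-identification; the technique reduces risk and supports the Regulation's security and data-minimisation expectations, but it does not take the data set out of scope.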