Protecting your Australian-European customer data
Customer privacy is no longer just a legal, compliance or security issue; it has become a strategic topic at a boardroom level and even more so since the final text of the EU General Data Protection Regulation (“EU GDPR”) was released on 16 December 2015.
This regulation has a global territorial scope and, once passed by Parliament, will automatically come into force two years later, in 2018, replacing the existing legislation. These changes will have a profound impact on the operational and control risk environment of organisations that have EU citizens as customers or operations within the EU. Organisations should not underestimate the time it will take to comply with these changes.
For organisations in Australia with business divisions based in Europe, understanding the new requirements that the EU GDPR introduces will be paramount to managing risk exposure. These potential risk exposure areas include:
- Privacy governance
- Obligation to appoint a Data Protection Officer
- The right to ‘erasure’
- Data breach notification
- Risk analysis and data protection impact assessments
- Consent management
- Cross border data transfers
- Sensitive information
- Data notification or collections notice.
Organisations will need:
- To be more proactive and take a risk-based approach to privacy
- A better-adapted approach to finding out which data they are processing or sharing, and where.
Are you prepared for the EU GDPR?
- Does your organisation know when to conduct privacy impact assessments?
- Does your organisation have metrics to measure privacy compliance?
- Does your organisation have a process in place to respond to questions from your customers and third parties?
- Has your organisation appointed a Privacy Officer?
What can you do to prepare?
- Create a cross-functional team within your organisation
- Understand the data you hold and where it comes from
- Understand the purpose information is collected for
- Understand which third parties hold your customer data.
The new EU GDPR document spans over 200 pages and will take some time to understand. For a “first impression” from a global perspective, please read our article First impressions of the General Data Protection Regulation. Our Privacy and Data Protection team will keep you posted on developments affecting the regulatory framework for privacy and personal data protection in Australia, and can be reached for further information on how best to prepare in a pragmatic way.