The European General Data Protection Regulation (GDPR) came into force on 25 May 2018, and we have now seen 12 months since the commencement of the GDPR. Though a revolutionary regional instrument, it imposes obligations on businesses across the globe. In its one year of application, the GDPR has drastically changed the data protection and privacy landscape. With almost 90,000 data breach notifications since its inception, we take a look back at the privacy lessons of the past 12 months.
Who must comply?
One of the key lessons to take away from the GDPR regime has been the wide scope of its application. It’s important to know that if you process data in the EU, the GDPR may capture your business. The GDPR will impose obligations on your business if you offer goods and services to, or otherwise monitor the behaviour of, EU citizens. Offering goods and services to EU citizens can include business activities such as:
- offering the price of goods in Euros;
- having an office in the EU;
- mentioning users or having customers in the EU;
- allowing your website to be readily translated into a European language other than English.
Appoint a Privacy Officer/DPO
The second lesson of the GDPR has been the importance of Data Protection Officers (DPOs) in the protection of privacy. Whilst the Australian privacy regime advocated for the appointment of organisational privacy officers, the GDPR has made it abundantly clear just how important this role is. Having a DPO or Privacy Officer role in your organisation helps ensure GDPR compliance and gives your customers an expert point of contact for any questions arising about a business’ use and management of personal information.
Be prepared to contain a breach
From Google’s massive €50 million fine we’ve learnt the importance of containment. If your business suspects that it has experienced a data breach, you need to take immediate steps to try to:
- stop it; and
- minimise its impact.
Failing to stop the spread of harm to other users/customers may result in larger penalties. In arguably the biggest privacy case of the year, France’s privacy watchdog hit Google with enormous fines for using user data in targeted advertising without users’ explicit permission. Due to automatically ticked checkboxes, the privacy breach affected thousands of French users. This also suggests that the larger the organisation, the greater its responsibility for ensuring the protection of customers’ personal information. Google’s prominent market position was cited as one of the reasons it was handed such a hefty fine.
Obtain specific consent for all uses and disclosures
Another thing we have learnt from the Google case is that general consent will not fly under the GDPR regime. One of Google’s big mistakes was having a single checkbox asking users to consent to the processing of their information by Google. The French Commission criticised this, saying that to be GDPR compliant, specific consent is required for each purpose for which an individual’s personal information is collected and used.
To help keep on top of your privacy obligations, contact Griffin Legal. We can help you better understand the GDPR and create a working privacy framework for your business.
To learn more about your organisation’s privacy obligations, please contact us here.