The joys of changing Privacy Laws
There are a few privacy changes that have occurred and will occur. You may be affected, so I've summarised them here. Please keep in mind I'm not your legal counsel, so as always, check with yours.
Australian NDB (maybe skip this if you don't operate in AU)
Changes to the Australian Privacy Act in February 2017 established the Notifiable Data Breach (NDB) scheme. The scheme is effective from 22 February 2018. From this date onwards, if you suffer a breach that affects Personally Identifiable Information (PII), then you have to notify the privacy commissioner. What does this actually mean for organisations? Well, if you operate in Australia and you are:
- an Australian Government agency,
- a business and/or not-for-profit organisation with an annual turnover of $3 million or more,
- a credit reporting body,
- a health service provider, or
- a Tax File Number recipient,
then you have to have the processes and procedures in place to evaluate whether a security incident is a breach of PII, what the impact will be on those whose information is affected, and what steps have been taken to remediate the issue. To determine whether a security incident is a breach you have to assess three main criteria:
- is there unauthorised access or disclosure of PII?
- is it likely to result in serious harm (not a specifically defined term, but it may include serious physical, psychological, emotional, financial, or reputational harm)?
- has the organisation been able to prevent serious harm from occurring with remedial action?
If the answer to the above is yes, then you may have a notifiable breach.
If you haven't already, make sure your organisation has the processes in place.
A good resource is the following link: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#what-is-a-data-breach
GDPR (probably affects most of us)
The other change is the General Data Protection Regulation (GDPR), which will be enforced from May 25, 2018, so there is another month or so to go (https://www.eugdpr.org/).
GDPR affects organisations both inside and outside the EU. The main criteria are pretty broad: if you are selling goods or services to EU citizens, then you will have to comply. The difficulty comes into play with the last criterion, which is "monitoring the behaviour of EU data subjects". This basically means that if you have a web site that collects information about users of the site, you will likely have to comply. This is one reason why you are seeing those fairly intrusive "we collect cookies, give us permission" banners on more and more websites.
The penalties can be quite substantial, up to 20 million pounds. I'm not sure how they would collect that from "Bob's Kitchen and Toilet Brush Emporium", but ultimately the risk is there.
The main changes are:
- required to notify of a breach within 72 hours,
- users must provide consent, so there is no longer an automatic opt-in or a "tick here to not do something" box,
- users can obtain the information collected about them in a machine-readable format,
- right to be forgotten (this concept does not carry across to many other countries' privacy laws),
- design for privacy (only collect what is really needed),
- have a Data Protection Officer.
And before you ask, yes, an IP address is considered PII and falls under this regulation (maybe a good argument to block all of the EU IP addresses).
So if you have a web site, deal with EU citizens, or do business in Australia, then you may have some privacy processes to review and update.
Cheers
Mark H - Shearwater
Comments
Thanks for the post and for raising awareness on GDPR. You're mostly spot on, but there are a few things that would benefit from additional information.
The Cookie banners are actually based on the Privacy and Electronic Communications (EC Directive) Regulations 2003, which will be replaced with the new e-privacy directive. The e-privacy directive is supposedly coming into force at the same time as GDPR but that's not certain yet (afaik).
Regulatory penalties under GDPR depend on the type of violation and are split into 2 levels. The first is 2% of global annual turnover of the company (not just the subsidiary) or 10m Euros (not Pounds, although at this rate it's soon on par anyway). The second level is the much quoted 4% or 20m Euros; this would come into play where the infringements are under GDPR Article 83.5.
Breach notifications are split into two 'recipients': the Data Protection Authority and the data subjects. Notification requirements and time windows depend on the type of infringement. If there is no risk to data subjects, they generally don't need to be notified. The 72 hours is for DPO notifications.
You're correct that consent must be informed, specific and given freely, but it is worth noting that consent is not the only (legitimate interest, etc) or even the most desirable option to justify processing of personal data.
Data portability and the right to erasure are not given in all cases; it depends on the reason for processing. For example, the data portability right only applies when you are processing personal data based on consent or in order to perform a contract.
The Data Protection Officer requirement depends on several factors, but in a nutshell, not every company needs one (e.g. depending on processing activities, jurisdiction).
Anonymous
Mar 6th 2018
Thanks for expanding the summary :-)
M
Anonymous
Mar 6th 2018