Data Privacy Compliance as a Service: A Solution for Businesses Impacted by Data Privacy Regulations

Global Data Protection Agency

Summary

The Australian Government is constantly revising and strengthening data privacy regulations in order to ensure consumers have rights to the way their personal data is used by businesses. This is especially important given the rising threat of cyber attacks and security breaches in our society. Nevertheless, data privacy laws impact businesses that rely on the processing of personal information as part of their day-to-day operations. In order to comply with such laws, organisations need to implement privacy policies and foster the right culture for securely managing information.

Businesses that operate in Australia need to comply with the Australian Privacy Principles (APPs), a cornerstone of the Privacy Act 1988 (Privacy Act). Additionally, businesses that trade outside of Australia also need to be aware of the European Union (EU) General Data Protection Regulation (GDPR). The GDPR is far more comprehensive in assigning rights to consumers and is influencing the development of data privacy regulations worldwide.

In response to developments in data privacy regulations in Australia and overseas, the General Data Protection Agency (trustgdpa.com) has developed a comprehensive platform to help businesses achieve and maintain compliance.

GDPA’s platform provides a range of resources for privacy and security policy development, reporting and training, delivered via the cloud, i.e. “Data Privacy Compliance as a Service”. Pricing is via subscription, suitable for businesses large and small. It can be a cost-effective alternative to employing full-time data privacy subject matter experts.

Australian Privacy Principles

The Privacy Act defines 13 APPs governing standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation’s governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information

The APPs bring Australian data protection regulations a step closer to the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR is far more comprehensive in defining consumer data rights and the obligations on businesses. The regulation was established in May 2018.

European Union’s General Data Protection Regulation

Businesses that trade in the EU (referred to as Data Controllers under the GDPR) must:

  • disclose any data collection,
  • declare the lawful basis and purpose for data processing,
  • state how long data is being retained and
  • state if it is being shared with any third parties inside or outside of the European Economic Area (EEA).

Organisations that process personal data are also required to employ a Data Protection Officer, further adding to administration costs.

Consumers (referred to as Data Subjects under the GDPR) have the right to request a copy of the data collected by a Data Controller and the right to have their data erased under certain circumstances.

Businesses must report data breaches to authorities within 72 hours if they have an adverse effect on user privacy. Penalties resulting from violations of the GDPR can be quite high. These can be in the order of €20 million in some cases.

The GDPR has become a model for many national laws outside the EU. For example, the California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.

Data Privacy Legislation Impacts on Australian Businesses

To comply with the APPs, businesses should, as a minimum:

  • Train staff on consumer data privacy protection
    • (Note that data breaches resulting from human error accounted for 34% of breaches reported in the first half of 2020 according to the OAIC Notifiable Data Breaches Report, January-June 2020)
  • Be available, on request, to prove compliance to Australian authorities
  • Adhere to data security standards and privacy guidelines
  • Continually review privacy and security policies and business processes to ensure ongoing compliance

In summary, Australian businesses will need to be aware of how consumer data privacy regulations will impact them. Each business will need to consider the scale of consumer data collection, processing and storage and the addressable market (i.e. local or global).

GDPA’s Data Privacy Compliance Solution

The General Data Protection Agency (trustgdpa.com) offers businesses a solution that includes a suite of resources for managing compliance with privacy regulations. An online hosted privacy policy, with registers for helping businesses manage data breaches and respond to requests by individuals concerning their personal information, comes standard with the service. The service dashboard includes a workflow that enables businesses to execute the necessary steps for achieving and maintaining compliance, such as undertaking cyber security audits, developing cyber security policies and scheduling periodic reviews. The GDPA service is available on a yearly subscription basis.

About GL ICT Consulting

GL ICT Consulting is a GDPA partner. For more information about GDPA’s data privacy compliance service offering please email us at info@glict.consulting.

References

OAIC

Further information on data privacy regulations can be found at the Office of the Australian Information Commissioner (OAIC) site. Some references are provided below:

Australian Privacy Act 1988
Australian Privacy Principles
Australian entities and the EU General Data Protection Regulation (GDPR)
Organisations that have responsibilities under the Privacy Act

Attorney General’s Department

The Australian Government’s review of the Privacy Act 1988, which closed at the end of 2020, can be found at the following link:

Review of the Privacy Act 1988

Department of Home Affairs

The Australian Government recently announced a consultation on strengthening the cyber security of Australia’s digital economy, which complements the review of the Privacy Act 1988. It can be found at the following link:

Strengthening Australia’s cyber security regulations and incentives