The Australian Government is constantly revising and strengthening data privacy regulations in order to ensure consumers have rights to the way their personal data is used by businesses. This is especially important given the rising threat of cyber attacks and security breaches in our society. Nevertheless, data privacy laws impact businesses that rely on the processing of personal information as part of their day-to-day operations. In order to comply with such laws, organisations need to implement privacy policies and foster the right culture for securely managing information.
Businesses that operate in Australia need to comply with the Australian Privacy Principles (APPs), a cornerstone of the Privacy Act 1988 (Privacy Act). Additionally, businesses that trade outside of Australia also need to be aware of the European Union (EU) General Data Protection Regulation (GDPR). The GDPR is far more comprehensive in assigning rights to consumers and is influencing the development of data privacy regulations worldwide.
In response to developments in data privacy regulations in Australia and overseas, the General Data Protection Agency (trustgdpa.com), has developed a comprehensive platform to help businesses achieve and maintain compliance.
GDPA’s platform provides a range of resources for privacy and security policy development, reporting and training, delivered via the cloud, i.e. “Data Privacy Compliance as a Service”. Pricing is via subscription, suitable for businesses large and small. It can be a cost effective alternative to employing full time data privacy subject matter experts.
Australian Privacy Principles
The Privacy Act defines 13 APPs governing standards, rights and obligations around:
- – the collection, use and disclosure of personal information
- – an organisation’s governance and accountability
- – integrity and correction of personal information
- – the rights of individuals to access their personal information
The APPs bring Australian data protection regulations a step closer to the European Union’s (EU) General Data Protection Regulation (GDPR). The GDPR is far more comprehensive in defining consumer data rights and the obligations on businesses. The regulation was established in May 2018.
European Union’s General Data Protection Regulation
Businesses that trade in the EU (referred to as Data Controllers under the GDPR) must:
- – disclose any data collection,
- – declare the lawful basis and purpose for data processing,
- – state how long data is being retained and
- – state if it is being shared with any third parties inside or outside of the European Economic Area (EEA).
Organisations that process personal data are also required to employ a Data Protection Officer, further adding to administration costs.
Consumers (referred to as Data Subjects under the GDPR) have the right to request a copy of the data collected by a Data Controller and the right to have their data erased under certain circumstances.
Businesses must report data breaches to authorities within 72 hours if they have an adverse effect on user privacy. Penalties resulting from violations of the GDPR can be quite high. These can be in the order of €20 million in some cases.
The GDPR has become a model for many national laws outside EU. For example, the California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with the GDPR.
Data Privacy Legislation Impacts on Australian Businesses
To comply with the APPs, business should, as a minimum:
- – Train staff on consumer data privacy protection
- (Note that data breaches resulting from human error accounted for 34% of breaches reported in the first half of 2020 according to the OAIC Notifiable Data Breaches Report, January-June 2020)
- – Be available, on request, to prove compliance to Australian authorities
- – Adhere to data security standards and privacy guidelines
- – Continually review privacy and security policies and business processes to ensure ongoing compliance
In summary, Australian businesses will need to be aware of how consumer data privacy regulations will impact them. Each business will need to consider the scale of consumer data collection, processing and storage and the addressable market (i.e. local or global).
GDPA’s Data Privacy Compliance Solution
About GL ICT Consulting
Further information on data privacy regulations can be found at the Office of the Australian Information Commissioner (OAIC) site. Some references are provided below:
Attorney General’s Department
The Australian Government’s review of the Privacy Act 1988, which closed at the end of 2020, can be found at the following link:
Department of Home Affairs
The Australian Government recently announced consultation for strengthening the cyber security of Australia’s digital economy, which complements the review of the Privacy Act 1988, can be found at the following link: