Today, May 25, the European Union (EU) will begin enforcing the much-anticipated General Data Protection Regulation (GDPR), which places strict requirements on organisations that handle the personal data of EU residents and extends new rights to EU residents over their data.
Since the regulation was adopted in April 2016, organisations around the world have had a two-year transition period to make their businesses GDPR-compliant, but according to recent research, most organisations outside the EU are nowhere near ready.
A February report from global professional services firm EY revealed that a mere 18 per cent of Australian firms have a plan in place to comply with the new legislation.
Still, that is slightly better than the 13 per cent of firms in the Americas and 12 per cent of firms in Asia-Pacific that said the same. In comparison, 60 per cent of European firms said they have a plan in place to comply with the new legislation.
The implications of this lack of preparedness are significant, since non-compliant firms face penalties of up to 4 per cent of their worldwide turnover, or €20 million ($31.7 million), whichever is higher.
Deakin University lecturer in the faculty of business and law, Claudio Bozzi, believes this sense of complacency among Australian organisations is due to the fact that many companies falsely believe they are not affected by the GDPR.
“It’s probably surprising how many retailers will be impacted, and the compliance effort is going to be more burdensome than they might realise,” Bozzi tells IRW.
“It’s not just a question of changing consent forms online or posting new privacy or cookie policies. Those changes are merely formal,” he says.
A single set of rules
The GDPR replaces what was once a patchwork of different data protection and privacy laws across the EU with a single set of rules that applies to every member state. It requires any organisation that offers goods or services to consumers in the EU or monitors their behaviour to comply with these rules, no matter where the organisation is located.
Even though most Australian retailers do not have bricks-and-mortar stores in the EU, many retailers do have a presence in the EU online, and many have some EU-based followers on social media, who they may be retargeting with digital advertising.
Starting May 25, such retailers – dubbed ‘data controllers’ by the GDPR – must obtain consent before collecting any personal data from EU residents, and they will no longer be allowed to use long, illegible terms and conditions agreements to do so. Under the new rules, consent must be given in an easily accessible form, in clear and plain language and with the purpose for data collection attached to that consent.
Retailers will also be required to encrypt or tokenise personal data of EU residents that is stored, so it cannot be attributed to a specific individual. And they must inform the supervisory authority within 72 hours after becoming aware of a data breach.
If retailers pass on personal data of EU residents to customer service platforms, cloud software providers or other third-party vendors – ‘data processors’ in the language of the GDPR – those firms will need to comply with the new rules too.
The GDPR also grants EU residents certain ‘rights’ to their data, including a right of access, meaning data controllers must, upon request, provide an overview of the categories and purposes of the data being processed, how they acquired the data and who they shared the data with, as well as a copy of the actual data.
The regulation also gives EU residents the right to have their personal data erased on any one of a number of grounds, and the right to have their data transferred from one system to another without interference from the data controller.
All of this will take a great deal of cooperation between data controllers (retailers) and processors (technology partners) and a level of technological sophistication that many Australian retailers, especially smaller businesses, have not previously needed, according to Bozzi.
“You have to think about the implications of these rights. There might be links to affected data or copies of affected data, back-ups, that are dispersed throughout multiple folders. If you’re trying to be very streamlined and contain customer data in a way that makes it portable and delete-able, you’re going to have to retool entire systems,” he says.
Redbubble leads the way
Melbourne-based online art marketplace Redbubble is among the estimated 33 per cent of Australian organisations that may be subject to the GDPR on Friday, according to EY partner in digital law Alec Christie.
Redbubble’s in-house lawyer, Paul Gordon, who is leading the compliance initiative, says he has spent a significant amount of time working with every functional team across the business to become GDPR-ready over the past 12 months.
“Our in-house team has also worked extensively with Redbubble’s EU external legal advisers through this compliance initiative,” Gordon tells IRW.
One of the most basic changes Redbubble has made relates to the level of detail it provides about the collection and use of customer data on each of its local language sites.
But the e-commerce company has also worked with its technology partners, many of which are based in the US, to ensure it meets the new requirements around the transfer of customer data outside the EU, including verifying ‘Privacy Shield’ certification for relevant suppliers.
While only a portion of Redbubble’s customers fall within the jurisdiction of the GDPR, the company has chosen to apply the principles of the legislation across the entire business.
“Like many other businesses we see the GDPR as the new global standard in privacy regulation,” Gordon says.
Indeed, Bozzi believes it is only a matter of time before Australia and other countries outside the EU adopt GDPR-level policies, if only to simplify the reality of cross-border shopping and data sharing.
“Data and data processing are clearly global processes, so there’s a real incentive to harmonise laws around data,” Bozzi says.
“We know the internet is a borderless zone and internet users are becoming increasingly concerned about what’s happening with their data.”