Many Australian organisations are realising that they have to become compliant with the new EU General Data Protection Regulation (GDPR), either because they fall within its scope and are wary of the substantial penalties, because their clients are requiring it, or because they’ve realised it’s good for business. GDPR compliance can be very challenging, particularly for small to medium businesses with limited internal resources and budgets.
Ringrose Siganto has worked with many Australian businesses developing GDPR compliance roadmaps and helping them establish the main elements of a compliant privacy program. This Guidance Note outlines our top 5 practical tips to ease the way for Australian organisations looking to become GDPR compliant.
Top 5 Tips for GDPR Compliance:
- Make sure key staff understand what it’s about and what they need to do.
- Know your data: identify what information you’ve got and decide if it’s personal data (PD).
- Develop a data flow map for each group of PD, recording where it is and who has access to it.
- Delete any personal data that is out of date or which you don’t need.
- Use a checklist to manage your suppliers and sub-processors (identified as part of Tip 3).
Tip 1: Stakeholder awareness session
We’ve found the most effective way to kick off a GDPR compliance program is to spend a couple of hours with the key stakeholders talking about the privacy principles, what privacy regulation covers and some of the specific GDPR provisions. Your heads of sales, product development, marketing, customer support, finance and legal already have full-time jobs and usually don’t have more than a couple of hours to come up to speed with the intent and direction of the GDPR.
An introductory session helps key stakeholders form a consistent view about key issues and identify any major issues and areas for focus. It can also be used as the basis for an organisational Privacy Risk Assessment (an important piece of any GDPR compliance program) and tick the awareness training box at least for key stakeholders.
Tip 2: Know your personal data
One of the most important, and often the most difficult question for organisations to answer is: What personal data are we collecting and/or processing? Is a telephone number and IP address personal data? What about location data? Unique device identifiers? Browsing data?
The GDPR provides more direction than the Australian privacy laws and expressly lists online identifiers, for example, as personal data. However, under both regimes whether something is ‘personal data’ is often ultimately contextual and will differ between different types of organisation. Setting up some criteria for determining what your organisation is going to treat as personal data is an important threshold step for any GDPR compliance program.
Once you’ve decided what you’re going to treat as PD, try and categorise the main groups of personal data your organisation deals with. These groups might include, for example, customer information retained in your CRM system, contact information used by the support team and marketing data shared with marketing support providers.
Other matters worth considering at this stage are de-identification and pseudonymisation. The two are not interchangeable under the GDPR: pseudonymised data (direct identifiers replaced by a token, with the key or mapping held separately) can still be attributed to an individual by whoever holds that additional information, so it remains personal data, whereas properly de-identified (anonymous) data falls outside the GDPR altogether. If you are using either technique, be clear about what you regard as sufficient for each, and document it.
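To make the distinction concrete, here is an added example (not from the original guidance note) that pseudonymises a constructed set of customer records with a keyed hash and, separately, de-identifies them by dropping direct identifiers and generalising the remaining quasi-identifiers. The records, field names and key are all made up for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (fictitious people) for the example.
CUSTOMERS = [
    {"customer_id": "C-1001", "email": "ann@example.com", "postcode": "4000", "birth_year": 1984, "plan": "pro"},
    {"customer_id": "C-1002", "email": "bob@example.com", "postcode": "4006", "birth_year": 1986, "plan": "free"},
    {"customer_id": "C-1003", "email": "cat@example.com", "postcode": "4000", "birth_year": 1991, "plan": "pro"},
    {"customer_id": "C-1004", "email": "dan@example.com", "postcode": "4005", "birth_year": 1993, "plan": "free"},
    {"customer_id": "C-1005", "email": "eve@example.com", "postcode": "3000", "birth_year": 1979, "plan": "pro"},
]

# Fields that identify a person on their own.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed token (HMAC-SHA256 over the email).

    The token is deterministic for a given key, so rows stay linkable across
    data sets, and the returned mapping (or the key) lets the holder re-identify
    every row. That is exactly why pseudonymised data is still personal data:
    store the key/mapping separately from the data and treat the output as PD.
    """
    rows, mapping = [], {}
    for r in records:
        token = hmac.new(key, r["email"].encode(), hashlib.sha256).hexdigest()[:16]
        mapping[token] = r["email"]
        row = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        rows.append(row)
    return rows, mapping


def reidentify(pseudo_rows, mapping):
    """Anyone holding the mapping can put the email back: the data was never anonymous."""
    return [dict(r, email=mapping[r["subject_token"]]) for r in pseudo_rows]


def deidentify(records, k=2):
    """Drop direct identifiers, generalise quasi-identifiers, suppress rare groups.

    Postcode is cut to its first three digits and birth year to a decade; any
    (postcode_area, birth_decade) group with fewer than k rows is removed, so
    no row is unique on those attributes. Whether the result is genuinely
    anonymous still needs a re-identification risk assessment for your data.
    """
    rows = [
        {
            "postcode_area": r["postcode"][:3],
            "birth_decade": f"{r['birth_year'] // 10 * 10}s",
            "plan": r["plan"],
        }
        for r in records
    ]
    counts = Counter((r["postcode_area"], r["birth_decade"]) for r in rows)
    return [r for r in rows if counts[(r["postcode_area"], r["birth_decade"])] >= k]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated once, stored apart from the data
    pseudo, mapping = pseudonymise(CUSTOMERS, key)
    print("pseudonymised:", pseudo)
    print("re-identified:", reidentify(pseudo, mapping))
    print("de-identified (k=2):", deidentify(CUSTOMERS))
```

In the pseudonymised output every row still carries a token that the key holder can turn back into an email address; in the de-identified output the single record from postcode area 300 / 1970s is suppressed because it would be unique, and nothing remains that links a row to a person.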
Tip 3: Know where your personal data is and who has access to it
The GDPR requires certain controllers and processors to maintain records of their processing activities. Regardless of whether those obligations apply to you, it is a good idea to record somewhere how you collect and process personal data. Knowing what you have and what you do with it, and having that written down, are foundational components of any privacy management program.
We use the following questions to help develop a data flow map. For each data set that you collect (see Tip 2), ask the following:
- Who is collecting personal data (you, a partner, direct or indirect)?
- How is the personal data collected?
- What is the purpose of the collection?
- Who is accountable for the personal data (every processing activity should have an owner)?
- Where is the personal data stored?
- Who has access to the personal data?
- Is the personal data disclosed to or shared with anyone e.g. third parties or data processors?
- Does the system share data with other systems?
Tip 4: Delete, delete, delete
Before working out what to do with all the PD you collect and process, work out what you can get rid of. Establishing retention, archiving and deletion guidelines for all your organisational data is a good idea for many reasons beyond being part of your privacy compliance obligations: it saves storage costs and reduces the impact of a data breach.
The guidelines will cover things like emails, which are usually chock full of personal information but often get overlooked, and business records.
For the information you keep, you should have specified deletion points for every PD data set and ways of enforcing them (e.g. strict limits on email storage, central filing of documents, regular review of customer information). It’s a pain and staff don’t like doing it (we’ve all got hoarders who hate to delete anything), but take the hit now as part of your privacy program. Trust us, it really works!
Remember, you have an obligation to make sure that the personal information you retain is accurate. So, don’t keep it if you can’t ensure it’s up-to-date.
Tip 5: Manage your suppliers/sub-processors
It can be really tricky and time-consuming checking that you have appropriate contractual terms in place with all your suppliers/sub-processors plus, where they are located outside of the EU, whether you can transfer PD to them. This is where the data flow map you prepared earlier becomes really useful. The map should help you identify all the third parties you might need to check out, plus the types of PD you are sharing with them. This in turn helps you establish a plan to manage them all, prioritised based on the amount or sensitivity of data you share with them or the risk in the processing they conduct on your behalf.
Once you’ve got a plan, you can tick them off as you confirm that you’ve checked the contractual terms and made sure that there is a legitimate basis for transferring PD to them. If you’re a processor, your clients are going to be very interested in the sub-processors you use, and you need to be able to reassure them that you’ve properly checked them out.
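Tips 3, 4 and 5 fit together naturally as one machine-readable processing register. The following is an added example (not part of the original note) of such a register in Python, with two checks run over it: a supplier review queue prioritised by sensitivity, volume and known gaps (no signed processing agreement, or a transfer outside the EEA with no documented basis), and a retention sweep that lists records past their deletion point. The data sets, suppliers, countries, retention periods and the sample records are all constructed for the example; the EEA list should be confirmed against the current membership before use.

```python
from datetime import date, timedelta

# EU member states plus Iceland, Liechtenstein and Norway (confirm against the current list).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
    "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
    "IS", "LI", "NO",
}

# Constructed processing register: one entry per PD data set, fields following Tip 3's questions.
REGISTER = [
    {"data_set": "CRM customer records", "owner": "Head of Sales", "purpose": "account management",
     "collected_via": "signup form", "stored_in": "crm.example.internal", "access": ["sales", "support"],
     "sensitivity": 2, "volume": 50_000, "retention_days": 365 * 7,
     "processors": [{"name": "CloudCRM Pty", "country": "AU", "transfer_basis": "SCCs", "dpa_signed": True}]},
    {"data_set": "Marketing leads", "owner": "Head of Marketing", "purpose": "campaigns",
     "collected_via": "web forms and events", "stored_in": "mailblast (SaaS)", "access": ["marketing"],
     "sensitivity": 1, "volume": 200_000, "retention_days": 365 * 2,
     "processors": [{"name": "MailBlast Inc", "country": "US", "transfer_basis": None, "dpa_signed": False}]},
    {"data_set": "Support tickets", "owner": "Head of Support", "purpose": "customer support",
     "collected_via": "email and web portal", "stored_in": "helpdesk (SaaS)", "access": ["support"],
     "sensitivity": 2, "volume": 20_000, "retention_days": 365 * 2,
     "processors": [{"name": "HelpDesk GmbH", "country": "DE", "transfer_basis": None, "dpa_signed": True}]},
]

# Constructed record index: the retention clock is assumed to start from 'retention_starts'
# (for example the end of the customer relationship), not from the date of collection.
RECORDS = [
    {"record_id": "crm-1", "data_set": "CRM customer records", "retention_starts": date(2015, 1, 1)},
    {"record_id": "lead-7", "data_set": "Marketing leads", "retention_starts": date(2016, 1, 1)},
    {"record_id": "tkt-3", "data_set": "Support tickets", "retention_starts": date(2017, 9, 1)},
]


def supplier_review_queue(register):
    """Return one entry per (data set, processor), highest risk first.

    Score = sensitivity x number of data subjects, doubled when a known gap exists,
    so the suppliers you should check first come to the top of the list.
    """
    queue = []
    for ds in register:
        for p in ds["processors"]:
            issues = []
            if not p["dpa_signed"]:
                issues.append("no data processing agreement on file")
            if p["country"] not in EEA and not p["transfer_basis"]:
                issues.append(f"transfer to {p['country']} has no documented basis")
            score = ds["sensitivity"] * ds["volume"] * (2 if issues else 1)
            queue.append({"score": score, "data_set": ds["data_set"],
                          "processor": p["name"], "issues": issues})
    queue.sort(key=lambda q: q["score"], reverse=True)
    return queue


def records_past_retention(register, records, today):
    """Return the ids of records whose data set's retention period has elapsed."""
    limits = {ds["data_set"]: ds["retention_days"] for ds in register}
    expired = []
    for rec in records:
        cutoff = today - timedelta(days=limits[rec["data_set"]])
        if rec["retention_starts"] < cutoff:
            expired.append(rec["record_id"])
    return expired


if __name__ == "__main__":
    for item in supplier_review_queue(REGISTER):
        print(item)
    print("delete:", records_past_retention(REGISTER, RECORDS, date(2018, 6, 1)))
```

Run as is, the queue puts MailBlast Inc first (large volume, no agreement, undocumented transfer to the US) and the retention sweep flags only the 2016 marketing lead. Feeding the real output of this sweep to an actual deletion job is where the "ways of enforcing" deletion points in Tip 4 come from.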
There are lots of other things to think about but, based on our experience, following these top 5 practical tips will get your GDPR compliance program off to a great start.
How can we help?
Join our webinar:
What the new EU Data Protection Regulation means for Australia
- Initial review and assessment of EU GDPR implications for your business
- Development of a roadmap for compliance
- Establishing Data Processing Agreements as required
- Provision of outsourced Data Protection Officer Services
- and more
About the Authors
Dr Jodie Siganto PhD LLM CISSP CIPM
Dr Siganto graduated as a lawyer from the University of Queensland and after 8 years in private practice became in-house counsel for Tandem Computers, followed by roles with Unisys Asia and Dell based in Singapore. She returned to Australia in 2000, founding Bridge Point Communications (specialists in data networking and security) with two other colleagues. Since then, she has specialised in providing information security and privacy consulting and training. Dr Siganto completed her PhD on privacy and information security practice in 2014.
Edward Ringrose BA LLB MPA CIPM
Ted Ringrose has provided legal and regulatory advice to IT, media and telecommunications companies and national governments and their agencies in Europe, Asia and Australia. He has assisted his clients to expand their businesses, restructure their operations and conclude transactions with their suppliers, customers, peers and competitors. He has advised multi-national corporations of their regulatory and legal obligations, including privacy compliance, across markets in Asia and Australia.
Ted read history and law at the University of Queensland and holds a Master of Public Affairs from the University of Sydney. He has held senior positions in broadcasting and telecommunications companies and in law firms in Europe, Asia and Australia. After many years working in the cable communications industry in London for subsidiaries of Bell Canada International, he became broadcasting and telecommunication law consultant to the Government of the Hong Kong SAR. He has been General Counsel Asia Pacific for MCI WorldCom (now Verizon), which counted OzEmail as a subsidiary, and was a partner of Ashurst Morris Crisp (now Ashurst) in Singapore and of Squire Sanders in Hong Kong. Most recently Ted was a senior lawyer at Optus working on its most significant projects.