One year on from the commencement of the General Data Protection Regulation in the European Union, Australian legal counsel can learn much from the experience of overseas businesses, argues a national law firm partner.
Speaking last week on The Corporate Counsel Show, Holman Webb partner Tal Williams said the GDPR legislation is “pretty similar” to Australia’s existing privacy laws, which — save for some differences and extensions — means that in-house counsel in Australia have been well placed, relative to other jurisdictions, to navigate the new regulations for their respective businesses.
“We certainly have advised a lot of clients if they are, if they need to be GDPR-compliant. When it comes to policies, practices and procedures, I think Australia has done very well in already having in place that baseline underlying compliance component that is required,” he said.
“Some of the recent cases that we might have a chat to you about later on do highlight some of those issues, and although it may not be specific in the Australian legislation, certainly if you look at the guidelines the Privacy Commissioner has issued, there are issues that are very relevant here, even if not a direct and immediate obligation under our legislation. But we’re very well placed, very well placed, indeed.”
The past 12 months have seen approximately 200,000 complaints lodged with the various regulators across Europe, Mr Williams said.
“One of the more recent cases — and I suppose this is telling for Australia, because this is an obligation of ours — [showed that] you only keep data for as long as it’s necessary to keep that data. The Lithuanian regulator has issued a 61,000 euro fine for somebody who, amongst other things, kept data for 216 days that should have been kept for only 10 minutes,” he said.
“So, if you’re a legal counsel in Australia, it’s beholden upon you, both for Australian laws and GDPR compliance, to say, ‘Why is it we’ve got this data? Why do we still have information from our customers who haven’t been a customer for the last five years?’
“Asking those questions as legal counsel in Australia, I think, is very, very important. And having your business assess that is very, very important. Because although it’s not a formal obligation (there’s no set time period in Australia), it is still necessary for you to defend why it is that that data is being held. Because the longer it’s held, the more exposed it is, and if there is a breach then information that you shouldn’t have had will be disclosed and that will be a problem.”
Another lesson, Mr Williams noted, is that the last year has highlighted how important it is to have systems in place that ensure data is satisfactorily protected.
“You need to have a system in place whereby you design how your information is presented, you are aware how long it is kept for, you do things positively so that you can tick the boxes so that if there is a breach, you’re able to say, ‘Yep, we considered that. This is why we kept the information for that long, we considered that. That’s why we kept this particular software in place, in order to defeat infiltration by software. This is why, this is why, this is why’.
“And that will go a long way to protect you against the severity of the fines that can be issued. You might still be in breach because something has happened that enabled the data to get out there. But whether or not you’re prosecuted, or if you are, what sort of fine will apply, is very much going to be affected by the direct and positive steps that you took.”