Australian Cyber Security Magazine, ISSUE 3, 2017

Page 52

Cyber Security

General data protection regulation and its relevance in Australia

By Samantha Humphries

Join me on a brief trip back in time, to October of 2016. A co-worker stops by my desk with a question… “Sam, what do you know about GDPR? I’ve got a customer asking about it.” Well, not a great deal at the time. Sure, I’d heard of it; I’m based in Europe, so it had started to crop up in various news articles, but if deciphering the acronym had come up in a pub quiz, I wouldn’t have been 100% sure I’d have known what the four letters stood for.

GDPR, or indeed the General Data Protection Regulation (there’s your trivia point!), is a piece of European Union (EU) legislation that was adopted back in April 2016, giving organisations just over two years to get their compliance ducks in a row. You’d be forgiven for thinking, as I’ve just mentioned the EU, that this article doesn’t apply to you in Australia. Well, stick with me for a few more sentences please, because you could be wrong, and it could be a very costly mistake.

GDPR protects the “rights and freedoms of EU citizens” – more specifically, it exists to ensure organisations treat their personal data properly. The data is the key point here – it doesn’t matter where the data is held, where your organisation has its head office, or even whether you’ve done any business that involves money changing hands. If you process the personal data of EU citizens, whether they are customers, prospects, employees, or anything else, then you’re on the hook for GDPR compliance.

Personal data is anything that can directly or indirectly identify a living person. This goes beyond some of the more obvious data types such as names, online identifiers, and ID numbers; IP addresses in some cases, location data, health information, biometric data, trade union membership information, political opinions, sexual orientation, genetic data, and more all count as personal data.

Under GDPR, there are six principles of personal data processing that you must follow. Personal data shall be:

1) Processed lawfully, fairly and in a transparent manner.
2) Collected for specified, explicit, and legitimate purposes.
3) Adequate, relevant and limited to what is necessary.
4) Accurate, and where necessary, kept up to date.
5) Retained only for as long as is necessary.
6) Processed in a manner that maintains appropriate security.

This essentially means that the days of collecting and processing data because it might come in useful at some
