New European Data Laws Extend to Australian Business
In this digital age, protecting personal information has become a key priority, especially for
Australian business and the health sector, including medical and dental practices.
In February, Australia rolled out its own new personal data laws with the introduction of
compulsory data breach notification regulations. Within the first six weeks, the Australian
Information Commissioner received 63 reportable data breaches from business and the health
sector.
Now some Australian businesses face even tougher measures with the introduction last Friday (May
25) of one of the most sweeping regulatory changes relating to data protection ever introduced.
Penalties up to $A31m
Called the General Data Protection Regulation (GDPR), it requires businesses and other
organisations to have appropriate IT security measures in place to mitigate risk, and to notify the
relevant supervisory authority (and, where the risk to individuals is high, the affected individuals
themselves) of data breaches involving the personal data of people in the EU. Failure to comply
could mean fines of up to 20 million euro (A$30,960,000) or up to 4% of an organisation’s worldwide
annual turnover, whichever is higher.
Importantly, the GDPR applies to any organisation that offers goods or services to, or monitors the
behaviour of, individuals in the EU, wherever that organisation is based. It will therefore impact
Australian businesses not previously caught by EU data protection law.
As many Australian businesses, especially those online, collect personal data of individuals located in
EU countries, it is likely that their activities will fall under the GDPR. For example, a business will
need to comply with the GDPR if it:
• Ships products to individuals in the EU
• Sells a health gadget that can monitor the behaviour of an individual in the EU; or
• Deals with the personal information of an individual in the EU. For example, an Australian
citizen located in the EU obtains legal advice from an Australian lawyer, or tax information
from an accountant in Australia.
Any business that processes personal data will need to comply with certain principles. Under GDPR,
‘personal data’ means any information relating to an identified or identifiable individual.
IT Security Required
If a data breach is reported, the supervisory authority can investigate whether the business or
organisation’s security measures were appropriate, taking into account the “state of the art” in IT
security as the GDPR requires.
Any breached business will need to demonstrate that it had appropriate IT and data security
controls in place and proactively worked to mitigate risk.
The GDPR specifies additional protections for personal data which fall within a ‘special category’,
similar to sensitive information under Australia’s Privacy Act. This includes personal data relating to
an individual’s racial or ethnic origin, sexual orientation, political opinions, religious beliefs or health.
Australia’s, and now Europe’s, new data breach laws mean businesses must look beyond traditional
security solutions to data protection and recovery.
Expert Support
THINK Technology Australia has recently assisted businesses of a range of sizes to undertake the
necessary steps to conform to Australia’s new mandatory data breach law. We have assisted our
business clients to:
• Audit their current information security processes and procedures to ensure they are
adequate; and
• Prepare a data breach response plan, or update their current plan, to respond quickly,
efficiently and lawfully to an actual, or suspected data breach.
An audit is required to determine what data your company intentionally or inadvertently collects on
clients and customers. Your business could be collecting unnecessary data, which increases your
breach risk for no benefit and is easily avoided.
After refining your data collection, we advise businesses to make certain they are using effective
security software to encrypt, secure and back up the personally identifiable information they do
retain.
If you want to know more, speak to one of our team today on 1300 920 866.