UK Data Protection Bill vs. EU GDPR

For organisations operating in Australia, we know or should know that organisations have to follow the Australian Privacy Act 1988 and the Australian Privacy Principles contained within. But what compliance regime should Australian organisations follow if they have to process or store the personal data of European Union (EU) or United Kingdom (UK) citizens?

The EU’s General Data Protection Regulation (GDPR) has long been established as a set of rules that protect information privacy, even outside of the EU. The UK’s version of GDPR, the Data Protection Act 2018, was implemented when the UK left the EU and was no longer bound by EU law. A new bill, the ‘Data Protection and Digital Information Bill’ (DPDI Bill), has been introduced to Parliament. It seeks to update and simplify the UK’s data protection framework in order to reduce burdens on organisations while maintaining data protection standards. First, we need to understand some of the similarities and differences between GDPR and the DPDI Bill.

GDPR applies to all EU member states and organisations processing EU citizens’ data, regardless of their location. It has an extraterritorial reach, meaning that even non-EU organisations handling EU citizens’ data fall under its purview. The DPDI Bill primarily applies to the UK, but also extends to international data transfers involving UK citizens’ data. This extension ensures that organisations outside the UK must comply when dealing with UK data.

GDPR sets the age of consent for data processing at 16 years, with member states having the option to lower it to 13 years. This means that children aged 13 or older can provide consent for their data to be processed. The DPDI Bill maintains the age of consent at 13 years for online services. This consistency aligns with the previous UK data protection regime and aims to strike a balance between protecting children and allowing online services to function effectively.

GDPR mandates that certain organisations appoint a Data Protection Officer (DPO) if they engage in large-scale processing of personal data or process sensitive categories of data. The DPDI Bill removes the mandatory DPO requirement. However, it encourages organisations to voluntarily appoint a DPO to oversee data protection practices. This flexibility allows smaller organisations to focus on risk-based approaches without the burden of compulsory DPO appointments.

GDPR provides extensive rights to data subjects, including the right to access their data, rectify inaccuracies, erase data (the “right to be forgotten”), and data portability. The DPDI Bill retains similar rights but introduces some variations. For instance, it includes the right to object to automated decision-making and profiling. Additionally, the bill allows exemptions for certain rights in specific contexts, such as national security or crime prevention.

GDPR imposes fines up to €20 million or 4% of global annual turnover, whichever is higher. The severity of fines depends on the nature of the violation. The DPDI Bill proposes fines up to £17.5 million or 10% of global annual turnover, with a tiered approach. The Bill aims to strike a balance between effective enforcement and proportionality.

Despite the differences, the UK DPDI Bill closely aligns with the EU GDPR in many aspects. Both frameworks share an identical format and structure, emphasising transparency, accountability, and individual rights. Both emphasise fundamental data protection principles, including lawfulness, fairness, transparency, purpose limitation, and data minimisation. Both require organisations to conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities. Finally, they both emphasise the need for informed and explicit consent from data subjects.

Australian organisations that process data from either the UK or the EU need to understand the nuances between the DPDI Bill and the GDPR. Some of the things that organisations can do are:

  • Regularly review and update privacy policies to align with both the UK GDPR and the EU GDPR.
  • Ensure that consent mechanisms meet the requirements of both frameworks.
  • Be transparent about data processing activities and provide clear options for data subjects.
  • Establish processes to handle data subject requests promptly.

In addition, both frameworks grant individuals rights such as access, rectification, and erasure. Australian organisations would benefit from taking these actions:

  • Be prepared to address requests related to automated decision-making, including profiling.
  • Adopt a risk-based approach to data protection.
  • Prioritise efforts based on the sensitivity of data and potential risks.
  • Be sure to conduct Data Protection Impact Assessments for high-risk processing activities.
  • Evaluate the impact on individuals’ privacy and implement necessary mitigations.

Finally, the DPDI Bill removes the mandatory Data Protection Officer (DPO) requirement present in the EU GDPR. Consider voluntarily appointing a DPO; having a designated privacy expert can enhance compliance efforts.

The UK DPDI Bill builds upon the EU GDPR, maintaining high standards while adapting to the UK’s specific context, and aims to simplify the prescriptive nature of GDPR. The UK GDPR could be viewed as a simplified, although not necessarily weaker, version of the EU GDPR. Concerns have, however, been raised about the DPDI Bill’s provisions for retention of data by UK law enforcement and intelligence agencies. Under the new bill these agencies will be able to retain personal data indefinitely. This discrepancy with the EU GDPR means that cooperation with EU law enforcement may be in jeopardy. Some of the other differences could lead to the violation of agreements with the EU post-Brexit.

Given the momentum GDPR has in many organisations and the overlap between it and the UK GDPR, following the EU GDPR would seem to be the easiest path. Organisations operating across borders must navigate these regulations carefully to protect individuals’ privacy and avoid penalties. Seek legal advice or engage privacy professionals who specialise in the chosen frameworks. Understanding the specific requirements and divergences, or having someone on your side who understands them, is crucial for compliance.

Discover how Sekuro streamlines compliance with regulatory requirements and industry standards, empowering you to navigate the complexities with ease. Explore our integrated enterprise-level Governance, Risk, and Compliance (GRC) solutions. Reduce risk, enhance corporate governance, and stay compliant with Sekuro.

Ivan Wolff

Senior Consultant, Governance, Risk and Compliance (GRC), Sekuro