The EU’s General Data Protection Regulation (GDPR) is just about to come into effect in Europe, and Australian politicians have been paying attention.
Last week, the Senate passed a motion calling on the government to “consider the impact of Australia’s insufficient and out-dated privacy laws on all Australians, including children and young people”.
Putting the motion forward, Green Senator Jordon Steele-John said: “Under current Australian law, young Australians might never be able to exercise their right to privacy”.
The Senate agreed GDPR should be regarded as the global best practice for standards in data privacy law and Australia should use it as a model for its own laws.
But, while GDPR is designed to protect citizens and give them more control of their own data, for businesses — including startups — it has required hefty process overhauls.
If the Australian government implemented a carbon copy of the EU’s GDPR, it would make sweeping changes to the ways any organisation can collect, hold or process personal information.
Under the regulation, citizens’ data cannot be held outside of the EU, and businesses have to get consent from each individual to use their data, as well as explain exactly what it is being used for.
Individuals also have a right to access their data, obtain it themselves and use it for their own purposes, and businesses must be able to provide that in a workable format.
Individuals also have the right to be forgotten and can demand that their data be deleted at any point.
The European regulation is focused on ‘data protection by design’, meaning companies have to build privacy safeguards into their systems right from the start.
It also mandates proof of compliance, meaning that, even if a company complies with the rules already, it may still need an overhaul in order to be able to prove that to any regulator that comes calling.
Depending on the type of data an organisation is working with, the EU GDPR also requires a chief data officer to be in place.
All of this would place cost pressure on startups. And — if Australia follows the letter of the EU law — failure to make the changes could result in fines equal to 4% of an organisation’s annual turnover.
Finally, a GDPR-like system has the potential to change the playing field for startups when it comes to securing investment.
According to Scottish law firm Brodies, any GDPR compliance issues will be a red light for investors, and European startups have to be ready for increased scrutiny from their backers.
The investors themselves will also likely be assessing whether the rules affect the viability of a business model. For example, gathering data with a view to selling it later may no longer be a viable proposition.
Senator Steele-John’s proposition is not with the federal government yet. But GDPR is a tricky beast, and if it’s headed this way, Aussie startups should be prepared.