The GDPR is Coming
For those working in the Migration Profession, if you provide services to residents of the EU and you collect any personal information from those individuals (which can be as simple as an email address), then chances are you are subject to the GDPR. Furthermore, the penalties for failing to comply are significant – hence why you are seeing lots of companies change the way they manage personal data and communicate this via updated policies and terms and conditions. For a good overview of what the GDPR is and how it affects Australian business, we recommend that you review the information published by the Office of the Australian Information Commissioner.
2. What does the GDPR require?
It should be noted that a number of aspects of the GDPR already exist in Australian legislation, but the GDPR in a number of ways goes a lot further. The GDPR has a number of requirements and gives individuals a number of rights when it comes to their personal data. The following is a summary of some of what the GDPR requires (this is by no means an exhaustive list). Some of the main obligations which apply to businesses when it comes to handling personal data include:
- A business must have a lawful basis to handle and process personal data. A lawful basis can include things such as having the person’s consent or a legal requirement. If you don’t have a lawful basis for holding or processing someone’s data then you are obliged to delete it. Note also that a lawful basis doesn’t exist forever; for example, a person’s consent diminishes over time.
- A business must always request clear consent to control or process personal data. The days of long-winded and combined consent tick boxes and automatic opt-ins are over under the GDPR. The GDPR mandates that a person must be able to understand what they are consenting to and that consent must be granular.
- You must only use personal data for a legitimate purpose and use only what is necessary. If the individual hasn’t consented to their information being used in a particular way (for example they haven’t consented to being on your mailing list), then you must not use the data.
- You must only store data for so long as is necessary for achieving the legitimate purpose of holding or using the data.
- You must actively take steps to ensure that personal data is kept secure. A reminder to everyone that some of the main sources of data breaches are staff errors such as sending emails to the wrong person or leaving laptops unlocked in a public place.
- You are required to make disclosures about any data breaches that occur, both to the affected individual and to the relevant authorities, if the individuals’ rights are affected. Under the GDPR there are strict (and very short) time limits on when disclosure must take place.
Under GDPR, individuals are granted a number of rights with regards to their data including:
- The right to be informed. Individuals have the right to be informed about the collection and use of their personal data, including details of what data is stored, how it is stored, how it is transferred etc. This is a key transparency requirement under the GDPR.
- The right of access. Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- The right to rectification. Individuals have the right to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Organisations have one calendar month to respond to a request.
- The right to erasure. Individuals have the right to have personal data erased. This right is also known as “the right to be forgotten.” Individuals can make a request for erasure verbally or in writing. Note that this right is not absolute, only applies in certain circumstances, and is subject to other legal obligations – for example, the data retention requirements of the Migration Agents Code of Conduct may take precedence over this right.
- The right to restrict processing. Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, organisations are permitted to store personal data, but not use it. Note that this right is not absolute, only applies in certain circumstances, and is subject to other legal obligations.
- The right to data portability. Individuals are entitled to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Note that the above is by no means a complete list of what the GDPR requires, and you should undertake your own research and investigation to ascertain the full requirements.
3. What is Migration Manager doing to comply with the GDPR?
The team at Migration Manager has been steadily preparing for the introduction of the GDPR because a lot of our clients have dealings with European residents, including the collection and storage of sensitive personal information. This activity most likely makes those Lawyers and Migration Agents subject to the GDPR as what the GDPR refers to as the ‘Controllers’ of sensitive personal data. If a Controller uses another product or service provider to handle or process data, then that provider is in certain circumstances also subject to aspects of the GDPR as the data ‘Processor’. In the case of Migration Manager, if you use any of our Cloud products, our Portal, our Assessment App or will make use of our soon to be released web questionnaires, then we may be classified as your data Processor, as the data will at some point in time pass through one of our systems (even though the data is fully encrypted both in transit and at rest).
In addition to all of our existing security and privacy measures, to meet our obligations (and to help you meet yours) we are doing the following:
- We have been educating our staff to ensure that they better understand their data protection obligations
- We are updating our online Assessment App and Client Portal to include an express Cookie notice that will be visible to the user (previously the Cookie information was contained in the Terms and Conditions)
- We are updating Migration Manager and the online Assessment app to give you the ability to create and set granular consents and declarations for the user to agree to prior to the submission of an assessment
- We are updating the online Assessment App and the Client Portal’s data privacy and security notice to include more information about how and where the data is processed. We have also added this information to our user manual so that you can see what the end user sees: Portal Data Security, Privacy and Cookies Policy and Webleads/Online Assessment Portal Data Security, Privacy and Cookies Policy
- We are updating the online Assessment App to give the person completing the assessment the ability to delete their data prior to submission, and for those users who don’t ever end up submitting a saved assessment, we are setting a 90-day deadline after which the data will automatically be deleted.
- We are adding a Data Processor notification to the submit section of the Online Assessment App so that users are fully informed of how their data is processed and transferred.
- We are updating Migration Manager to include additional logging of data deletion so that deleted personal data is not inadvertently restored from a backup.
- We are strengthening our security and privacy controls across the board. In addition to industry standard practices around encryption, our teams are also improving our systems for authentication, authorisation, and auditing at a massive scale to better protect data.
Updates to Migration Manager, the Assessment App and the Portal will very shortly be released which contain these changes.
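As an added illustration (not Migration Manager’s code) of the two mechanisms mentioned above, the following shows a 90-day expiry for unsubmitted assessments together with a deletion log that a backup restore consults, so that data erased after a snapshot was taken does not come back when the snapshot is reinstated. The record layout, ids and sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # unsubmitted assessments are deleted after 90 days (from the post)

@dataclass
class Assessment:            # assumed record layout, not Migration Manager's schema
    assessment_id: str
    saved_at: datetime
    submitted: bool
    data: dict

@dataclass
class Store:
    records: dict = field(default_factory=dict)
    deletion_log: dict = field(default_factory=dict)  # id -> (deleted_at, reason)

    def erase(self, assessment_id, now, reason):
        # Remove the record and keep a tombstone; the tombstone outlives the data.
        self.records.pop(assessment_id, None)
        self.deletion_log[assessment_id] = (now, reason)

    def purge_expired(self, now):
        # Delete unsubmitted assessments older than RETENTION and return their ids.
        expired = [a.assessment_id for a in self.records.values()
                   if not a.submitted and now - a.saved_at >= RETENTION]
        for aid in expired:
            self.erase(aid, now, "retention-expired")
        return expired

    def restore_from_backup(self, backup):
        # Reinstate backed-up records, but never an id that has a tombstone.
        restored, skipped = [], []
        for a in backup:
            if a.assessment_id in self.deletion_log:
                skipped.append(a.assessment_id)  # erased after the snapshot: stays erased
                continue
            self.records[a.assessment_id] = a
            restored.append(a.assessment_id)
        return restored, skipped

def run_demo():
    # Constructed sample data: one stale, one fresh and one submitted assessment.
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    old = Assessment("A1", now - timedelta(days=91), False, {"email": "old@example.com"})
    fresh = Assessment("A2", now - timedelta(days=10), False, {"email": "new@example.com"})
    done = Assessment("A3", now - timedelta(days=200), True, {"email": "done@example.com"})
    store = Store({a.assessment_id: a for a in (old, fresh, done)})
    purged = store.purge_expired(now)
    restored, skipped = store.restore_from_backup([old, fresh])  # snapshot predates the purge
    return purged, sorted(store.records), restored, skipped
```

The submitted assessment is untouched by the retention purge, and the stale one stays erased even though it is present in the older backup.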
4. What should you be doing to comply with the GDPR?
If you are thinking that the GDPR won’t affect you, it is worth remembering that a lot of what is stipulated in the GDPR already exists in Australian law, so it’s worthwhile taking the opportunity to review how you might do things better. For those of you keen to ensure that you are GDPR-compliant (which we know is a lot of you from the number of support requests we have been receiving on this issue), we recommend the following:
- Perform your own research and ensure you understand the GDPR as it applies to your business. In particular, review the online services that you make use of and check to see if they are GDPR-compliant (services such as Microsoft, Dropbox etc. all have detailed GDPR information available).
- Be thinking about how you will handle consent when it comes to your handling of data. If you send mailouts, consider carefully whether you still have the person’s consent to include them.
- Think very carefully about your data security practices and make an assessment of where your risks lie and what steps you can take to reduce those risks. If you haven’t already looked at using Migration Manager’s encrypted messaging system and the Portal, we strongly recommend you do so.
- Review our user manual to make sure that you understand how to do things such as editing and deleting files, deleting web leads, generating reports etc so that you can deal with any data handling requests you receive from your client.
Lastly, don’t panic. The aim of the GDPR is to improve the protection of personal data and ensure that it is only used when it is appropriate and lawful to do so. By doing some research, making some changes and implementing the recommended processes, you will not only go a long way to being compliant with the GDPR, but you will also be providing your clients with a better service.