There are a few privacy changes that have occurred and will occur. You may be affected, so I've summarised them here. Please keep in mind I'm not your legal counsel so, as always, check with yours.
Australian NDB (maybe skip this if you don't operate in AU)
Then you have to have the processes and procedures in place to evaluate whether a security incident is a breach of PII, what the impact will be on those whose information is affected, and the steps that have been taken to remediate the issue. To determine whether a security incident is a breach you have to assess three main criteria:
If the answer to the above is yes, then you may have a notifiable breach.
GDPR (probably affects most of us)
GDPR affects organisations both inside and outside of the EU. The main criteria are pretty broad. If you are selling goods or services to EU citizens, then you will have to comply. The difficulty comes into play with the last criterion, which is "monitor the behaviour of, EU data subjects". This basically means if you have a web site that collects information about users of the site, you will likely have to comply. This is one reason why you are seeing those fairly intrusive "we collect cookies, give us permission" banners on more and more websites.
The penalties can be quite substantial, up to 20 million pounds. Not sure how they would collect that from "Bob's Kitchen and Toilet Brush emporium", but ultimately the risk is there.
The main changes are:
And before you ask, yes, the IP address is considered PII and falls under this regulation (maybe a good argument to block all of the EU IP addresses).
So if you have a web site, deal with EU citizens or you do business in Australia, then you may have some privacy processes to review and update.
Mark H - Shearwater
Mar 6th 2018