The European Union's ('EU') new General Data Protection Regulation ('GDPR') came into effect on 25 May 2018. Whilst Europe is over 14,000km from Australia's sandy shores, its data protection laws are only a click away.
Is this relevant to my business?
If you are wondering why an EU regulation is causing such a fuss in Australia, the first key thing to know about the GDPR is that it applies to Australian organisations of any size that either:
- have an establishment or presence in the EU, or
- do not have a physical presence in the EU, but:
  - offer goods and services to European-based individuals, or
  - monitor the behaviour of European-based individuals.
Since a failure to comply with the terms of the GDPR may result in fines of €20 million or 4% of annual turnover (whichever is higher), it is critical that Australian organisations are prepared and protected.
What is the GDPR?
The GDPR is the biggest overhaul of data protection laws in Europe since the introduction of the European Union Data Protection Directive in 1995. The new laws seek to protect individuals' privacy and personal data by regulating the way that organisations collect, store and protect the personal information ('personal data') of European-based individuals. This includes customers, employees and suppliers ('data subjects').
For instance, organisations may collect personal data from data subjects only for 'specified, explicit and legitimate purposes'. In addition, organisations must obtain explicit and informed consent from the data subject prior to processing their data.
The GDPR also dictates how organisations must prepare for, respond to and report a data breach. Organisations must appoint a 'Data Protection Officer' to internally regulate the way personal data is processed by the organisation. They must also conduct a Data Protection Impact Assessment, outlining the potential ways that personal data stored by the organisation could be compromised, as well as how the organisation would respond to such a breach.
If a breach occurs, the organisation must report the breach to the relevant supervisory authority, and in certain circumstances also notify the individuals whose data has been compromised. This is similar to the new mandatory data breach notification regime that was introduced in Australia in February 2018.
The GDPR also grants data subjects certain rights over their personal data, such as:
- The right to access and review the personal data that is held by a company relating to the individual;
- The right to object to their personal data being processed;
- The right to data portability;
- The right to complain or query how companies process their personal data;
- The right to object to automated decision making using personal data; and
- The right to have personal data forgotten by the company.
How does the GDPR affect Australian Companies?
While the GDPR shares some common elements with Australian laws under the Privacy Act 1988, there are many elements of the GDPR that do not have an Australian equivalent. To make sure that they are protected, Australian organisations should take steps to determine whether their businesses are required to comply with the GDPR and if so, ensure they are familiar with the various obligations and additional rights granted under the GDPR.
If your company is not already GDPR-compliant, it is crucial that you immediately review your internal and external policies and procedures as well as any and all data collection procedures. The potential fines of €20 million or 4% of annual turnover (whichever is higher) are too great to ignore, and it is yet to be seen just how strictly the EU will enforce the new laws.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.