What is the GDPR?
The European Union General Data Protection Regulation (GDPR) contains new data protection requirements that have applied from 25 May 2018. It applies broad rights protecting individuals' personal information across the EU
Who does it apply to?
The GDPR applies to businesses that are data processors and controllers with an establishment in the EU. In general terms, a controller says how and why personal data is processed and a processor acts on behalf of the controller. Where a business has an establishment in the EU, activities of the business that involve processing personal data will need to comply with the GDPR, regardless of whether the data is actually processed in the EU.
Controllers must ensure and demonstrate through the implementation of appropriate technical and organisational measures, including data protection policies, that their processing activities are GDPR compliant.
The GDPR sets out expanded accountability and governance requirements and introduces a raft of changes cross a number of areas:
- There is a particular focus on the rights of the individual. A number of rights have been introduced including
- the right of erasure – that is the right to be forgotten and
- a portability right – the right to have data made available to other organisations.
- Organisations must appoint a Data Protection Officer physically resident in the EU to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures.
- The GDPR introduces mandatory breach notification. Data controllers must advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach unless the breach is unlikely to impact the rights and freedoms of individuals. This is an onerous timing obligation compared to the equivalent laws in Australia.
- There is also a new definition of consent, which states that it must be freely given, specific, informed and an unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing.
Penalties under GDPR are much higher than those prescribed by the Privacy Act 1988 (Cth). Under the regulations, organisations may be subject to fines of up to 20 million euros or 4% of global revenues.
What does it mean for Australian business?
The GDPR is focused on activities in the EU, however as it is drafted very broadly, it is likely to impact organisations outside of the EU, including organisations in Australia. The following organisations will be captured by the regulations and required to comply. Organisations that:
- have a physical presence in the EU;
- offer goods or services into the EU (irrespective of whether payment is required);
- use social media or a website to monitor the behavior of individuals in the EU; and
- provide data processing services on behalf of a controller resident in the EU.
Australian businesses that would be covered by the GDPR include businesses:
- with an office in the EU;
- whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros;
- whose website mentions customers or users in the EU; and
- that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preference, behaviours and attitudes.
Risk Management – how do you assess, monitor and treat the risk?
Australian businesses that are required to be GDPR compliant need to systematically review their personal information handling practices for the EU. Additionally, businesses would be required to;
- Appoint Data Protection Officers physically resident in the EU and in Australia;
- Review technical and organisational data protection controls within the organisation;
- Revisit data breach notification plans to ensure compliance with the 72 hour notification requirement; and
- Introduce a breach register (if not currently applied).
Given the importance of consent with the GDPR, it is also necessary to revisit how consent is obtained from individuals in the EU and the type of information obtained. There is also a focus on sensitive information under GDPR, so compliant organisations need to decide what information they require for their business to function.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.