What the GDPR Means for Australian Businesses
The GDPR, or General Data Protection Regulation, came into force on 25 May 2018. This is a European Union regulation, but it also affects many Australian businesses. Here’s what you need to know.
What is it?
The GDPR regulates the ‘personal data’ of individuals. It was designed to harmonise various data privacy laws within European countries and to protect the data privacy of EU citizens. That affects how personal data is collected, dealt with, distributed and stored.
The GDPR applies to ‘personal data’, which is defined as ‘any information relating to an identified or identifiable natural person’. Additional protections exist for certain classes of information, such as information relating to someone’s ethnic or religious identity, political opinions or sexual orientation.
The penalty for non-compliance is steep. Non-complying companies can be fined up to 20 million euros, or 4% of global annual turnover, whichever is greater.
Who does it affect?
Although the regulation was introduced in the European Union, it has a broader application. Australian businesses are affected if they:
1. Are data controllers or processors who maintain premises of any kind in the EU
You maintain premises in the EU whether you’re operating on your own account or via a related subsidiary or entity in the EU. It also doesn’t matter whether the data itself is processed in the EU, as long as the data belongs to EU residents.
For example, if you’re an Australian business using an email provider such as MailChimp, you are the data controller who is deciding what data to collect, and MailChimp is the processor. If the data belongs to EU residents, the law applies to you.
2. Offer goods and services for sale within the EU, including online goods and services bought by EU customers
You offer goods or services to EU residents, irrespective of whether payment is required or not.
3. Monitor the behaviour of individuals in the EU
You monitor the behaviour even if the monitoring takes place outside the EU, as long as the behaviour that’s being monitored is occurring within the EU. Internet tracking of an individual’s browsing behaviour or creating a data profile of that individual would both be examples of monitoring.
There is no minimum business size to which the regulation applies, so even small businesses should be aware of their obligations.
What are your obligations?
Firstly, be aware that the requirements of the GDPR are not that different from those in the Australian Privacy Act 1988, so the chances are good that you will need to make only minor changes.
Both laws foster transparent information handling practices and business accountability. Both laws require businesses to implement measures that ensure compliance with a set of privacy principles, and both take a privacy by design approach to compliance. Data breach notification is also required in certain circumstances under both the GDPR and the Privacy Act.
There are a few differences, however, which require attention. Here are the most significant three.
Consent
Both laws require that individuals consent to having personal data processed. However, the standard for consent has been strengthened in the GDPR.
Amongst other things, consent must be a positive opt-in. That differs from the Privacy Act, where ‘express or implied consent’ meets the test. It means that you can no longer ask customers to tick a box only if they do not wish their data to be used, as many companies have done in the past.
Australian businesses to which the GDPR applies are well advised to standardise their consent mechanisms to make sure they comply.
Right to Erasure
The GDPR gives individuals a ‘right to erasure’ which means that they can require data controllers to delete their data in certain and fairly broad circumstances. There is no equivalent right in the Privacy Act, although it does compel businesses to destroy or de-identify information that is no longer needed. Companies should be aware of this individual right and take steps to comply if required.
Notification of Breach
Under the Privacy Act, companies must notify the OAIC where a breach is likely to result in serious harm, and they have 30 days to make that assessment. Under the GDPR, companies must notify affected individuals of any breach within 72 hours.
What should Australian companies do?
If you haven’t already, this is the time to look closely at your personal data collection practices. Audit the personal information you currently hold to see where it comes from and how it’s shared. Anything that you don’t need should be deleted.
Document your procedures for collection and disposal to account for the GDPR’s requirements, including the individual right to erasure. Your procedures should include safeguards against data breaches and best practice for data collection.
For further information on this topic, please see the resources at the Office of the Australian Information Commissioner.