New data protection laws in the EU: What do Australian businesses need to know about the GDPR?

From 25 May 2018 the European Union General Data Protection Regulation (GDPR) will impose strict data privacy obligations on organisations dealing with data of European Union (EU) citizens. The GDPR will affect some Australian businesses, even where they have no physical presence within the EU.

The obligations extend far beyond the requirements of Australian privacy law, with higher standards for obtaining consent, harsher breach notification requirements, additional rights granted to individuals and a new requirement to appoint a data protection officer. The penalties for breaching the GDPR could be up to 4% of your organisation’s annual global turnover, or €20 million (whichever is greater).

Organisations must determine whether they will be affected by the GDPR and, if so, take steps now to comply.

Which Australian businesses are affected?

Australian businesses may need to comply if they:

•    have an establishment in the EU (for example, through a branch or subsidiary in the EU); or

•    offer goods and services in the EU; or

•    monitor the behaviour of individuals in the EU.

Australian businesses that have online stores targeting European customers (e.g. by offering payment in Euros or an EU language translation) should assume they need to comply.

What information does the GDPR apply to?

The GDPR applies to ‘personal data’, meaning any information relating to an identified or identifiable natural person, which is similar to the definition under the Privacy Act 1988 (Cth) (Privacy Act). ‘Personal data’ can encompass a wide range of identifiers, including an individual’s name, photo, email address, identification number or opinion.

Additional protections in the GDPR apply to ‘special categories’ of personal data, such as information relating to an individual’s gender identity, trade union activities and racial or ethnic origin.

What are the key obligations?

As there are similarities between the GDPR and the Privacy Act, Australian businesses may already be partially compliant. However, there are some key differences:

•      Consent: a person’s express consent to collection of their personal data must be obtained in a clear and transparent manner. Pre-ticked boxes, opt-out arrangements or bundled consent will not meet the requirements. Businesses need to ensure the withdrawal of consent is as easy as obtaining it.

•      Right to be forgotten: the GDPR grants individuals a right to be forgotten. This means that upon request by a person or where the data is no longer necessary for the purpose for which it was collected, businesses must erase that person’s data and cease further distribution. To comply, organisations will need to conduct regular data audits and analyse whether the reason the data was collected is still relevant.

•      Access to data: individuals have the right to obtain confirmation as to whether personal data concerning them is being processed, where and for what purpose.

•      Mandatory notification: while the regime is similar in some respects to the Australian one, the timeframe for assessing and notifying a data breach is merely 72 hours. Organisations are required to notify all individuals who are at risk from the breach, as opposed to only those at ‘significant risk’ under the Privacy Act.

How to prepare

Prior to the commencement of the GDPR it is crucial to assess whether your organisation is affected. If the GDPR applies, you must now take active steps to avoid being in breach.

The penalties are significant enough to cripple small and medium businesses, so privacy compliance should now be treated as a vital part of your risk management.