If you hadn’t realised your company may be affected, you better move quickly
The European Union General Data Protection Regulation (the GDPR) came into force globally on 25 May 2018. These regulations were implemented to standardise data protection laws across the European Union (EU), as well as to strengthen the privacy rights of EU Citizens.
Within hours of the GDPR coming into force Google, Facebook, Instagram and WhatsApp received privacy complaints, and now face potential fines of up to four (4) percent of their annual worldwide turnover.
As a result, Australian companies should quickly assess whether they are subject to the GDPR and comply with their new obligations. Inaction may land you on the growing list of companies that have already fallen short of these regulations and you could even face some extremely heavy fines.
Does the EU General Data Protection Regulation apply to your company?
The GDPR applies to companies of all sizes, regardless of where they a based or where they process personal data, that:
1. Have an establishment in the EU
2. Offer goods and services in the EU
3. Monitor the behaviour of individuals in the EU.
If your company offers services targeted solely outside the EU and these services can be accessed by clients when they travel to the EU, then, your company will not be subject to the GDPR.
What are your company’s obligations under the EU General Data Protection Regulation?
The GDPR regulates how companies handle personal data, which is ‘any information relating to an identified or identifiable natural person’.1 This includes a wide range of data relating to an individual such as their:
- Identification Number
- Online Identifier
- Location Data
- Economic Data
- Cultural & Social Data
This means that any company who sells products to EU individuals would fall under the GDPR as they would possess some level of data to identify the individuals they are selling products to. The obligations on companies correspond to the sensitivity and scale of their data processing activities.
Provided that your company already complies with the Australian Privacy Act 1988 (Cth) (the APA) domestically, you should already have:
1. Transparent information handling practices
2. Implemented a privacy by design approach to compliance
3. Demonstrated compliance with privacy principles and obligations.2
The APA overlaps with many of the obligations found in the GDPR. However, there are differences that companies should be cognisant of, some of which are outlined below.
The GDPR defines consent to data processing differently to the APA. While the APA states that consent can be express or implied, consent under the GDPR must be:
1. Freely given
4. Unambiguously given with clear affirmative action.
Individuals must be able to withdraw consent as easily and they have given it, and they must be aware of their rights to do so.
Data Controllers, Data Processors and Contracts
There are specific obligations on entities which are considered ‘data controllers’ and those that are considered ‘data processors’. A data controller determines the purpose and means by which personal data is processed. A data processor processes personal data on behalf of the controller and is usually a third party contracted with the data controller.
The requirements applying to data controllers are more extensive than data processors. Data controllers are also on the hook for the misdeeds of their data processors if they have not received adequate contractual guarantees. 3 Any contract that your company has with a data processor must contain specific clauses detailing the relationship between the parties and their obligations regarding data processing. If you already have existing contracts with data processers you should include addendums, if possible, to incorporate these new requirements.
Enhanced Individual Rights
The GDPR contains greater rights for individuals in the EU, and Australian companies should be aware of these new obligations. Of importance is the ‘right to be forgotten’, which gives individuals the right to request that their data is deleted. The only times that a request for data deletion can be refused is when:
1. the personal data your company holds is needed to exercise the right of freedom of expression
2. there is a legal obligation to keep that data
3. there are reasons of public interest (for example public health, scientific, statistical or historical research purposes) to keep the data.4
Individuals can also request that the processing of their data is restricted to limited circumstances, or that processing be temporarily restricted if they contest the accuracy of data about them.
There is no equivalent obligation for Australian companies under the APA and new policies and procedures should be implemented to comply with these enhanced rights of individuals in the EU.
Do you need some extra motivation to ensure your company gets on top of the GPDR?
If you needed any incentive to shape up your data policies and procedures, just consider the fines that your company may face if you are caught breaching the GPDR.
At the moment, the fines for companies are who contravene the GDPR are either €20 million or 4 percent of annual worldwide turnover, whichever figure is higher.