The actual guidance around what constitutes an individual “in the EU” is limited but it is taken under other guidance to cover organisations that offer to sell in euros, offer their goods and services in a European language other than English, and who monitor behaviours such as via online behavioural advertising, profiling or tracking.

To the extent that this applies to NSW public sector agencies, they need in addition to meeting their obligations under the Information Privacy Principles (IPPs), to look to comply with additional requirements under the General Data Protection Regulation (GDPR ) which include the right to be forgotten (also known as the right to erasure), data portability, the right to have a human review any automated decision making process, and a right to restrict the processing of their data. The GDPR also provides that withdrawing consent should be as simple as granting consent, which is not something generally considered under the IPPs.

The other important issue is that notification of data breaches under the GDPR requires that the relevant EU supervisory authority be notified within 72 hours.

These obligations will likely require NSW public sector agencies to update the privacy management plans.

At the conclusion of the fact sheet it provides links to a number of resources including the UK Information Commissioner’s Office Guidance on the GDPR which is a resource for both public sector agencies and businesses generally. The fact sheet can be found here.