From 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) will come into force, regulating how public and private sector organisations must handle, secure and share “personal data” of EU residents. It is set to be one of the biggest changes to personal data protection in the EU in 20 years.

What is the GDPR?

The GDPR is a harmonised law across 28 EU member states, which mandates how organisations must handle personal data under strict conditions, protect it from misuse and exploitation, and respect the rights of data owners.

What types of data are we talking about?

Broadly, the GDPR applies to “personal data”, which is any information relating to an identified or identifiable natural person. For instance, this may include an individual’s name, signature, home address, salary, job title or opinions about them based on their online purchases or habits.

It is important to note that, while there are many similarities, the scope of personal data under the GDPR is potentially wider than the definition of “personal information” under Australia’s Privacy Act 1988 (Cth). For example, an email address or an Internet Protocol (IP) address is very likely to be personal data under the GDPR, but is not always personal information under the Privacy Act.

How does the GDPR apply to Australian businesses?

The GDPR applies to:

  • EU-based businesses, and
  • non-EU businesses which either:
    • offer goods or services to people in the EU;
    • have an office in the EU; or
    • monitor the behaviour of people in the EU, including where individuals are tracked on the internet or mobile apps, such as by profiling an individual (including via cookies, web beacons, tags or other technologies) to make decisions about that person or to analyse or predict that person’s personal preferences, behaviours and attitudes.

Persons in the EU do not have to be EU citizens, but merely located in the EU at the time of the transaction.

This means that many Australian businesses will need to comply with the GDPR. For example, let’s say you run an Australian-based business offering sporting equipment for sale in-store and online, and a customer in France places a bulk online order for soccer nets from your company. Your business accepts the order then receives payment and arranges for shipping of the product. In this scenario, your business would likely be “offering goods or services to people in the EU” and be required to comply with the GDPR when handling personal data about your customer in France (called a “Data Subject”), such as their name, email address, telephone number, billing and shipping addresses, and payment information.

Penalties for non-compliance

The GDPR provides a range of regulatory powers, including imposing administrative fines of up to €20 million or 4% of annual worldwide turnover. It also provides individuals (“data subjects” with specific rights, including the right to request that their personal data be deleted, and in some cases a right to bring legal action against companies who do not comply with the GDPR in handling their personal data.

Due to the GDPR’s potential reach outside of the EU, and new rights the GDPR grants to individuals over their personal data, the GDPR will have important implications for many Australian businesses.

Over the coming weeks, we will share a suite of short and snappy articles, to give Australian business the building blocks to comply with the GDPR.