Introduction

European privacy regulation is undergoing massive changes, with the new General Data Protection Regulation (the GDPR) to take effect from 25 May 2018.

The GDPR differs from the existing law in several key ways. Enforcement rules and penalties are also much more onerous than what businesses have been used to.

GDPR: The Key Changes

  • Tougher sanctions
  • High bar for consent
  • Catches suppliers too
  • Harder to show ‘lawful processing’
  • Increased rights for individuals
  • Enhanced notification requirements
  • Wider territorial scope
  • Increased requirements for record keeping & internal policies
  • Online identifiers now treated as personal data
  • Data Protection Officers – new roles required by law
  • Enhanced restrictions on automated decision making and profiling

The GDPR will apply to Australian businesses that:

  • Have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • Do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.

It is essential that those companies take immediate steps to understand the impact of the GDPR and to implement necessary changes.

Australian businesses that may have to comply with the GDPR include:

  • A business with an office in the EU
  • A business whose website targets EU customers
  • A business that tracks individuals in the EU on the internet and uses automated decision making and profiling.

GDPR vs Australian privacy law: What’s the difference?

Australian businesses bound by Australian privacy laws will naturally ask ‘what’s different’ about the two regimes. For efficiency reasons, having a coordinated compliance regime across a company’s Australian and UK operations is preferable, so companies will want to know whether their existing processes already do an adequate job.

Whilst there are similarities across aspects of Australian privacy law and the GDPR, there are key differences too. These include principles found in GDPR which are entirely absent from the Australian regime and hence unfamiliar to Australian compliance officers.

A comparison of the two regimes is as follows:

Application
  Australian privacy law: Applies to businesses and Australian Government agencies with turnover of over $3M, together with some other smaller businesses.
  The GDPR: Applies to all data controllers and data processors regardless of turnover.

Concept of personal information
  Australian privacy law: Information which identifies an individual, whether or not it is true and whether or not it is recorded in a material form. Examples include a person's name, address, email address, telephone number, date of birth, signature, customer records, bank account details, health information or any commentary or opinion about a person.
  The GDPR: Similar approach to the Australian regime, although it uses the term "personal data".

Who the data relates to
  Australian privacy law: The Privacy Act refers to the "individual", being the person to whom personal information relates.
  The GDPR: Similar approach; uses the term "data subject".

Distinction between data controller and data processor
  Australian privacy law: No distinction.
  The GDPR: Distinction:
    • A controller determines the purposes and means of processing personal data
    • A processor is responsible for processing personal data on behalf of a controller

Consent
  Australian privacy law: Defined as ‘express’ or ‘implied’. Key elements include:
    • individual adequately informed before giving consent
    • individual gives consent voluntarily
    • consent is current and specific
    • individual has the capacity to understand and communicate consent
  The GDPR: Needs to be ‘freely given, specific, informed and unambiguous’.

Sensitive data
  Australian privacy law: Sensitive information attracts a higher level of protection under the Privacy Act. Sensitive information includes information about an individual's race or ethnicity, political persuasion or political associations, religious beliefs, sexual orientation, criminal record and health and genetic information (section 6, Privacy Act).
  The GDPR: Similar approach.

Transfer of data overseas
  Australian privacy law: Business must take ‘reasonable steps’ before transferring.
  The GDPR: Strict conditions to be met before transfer.

Right to restriction of processing
  Australian privacy law: Not included.
  The GDPR: Data subject has the right to obtain restriction of processing (subject to the processing condition relied upon).

Right to be forgotten
  Australian privacy law: Not included.
  The GDPR: Data subject can demand erasure of data (subject to the processing condition relied upon).

Data portability
  Australian privacy law: No direct equivalent.
  The GDPR: Data subject can demand receipt of data in a portable format (e.g. CSV file) if the processing condition relied on is that the individual has consented or that processing is necessary for the performance of a contract (subject to the processing condition relied upon).

Data breach notification
  Australian privacy law: Notifiable Data Breach scheme in effect since 22 February 2018. Entities must notify individuals and the Commissioner about eligible breaches.
  The GDPR: Controllers must notify breaches likely to result in a risk of significant damage (e.g. ID theft or financial loss) to the regulator within 72 hours, and to affected individuals if the breach poses a high risk to them. Processors must notify their clients without undue delay. All data breaches must be logged in internal records.

Penalties
  Australian privacy law: Limited penalties for an isolated breach; however, serious or repeated interferences with privacy may be subject to a civil penalty of up to $420,000 per contravention. Conduct may also amount to misleading and deceptive conduct under the Australian Consumer Law, with the potential for significant fines.
  The GDPR: Under Article 83:
    • Up to 10,000,000 EUR, or in the case of an undertaking, up to 2 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of obligations such as those of controllers and processors, the certification body and the monitoring body
    • Up to 20,000,000 EUR, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of obligations such as the principles of processing, conditions for consent, data subjects’ rights, transfers beyond the EU, etc.

Compliance with GDPR – what Australian companies need to do

If your company is bound by the GDPR, you should take steps towards compliance without delay. Whilst the law is not in force until May 2018 and foreign companies are unlikely to be the first parties of interest for the Information Commissioner, implementing the necessary changes will take time. It is important that your company is able to show an intention to do its best to comply with the GDPR, and a record of the actions taken to do so.

As a starting point, we recommend the following four steps:

1. Audit

  • Audit what data you use and whether you might be caught by the regime. This is known as ‘data mapping’.

  • You should create a log of all your processing activities covering:
      - the location of the data on your systems
      - what data is captured and the source of the data
      - what it is used for and who receives it
      - where it is transferred to geographically
      - what security is in place to protect the data
      - how long it is kept for
      - applicable contractual protections for the data

2. Understand

  • Examine the GDPR principles in detail including which of the prescribed processing conditions may justify your use of the data

  • Identify which ones are particularly relevant for your business

  • Identify your compliance weak spots

3. Plan

  • What do you need to change in order to comply with the GDPR

  • How will you implement those changes (who will do it, when, what’s the cost)

  • Set out a project plan

4. Implement

  • Implement your plan

  • Continue to monitor for updates

  • Update plan if your business changes

  • Seek advice in the event of a breach

Further useful tips for compliance are set out in Sarah Needham’s article 'Picking the low-hanging GDPR fruit', which can be found here: https://keystonelaw.co.uk/keynotes/picking-the-low-hanging-gdpr-fruit-a-pre-christmas-checklist.

Conclusion

Any large-scale regulatory change can be daunting, and the GDPR is no exception. However, Australian companies, like their European counterparts, should start moving towards compliance now. By taking a practical and phased approach, the project becomes manageable.