The Facebook Cambridge Analytica scandal dominated headlines for weeks. Public concern over digital privacy and data security is growing with every high profile data security breach. Businesses are being forced to adapt to an environment where individuals are aware that their personal data is valuable, vulnerable and, in many cases, commercially exploited by social media platforms and third parties.
Regulators and policy makers are taking note too. From 25 May 2018, the General Data Protection Regulation (GDPR) will apply. We have previously explained the GDPR and highlighted some of the key issues for Australian businesses and differences with the Australian privacy regime (read further here).
In the lead up to 25 May, Australian businesses should consider whether the GDPR will apply to their operations. The implications for the GDPR are far-reaching, and will impact many Australian businesses, particularly those operating online. Below we have set out some FAQs for businesses likely to be affected by the GDPR.
What is the GDPR?
The GDPR is a regulation for the protection of the personal data of EU residents. It replaces an EU directive from 1995 which largely predated modern concerns around online privacy. It will apply to all 28 member states of the EU.
Importantly, it can also apply to foreign businesses who process the data of EU residents.
Do Australian businesses have to comply with the GDPR?
The GDPR can apply to an entity (including Australian businesses) who stores or processes the personal data of EU residents. The entity does not need to be based (or have operations) in the EU for the GDPR to apply.
Many businesses who have customers or clients in the EU need to review whether their activities fall within the scope of the GDPR.
What type of businesses will need to comply with the GDPR?
The GDPR regulates the activities of ‘controllers’ and ‘processors’. A controller is an entity who determines how and why personal data is collected and processed, while a processor is responsible for a limited range of activities involved with the processing of the personal data on the behalf of a controller (e.g. collecting and storing personal data, managing a controller’s data security in relation to personal data or transferring personal data between organisations).
By way of example, if your business sells products to EU residents and you use the services of a market research agency to track customer satisfaction, your business may be a ‘controller’ and the market research agency is the ‘processor’.
How do you comply with the GDPR?
Controllers and processors have different obligations under the GDPR.
Controllers are generally responsible for collecting and managing the consent of individuals whose personal data will be processed. They also need to ensure the processors they contract with comply with the GDPR or risk penalties themselves.
Processors are obliged to comply with a range of obligations in relation to their data processing activities. These include, but are not limited to:
- only processing personal data on instructions from the controller (and not using or mining the personal data for reasons other than their engagement)
- obtaining written permission for subcontracting and taking full liability for failures of the subcontractors to meet the requirements of the GDPR
- at the choice of the controller, deleting or returning personal data to the controller at the end of the term of the contract
- assisting in controller compliance audits
- having sufficient and compliant data security
- notifying data controllers of data breaches.
When does my business need to comply?
If GDPR applies, businesses will need to be able to demonstrate compliance with the GDPR by 25 May 2018.
What are the penalties for non-compliance with the GDPR?
Breaches of the GDPR by controllers and processors can carry fines up to:
- the greater of €10 million, or 2% of the worldwide annual revenue of the prior financial year (for lower level breaches)
- the greater of €20 million, or 4% of the worldwide annual revenue of the prior financial year (for higher level breaches).
What are the differences with Australian privacy law and principles?
Some of the requirements under the GDPR are similar those already in Australia under the Privacy Act 1988 (Cth), including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- handle personal information in a transparent manner.
However, the GDPR imposes more stringent requirements, particularly on data obtaining of and maintaining consent. Further, some of the new rights of individuals (including the ‘right to be forgotten’) do not have equivalents under the Australian privacy regime.
The scope of the differences should not be underestimated. Privacy policies developed for Australia will not be sufficient to comply with the GDPR. Many Australian businesses will need to update personal data handling practices and processes to ensure compliance with the GDPR.
- can apply to Australian businesses
- comes into force on 25 May 2018
- imposes a range of new obligations and restrictions on both data controllers and processors
- can lead to penalties and fines upwards of €10 million for breaches.
Australian businesses should assess whether their operations may lead to regulation under the GDPR and to be aware of the issues this may present. The obligations imposed by the GDPR are likely to have considerable legal and administrative implications for Australian businesses with any kind of cross-border presence in the EU. We can assist you with determining the legal implications of the GDPR on your business.