On 25 May 2018, the European Union (EU) (and, perhaps less enthusiastically, the rest of the world) welcomed the introduction of the General Data Protection Regulation (GDPR). Described as the most significant overhaul of data protection laws in recent memory, the GDPR has caused large and small entities around the world to stop, reconsider and, in most cases, re-calibrate their data handling and management practices. But what has changed in practice?
This article reflects on our learnings over the past half year: how we have seen Australian organisations manage their compliance obligations, what we are currently seeing in terms of enforcement, some of the intended and unintended consequences of the GDPR, and what we might expect to see in the coming months and years.
WHAT DOES IT DO?
The GDPR imposes a number of strict requirements on organisations that process, or control the processing of, the personal data of EU persons, including:
+ introducing a mandatory data breach notification regime, covering notification to the supervisory authority and to affected individuals (Articles 33 and 34);
+ imposing tighter conditions and requirements in relation to obtaining consent, including a child's consent (Articles 7 and 8); and
+ formalising the requirement to conduct data protection impact assessments for high-risk processing (Article 35).
The regulation also empowers EU persons by giving them rights to:
+ access their personal data (Article 15) and to rectify it where it is inaccurate (Article 16);
+ be 'forgotten', i.e. to have their personal data erased (Article 17); and
+ object to processing of their personal data, including any processing for direct marketing purposes (Article 21).
Most notably, as many of our readers will be all too aware, the territorial scope of the GDPR is incredibly broad. The regulation captures within its net not just the (expected) big global players. It also captures any organisation (whether established in the EU or not) that processes (or controls the processing of) the personal data of persons who are in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour (as far as that behaviour takes place within the EU).
WHAT MIGHT HAPPEN IF YOU DON'T COMPLY?
You could find yourself in hot water: breaches of the "higher severity" tier of obligations can attract fines of up to the greater of 4% of the organisation's total worldwide annual turnover for the preceding financial year or €20 million (approximately AUD 31.8 million) (Article 83). Six months in, however, it remains unclear what penalties will look like in practice.
For more background on the GDPR, including its extra-territorial reach and the key changes it introduced, as well as a comparison of its key requirements against those under the Australian Privacy Act, please see our "GDPR: The Final Countdown" and "GDPR: Ready or Not, Here it Comes" articles.