The European Union’s General Data Protection Regulation (GDPR) contains new data protection requirements that were put into effect on May 25, 2018. These harmonised and replaced the EU’s existing national data protection laws. The goal of enacting clear, uniform data protection laws is to give businesses legal certainty while also increasing consumer trust in online services.
Some Australian businesses covered by the Australian Privacy Act 1988 (Cth), known as APP entities, may also be required to comply with the GDPR. This applies if the business has an establishment in the EU, regardless of whether it processes personal data there, or if it offers goods and services to individuals in the EU or monitors the behaviour of individuals in the EU.
What is GDPR?
GDPR is an EU regulation dealing with data protection and privacy issues. It governs the entire lifecycle of the personal data of people in the EU, from collection to deletion.
Based on this definition, GDPR appears to be similar to the Australian Privacy Principles and the Australian Privacy Act 1988.
Despite obvious similarities in intent and definitions, GDPR is still regarded as one of the most comprehensive data privacy and security laws on the entire planet.
Who will be affected by the GDPR?
The GDPR applies to all businesses that are data processors or controllers within an establishment in the EU. A controller determines how and why personal data is processed, while a processor acts on the controller’s behalf. The GDPR applies regardless of whether the data is processed in the EU.
The GDPR also applies to data processing carried out outside the EU by processors and controllers that are established in the EU.
Data controllers and processors who are subject to the GDPR but are not based in the EU must generally appoint a representative based in an EU member state, although some exceptions apply. The representative serves as the point of contact for supervisory authorities and individuals in the EU on all issues relating to data processing, which helps ensure compliance with the GDPR.
Australian businesses that have customers in the EU or operate in the EU should determine whether they are subject to the GDPR and if so, take steps to ensure compliance.
Australian businesses that may be subject to the GDPR include:
- An Australian company with an office in the EU.
- An Australian company whose website caters to EU customers, for example, by allowing them to order goods or services in a European language or by accepting payment in euros.
- An Australian company whose website mentions customers or users in the EU.
- An Australian company that tracks data in the EU and uses processing techniques to profile people in order to analyse and predict personal preferences, behaviours, and attitudes.
Australian Privacy Act 1988
The Australian Privacy Principles (APPs), set out in Schedule 1 of the Privacy Act, govern how personal information must be handled, used and managed by most Australian Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
The Privacy Act applies to Australian-incorporated businesses. It also applies to businesses operating outside of Australia that collect personal information from or store personal information in Australia and conduct business here.
Australian businesses and GDPR
The GDPR’s impact is far greater than most companies realise, and while it may not apply to business owners personally, it may still apply to customers and suppliers, requiring businesses to change their policies accordingly.
This is why the GDPR includes specific terms for businesses that process personal information. In practice, this means corporate customers adding a clause to their contracts stating that the business complies with GDPR regulations, or something similar.
Enterprise service providers are also subject to GDPR compliance, because they may store and process personal information about customers.
This means that businesses who want to keep current EU customers or gain them in the future, need to start working on GDPR compliance status. The same is true for subcontractors and their contracts with businesses if they process customer personal information.
Distinctions between GDPR and Australian Privacy Law
GDPR and the Australian Privacy Act bear similarities. Both laws:
- Promote open information handling practices and corporate accountability, in order to give individuals confidence that their privacy is being protected.
- Require businesses to put in place measures to ensure compliance with a set of privacy principles.
- Take a privacy-by-design approach to compliance.
- Expect privacy impact assessments which are mandated in certain circumstances under the GDPR.
- Are technology-agnostic, which ensures their relevance and applicability in the face of constantly changing and emerging technologies.
However, there are some significant differences, the most prominent being the GDPR’s concept of ‘processors’ and ‘controllers’. Processors are companies that process information on behalf of someone else, presumably under a legal contract, and their GDPR limitations are not severe. In contrast, controllers are the entities responsible for ensuring GDPR compliance when working with personal data. Controllers are the parties who decide why personal information is collected and/or processed. Controllers are subject to much stricter regulation under the GDPR than under Australian privacy law.
Here are some other differences between GDPR and Australian Privacy Law:
- Individuals have additional rights in relation to their personal data. While Australian law covers access and correction rights successfully, GDPR adds several more, such as the right to data portability and the right to have data erased.
- Receiving consent is more difficult. Consent can be implied under Australian law. On the other hand, GDPR necessitates either affirmative action or a statement.
- There will be more appointments. According to GDPR regulations, businesses may be required to appoint a representative based in the EU, as well as a Data Protection Officer.
- The concept of a ‘lawful basis’. Under the GDPR, any data controller must ensure that its work with personal information is done on a lawful basis, which can include consent, the need to protect vital interests and contractual obligations.
- Data breach regulations. GDPR compliance requires a company to report a broader range of data breaches and gives it much less time to do so.
When to look into GDPR Privacy Law:
The first and most important question to ask is whether the business is processing any data from EU citizens. If the answer is ‘yes’, the business is within the scope of the GDPR and should begin working on compliance.
The following steps are a good place to start:
- Examine all of the personal information currently in possession, including who has access to it and where it came from.
- Examine overall data collection methods.
- Update the company privacy statement. The most important parts detail what data is being collected, why it’s being collected, what is the legal basis for collecting it, and how it is being protected.
- Make certain that personal information is well protected.
- Share GDPR compliance information with key individuals within an organisation.
- Delete all personal data that is not needed or that there is no legal reason to keep.
- Take the time to review third-party providers and determine whether they are GDPR compliant.
Although GDPR has been in effect for some time, many businesses are still unsure whether they are subject to its regulations and have not taken any steps to become compliant. It is strongly advised that businesses learn at least the bare minimum about GDPR and understand what data is stored where in order to respond to requests from EU citizens.
It’s never too late to comply with GDPR and Australian Privacy Law. Now is the time to audit various personal data, the placement of this data and the level of protection in place.
Here are some general principles to keep in mind when it comes to the GDPR for Australian businesses:
- The collection of data must be legal and the processing of data must be transparent.
- Don’t try to collect more information than necessary.
- Make certain that all of the personal information obtained is secure.
- Specify the purposes for which data is used and use it only for those specific purposes.
- Demonstrate understanding of and adherence to GDPR principles.
- Don’t keep personal information for any longer than necessary.
- Maintain error-free and up-to-date personal data.
It is also important to note that this article is not intended to be professional legal advice and any company with specific questions about GDPR compliance in Australia should always contact and consult their corporate or external legal counsel.