The European Union's 'General Data Protection Regulation' (GDPR) is in force from the 25th of May 2018. With the rise in online businesses worldwide, wide-scale data collection and monetisation has become the norm, prompting governments to intervene and put measures in place to protect the individual.
Although the GDPR is a European regulation, Australian businesses may need to comply with it, particularly if the business in question operates in an online space. In the following blog post we will look at when and where the GDPR applies, the obligations under the GDPR, and the differences between the GDPR and the Australian Privacy Act.
When and where does the General Data Protection Regulation apply?
The GDPR applies to businesses that meet the following criteria:
- The business was established in the European Union (EU);
- The business offers goods or services to individuals based in the EU;
- The business monitors EU residents' behaviour.
Focusing on Australian businesses, if any Australian organisation collects personal data on individuals who are located in the EU, it is likely that those actions will fall under the GDPR. For example, an Australian business will need to comply with the GDPR if it:
- Deals with the personal information of an individual in the EU (for example, the executor of an estate could reside in the European Union);
- Ships products to individuals located in the EU;
- Sells an item that tracks the behaviour or location of an individual located in the EU (such as a fitbit).
Any Australian business that meets one or more of the above criteria will need to ensure that it complies with the GDPR's requirements and obligations.
What are the obligations under the General Data Protection Regulation?
The GDPR places a number of restrictions on data ‘controllers’ and ‘processors’. A controller is defined as a business that determines how data will be processed or used, and the processor is a business that acts on that data.
Principles for Processing Personal Data
Any business that has access to personal data will need to comply with the following principles:
- Process the personal data in a manner that is lawful, fair and transparent
- Process the personal data in a way that maintains its accuracy
- Process the personal data in a secure fashion
- Use the data for a legitimate purpose
- Do not collect/use data that you do not need
- Store the data for no longer than necessary
Companies must now request permission to control or process personal data. This request must be made before any data is collected, with a system that makes it easy for the individual to withdraw consent. A separate request must also be made for each collection.
Data Protection Officer
If your business undertakes regular monitoring of individuals on a large scale, a data protection officer will be required. In some cases, a business that undertakes large-scale data processing may also be required to appoint a representative located in the EU to act as the business's point of contact.
Access to Data and Deleting Data
With these new changes, individuals now have the right to contact your business to request and obtain:
- Copies of their data
- Details of how your business is using their data
- Details of how long their data will be stored
- Information on who the data will be disclosed to
Individuals now also have the right to ask your business to erase their personal data, or to place a restriction on how it will be used. Your business must comply with these requests if it no longer requires this data.
Disclosure of Data to third parties
Your business may need to disclose personal data to other parties. In these cases your business may only disclose as much data as the third party needs, and the third party must agree to keep the data confidential.
It is important to note that your business may still be held liable if the third party discloses the data in a way that breaches the GDPR. If this occurs you will need to prove that your business was not responsible in any way for the breach. However, you may still be held liable if your business does not adequately investigate the third party’s data protection capabilities.
Personal Data Breaches
If a data breach occurs that is likely to compromise the data of your clients, it is crucial that you notify a supervisory authority within 72 hours of the breach occurring. If you notify after this deadline you must also provide a viable reason for the delay.
Differences Between the GDPR and the Australian Privacy Act
The main difference between the GDPR and the Australian Privacy Act is who must comply. The Australian Privacy Act contains a 'small business exception' that excludes businesses with a revenue of less than $3 million from having to comply. In contrast, the GDPR has no revenue threshold, and any business that meets the criteria must comply.
The other major difference between these two acts is that the penalties for breaching the GDPR are much higher. If a business breaches the rules stipulated by the GDPR it can be fined either €20 million or 4% of its total worldwide annual turnover for the preceding financial year. By contrast, the penalty for breaching the Privacy Act is a fine of AUD $2.1 million.
With many businesses collecting personal data, the EU is recognising that protecting individuals' personal data. Many businesses that operate in the online space (including Australian companies) will need to stay updated, aware and in compliance with the General Data Protection Regulation. You will need to determine whether your business has any obligations and, if so, decide how to meet them.
If you have any questions about how to comply with the General Data Protection Regulation, call Owen Hodge Lawyers on 1800 770 780 or email us at [email protected]