On 25 May 2018, changes to the European Union’s General Data Protection Regulation (“GDPR”) came into effect requiring organisations all over the world (including businesses in Australia) to provide a high level of protection to the personal data of individuals in the EU, and allow those individuals to maintain better control over their personal data.
Application of the GDPR to Australian businesses
Specifically, the GDPR applies to Australian businesses (regardless of size) that are ‘data processors’ or ‘data controllers’ and that have an establishment in the EU, offer goods or services in the EU, or otherwise monitor the behaviour of individuals in the EU. Generally speaking, ‘data controllers’ determine the purposes and means for processing personal data and ‘data processors’ process personal data on behalf of a controller.
In today’s global economy, the introduction of the GDPR is particularly significant given that most businesses operate online (via the use of platforms, websites and applications), or otherwise have operations in overseas jurisdictions and accordingly have clients and customers globally.
The flow on effect for Australian businesses is that their data protection and privacy measures may no longer just be assessed from an Australian law perspective. Instead, these issues are now global and Australian businesses must take steps to evaluate their information handling practices to ensure that they comply.
Impact of the GDPR
It is not however all doom and gloom (and regulatory hurdles). The GDPR and Australian privacy laws (namely, the Privacy Act 1998 (Cth)) share many similarities and Australian businesses should already have some GDPR compliant measures in place.
For example, both the GDPR and Australian privacy laws foster transparent information handling practices and accountability measures to show individuals that their privacy is being adequately protected. Both laws also require businesses to implement measures that demonstrate their compliance with a set of privacy principles, and both take a privacy by design approach.
Obviously, however, there are some key differences between the two regimes. We have summarised a few of these below but ultimately the Office of the Australian Information Commissioner recommends that Australian businesses with clients or customers in the EU check to see if they are covered by the GDPR and, if so, take steps to comply.
Key provisions
Highlights of the GDPR are as follows:
- Accountability and governance: to achieve accountability and good governance practices, businesses covered by the GDPR must, amongst other things, implement appropriate technical and organisational measures. Such measures may include: undertaking compulsory data protection impact assessments when data processing is likely to result in a high risk to the rights and freedoms of individuals; maintaining documentation of business’ processing activities; implementing appropriate security measures; recording and, where necessary, reporting personal data breaches; and (unless an exception applies) appointing data protection officers.
- Consent: an individual’s consent to a business handling their personal data (including any cookies associated with an individual’s online usage patterns) must be freely given, specific and informed, and must be indicated by a statement or other clear affirmative action. This has made many businesses reconsider their information collection statements to require customers to actively consent to the use of their personal data (versus the current common practice of having a check box “ticked” and requiring customers to actively opt out).
- Enhanced individual rights: the rights of individuals now specifically include a right of access to personal data; a right to rectification; a right to erasure (or a right to be forgotten) if certain conditions are met (including when the personal data being collected is no longer necessary for the purposes for which it was collected or processed, or when the data subject withdraws their consent); a right to data portability (which is essentially a right to obtain a machine readable copy of your personal data and reuse, or transfer that personal data to another data controller); and a right to object to the processing of your personal data.
Ultimately these changes require businesses to adopt and/or strengthen their internal processes and systems to ensure they can adequately protect clients’ personal data.
Recommended next steps
Accordingly, we suggest that if you haven’t done so already you:
- Seek advice about whether the GDPR applies to your business;
- Familiarise yourself with the requirements of the GDPR and if necessary obtain compliance advice to ensure you have a firm understanding of those requirements;
- Evaluate your business’ organisational measures relating to the handling and collection of personal data and update these to ensure that they meet the requirements of the GDPR; and
- Update your privacy policy and collection statement.
If you need advice on the application of the GDPR to your business, please don’t hesitate to contact us.