The European Union’s General Data Protection Regulation (GDPR) has been in effect since May 2018.
In essence, it regulates the ‘personal data’ of individuals in the EU, from collection through use, retention and transfer to deletion.
The GDPR is a European Union regulation, so I shouldn’t be affected as an Australian business, right? Not necessarily, and here’s why.
The GDPR doesn’t just apply to EU businesses. It applies to any business that collects or processes the personal data of individuals who are in the European Union, regardless of where that business is based.
We know that with the rise of online businesses and services, some Aussie businesses are bound to be caught by the extraterritorial scope of the GDPR and may have to comply with it, so let’s break it down.
Firstly, let’s understand how things are defined in the GDPR.
Processing: any operation performed on personal data. It encompasses everything from collecting data to destroying it, and is a catch-all term that also covers the storage, use, disclosure, alteration and deletion in between.
Personal data: any information relating to a living person who can be identified from it, directly or indirectly.
Data that identifies someone directly could include a person’s name, home address or email address. Data such as an IP address, a device identifier or location data identifies someone indirectly: by itself it may not point to a specific individual, but cross-referenced with other data your company (or a third party) holds, it can produce a positive identity match. Both kinds are personal data under the GDPR.
‘Sensitive’ personal data (which the GDPR calls ‘special categories’ of personal data): this class of data must be handled with extra care, and processing it is prohibited unless a specific exception applies. It includes racial or ethnic origin, health data, sex life or sexual orientation, religious or philosophical beliefs, political opinions, trade union membership, and genetic or biometric data.
Controller: the person or organisation that determines the purposes and means of processing personal data (for example, when you as a business decide to collect a first name, last name and email address, and decide what you will do with them, you are acting as a controller).
Processor: someone who processes personal data on behalf of, and on the instructions of, a controller (for example, a marketing company that sends promotional email to your customer list on your behalf, or a cloud provider that hosts your customer database). A business is commonly a controller for some data and a processor for other data.
Data subject: any individual in the EU whose personal data is processed.
It is important to think about whether you need to be GDPR compliant as an Australian business.
Australian businesses may need to comply in two circumstances:
- If the business has an establishment in the EU (such as an office, branch or subsidiary) and processes personal data in the context of that establishment’s activities. This applies irrespective of whether the processing itself takes place in the EU; or
- If the business, even without any EU establishment, offers goods or services to individuals in the EU (whether or not payment is required) or monitors the behaviour of individuals in the EU (for example, by tracking and profiling visitors to its website).
The GDPR applies to the data processing activities of all businesses, regardless of size (which is somewhere the GDPR and the Australian Privacy Principles diverge — more on that below).
Which Businesses Need To Comply With The GDPR?
Some examples of Australian businesses that may need to comply with the GDPR include:
- Australian businesses with an office in the EU
- Australian businesses that target EU customers. This could include allowing customers to order goods and services in a European language other than English, or offering customers the option to pay in Euros
- Australian businesses whose website refers to EU customers or users (e.g. if you have mentioned them in testimonials or reviews)
What Do You Need To Do To Be Compliant?
We’ve already written some quick tips on how to be GDPR compliant. But, essentially, there are seven main data protection principles (set out in Article 5 of the GDPR) that need to be adhered to.
1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully (on one of the legal bases the GDPR recognises, such as consent, performance of a contract, a legal obligation or a legitimate interest), fairly, and in a transparent manner, so that individuals are told what you collect about them and why.
2. Purpose Limitation
Here, the GDPR mandates that organisations should only collect personal data for specified, explicit and legitimate purposes, and should not later process it in a way that is incompatible with those purposes. There is more leeway for further processing in the public interest or for scientific or historical research or statistical purposes.
3. Data Minimisation
The personal data an organisation collects must be adequate, relevant and limited to what is necessary for its stated purpose. This is beneficial for both users and organisations because:
- In the case of a data breach, only a limited amount of personal data is exposed.
- Minimising the amount of personal data collected makes it easier to keep that data accurate and up to date.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. According to the GDPR, ‘every reasonable step must be taken’ to erase or rectify personal data that is inaccurate or incomplete without delay, and a request from an individual to correct their data must be acted on without undue delay and in any event within one month (extendable by a further two months for complex or numerous requests).
5. Storage Limitation
Personal data must not be kept in a form that identifies individuals for longer than is necessary for the purpose it was collected for. When the organisation stops having a need for the personal data, the GDPR mandates that it must be deleted or anonymised.
6. Integrity and Confidentiality
In this requirement, the GDPR mandates that personal data must be ‘processed in a manner that ensures appropriate security of the personal data’, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The GDPR does not prescribe specific controls (due to the fast-changing nature of technology); instead it requires ‘appropriate technical and organisational measures’ proportionate to the risk, and names pseudonymisation and encryption as examples.
7. Accountability
This is referred to as the ‘accountability principle’, and it means exactly that. The controller is responsible for compliance with the six principles above and must be able to demonstrate that compliance (for example, through documented policies, records of processing activities and data protection impact assessments).
GDPR vs Australian Privacy Principles: Where Do They Differ?
There are many similarities between the requirements outlined in the GDPR and in the Australian Privacy Act 1988. They both include general concepts like being able to demonstrate compliance with privacy principles whilst adopting transparent information handling practices.
Below are just some of the situations where the GDPR differs from the Privacy Act.
Processors and Controllers
The Australian Privacy Principles do not distinguish between ‘processors’ and ‘controllers’; every organisation that handles personal information is simply an ‘APP entity’. Having defined roles ensures accountability along the whole processing chain. Controllers also have obligations to be more transparent in their communication with individuals than what is required by the Privacy Act.
Consent
While in Australia consent can be implied, the GDPR requires that consent be freely given, specific, informed and unambiguous, given by a ‘statement or by a clear affirmative action’ (pre-ticked boxes, silence and inactivity don’t count), and explicit consent is required for sensitive data. Both systems allow consent to be withdrawn at any time.
Individual Rights
There are certain rights in the GDPR that aren’t explicitly stated in the Privacy Act. These include the right to erasure (the ‘right to be forgotten’), the right to data portability and the right to object to certain processing.
Data Breach Notification
There is a more onerous requirement to report data breaches under the GDPR, and you also have a shorter time frame in which to do this. A breach must be reported to the relevant supervisory authority within 72 hours of the controller becoming aware of it (and to the affected individuals without undue delay where the breach is likely to result in a high risk to them), whereas Australia’s Notifiable Data Breaches scheme requires notification ‘as soon as practicable’ and only for breaches likely to result in serious harm.
Size of Business
As mentioned before, the Privacy Act does not cover small business (ones with an annual turnover of $3 million or less – subject to some exceptions). In contrast, the GDPR applies to all organisations, regardless of size and industry.
Penalties For Non-Compliance
The GDPR has two tiers of administrative fines for non-compliance.
1. Up to €10 million, or 2% of annual global turnover, whichever is higher. This applies to infringements of the obligations placed on controllers and processors, such as the security, record-keeping, breach notification and data protection impact assessment requirements.
2. Up to €20 million, or 4% of annual global turnover, whichever is higher. This applies to infringements of the basic processing principles (including the conditions for consent), of individuals’ privacy rights, or of the rules on transferring personal data outside the EU.
Brexit: What Does It Mean For GDPR?
The UK was one of the principal architects of the GDPR. But now that Brexit is well and truly underway, will you still have to comply with the GDPR if you have customers primarily in the UK?
Initially, there is a transition period (running until 31 December 2020) during which the EU GDPR continues to apply in the UK.
Although the EU GDPR ceases to apply automatically in the UK after the end of the transition period, it is unlikely that much will change for Australian businesses with UK customers.
The GDPR is being retained in UK domestic law as the ‘UK GDPR’ (sitting alongside the Data Protection Act 2018), which means compliance obligations will largely stay the same. The extraterritorial scope and the representative requirement carry over too, but a business with no UK establishment that is caught by the UK GDPR will need a UK Representative rather than (or, if it also serves the EU, in addition to) an EU Representative.
And, of course, the UK GDPR will be altered in scope to cover the personal data of individuals in the UK only.
All in all, for Aussie businesses, the same level of compliance will most likely be necessary if you conduct business in the UK.