The European Union’s (EU) General Data Protection Regulation (GDPR) comes into force on 25 May 2018. It will affect any business that collects the data of individuals in the EU. If your business already complies with Australian privacy laws, you have a head start in ensuring GDPR compliance. However, you may need to tweak your business operations to fully adhere to the GDPR. This checklist will assist you in determining whether you need to make any changes to your business to ensure GDPR compliance.

Determine Whether Your Business Needs to Comply with the GDPR

Your business needs to comply with the GDPR if it collects data and it:

  • is established in the EU;
  • supplies goods or services to individuals in the EU; or
  • monitors the behaviour of individuals in the EU.

Determine Whether Your Business is a Data Processor or a Data Controller

Your business will face different obligations depending on whether it is a data controller or data processor.

Data controllers are:

  • natural or legal persons;
  • public authorities;
  • agencies; or
  • other bodies that determine the purpose and means of the processing of personal data.

A data controller can, therefore, be any business that asks its customers for their personal information. If your business asks customers for their name and email to send them newsletters, for example, your business is a data controller because you collect personal information for the purpose of sending out a newsletter.

Data processors are:

  • natural or legal persons;
  • public authorities;
  • agencies; or
  • other bodies that process data on behalf of data controllers.

Data processors can be data storage businesses such as Amazon Web Services, businesses that organise customer information such as Marketo or Salesforce, and businesses that send out newsletters to customers such as MailChimp. Each of these businesses deals with information on behalf of others and is, therefore, a processor of data.

Complete a Data Protection Impact Assessment (DPIA)

If your business processes personal data using new technologies and the processing is likely to result in a high risk to the rights and freedoms of individuals, you need to complete a DPIA.

In particular, you need to carry out a DPIA if your business:

  • systematically and extensively evaluates personal aspects of individuals, including profiling, where the processing has legal or other consequences for the person involved (for example, processing data for credit applications that might result in an application being rejected);
  • processes special category data, including data on:
    • racial or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs;
    • trade union membership;
    • genetic data;
    • biometric data; and
    • data concerning a natural person’s sex life or sexual orientation;
  • processes personal data relating to criminal convictions and offences; or
  • systematically monitors a publicly accessible area on a large scale.

Appoint an EU Representative

If your business falls under the scope of the GDPR because you supply goods or services to individuals located within the EU, or you monitor the behaviour of individuals within the EU, you need an EU representative.

You do not need a representative if:

  • your business only processes data occasionally (except if it processes special category data, or criminal conviction or offence data) and it is unlikely to result in a risk to the rights and freedoms of natural persons. This takes into account the nature, context, scope and purposes of the processing; or
  • your business is a public authority.

There is no need to establish a representative in every EU member state where you might supply goods or services or monitor individuals’ behaviour. Rather, you only need one representative in the EU.

Update Your Privacy Notices and Privacy Policy

If your business falls under the scope of the GDPR, you may need to update your privacy policy. However, if your privacy policy already complies with the Australian Privacy Act 1988 (Cth) (Privacy Act), you may only require small tweaks to comply with the GDPR.

It is useful to state in your updates:

  • your business processes personal data in accordance with the principles set out in the GDPR;
  • individuals over 16 years old can consent to the processing of personal data, but anyone younger needs the consent of their parent or guardian; and
  • individuals have the right to:
    • be forgotten;
    • access their data;
    • request their data be erased;
    • request that the processing of their data be restricted; and
    • data portability.

You must include a privacy notice every time you collect personal information. Under the Privacy Act, consent can be explicit or implied. Therefore, when someone enters their information in your online form, they imply consent to the collection of their data.

However, according to the GDPR, businesses require an “unambiguous indication of the data subject’s wishes which, by a statement or by a clear affirmative action, signifies agreement to processing”. Therefore, you must ensure the customer consents to the collection of their personal data and to your privacy policy each time you collect their data. You can do so via a click-to-accept box to signify explicit consent.

Train Staff and Create a Privacy Compliance Manual

Your staff are likely to be the ones responding to individuals requesting to exercise their rights. Therefore, it is essential that they are aware of the rights under the GDPR and respond appropriately.

Businesses that do not comply with the GDPR can face fines of up to €20 million or 4% of their annual worldwide turnover, whichever is higher. Accordingly, creating a privacy compliance manual and providing your staff with training is important to ensure GDPR compliance.

Abide by the Relevant Obligations

Data Controllers

Under the GDPR, data controllers must:

  • conduct DPIAs if required;
  • appoint processors under a binding written contract stating the processor must:
    • only process personal data in line with the controller’s instructions;
    • promise to ensure the security of personal data;
    • impose confidentiality obligations on all personnel processing data; and
    • abide by a suite of other rules; and
  • implement appropriate technical and organisational security measures to protect personal data “by design” and “by default”.

Data Processors

Under old EU law, data processors had contractual obligations to controllers but no direct statutory obligations. However, the GDPR changes this:

  • Where a processor determines the purposes and means of any processing activity, that processor is treated as a controller in respect of that processing activity.
  • Each processor (and any of its representatives) must keep records of its processing activities performed on behalf of the controller (which include certain prescribed information).
  • To the extent that the GDPR requires the appointment of a data protection officer, that requirement also applies to processors.

Key Takeaways

You must ensure GDPR compliance by adjusting your operations and updating your privacy policy if your business:

  • is established in the EU;
  • supplies goods or services to individuals in the EU; or
  • monitors the behaviour of individuals in the EU.

You also need to determine whether you are a data processor or a data controller; there are different obligations for the two categories. Further, you must decide whether you need to carry out a DPIA and appoint a representative in the EU. If your business does not comply with the GDPR once it comes into force, you may be fined.


Chloe Sevil