The European Union ‘General Data Protection Regulation’ (GDPR) came in force on 25 May 2018. The rise in online businesses worldwide has led to the wide-scale collection and monetisation of personal data, encouraging governments to intervene to protect the individual. Despite the GDPR being a European regulation, Australian businesses, and in particular, online businesses may need to comply with it. This article explains when your business may need to comply with the General Data Protection Regulation and what to do if so.
When the General Data Protection Regulation Applies
The GDPR applies to businesses that were:
- established in the European Union (EU);
- not established in the EU but that offer goods or services to EU-based individuals (free or paid), including by accepting payment in euros; or
- not established in the EU but that monitor EU residents’ behaviour.
As many Australian businesses (especially online businesses) may collect personal data of individuals located in the EU, it is likely that their activities will fall under the GDPR. For example, a business will need to comply with the GDPR if it:
- ships products to individuals in the EU;
- sells a health gadget that can monitor the behaviour of an individual in the EU; or
- deals with the personal information of an individual in the EU (for example, an Australian citizen located in the EU obtains tax advice from an Australian accountant).
This wide application will potentially require many Australian businesses to implement the obligations of the GDPR.
Obligations Under the General Data Protection Regulation
The GDPR places a range of obligations on data ‘controllers’ and ‘processors’. ‘Controller’ means a business that determines how the data will be processed or used. ‘Processor’ means a business that processes the data on behalf of the controller.
Principles for Processing Personal Data
Any business that processes personal data will need to comply with certain principles. ‘Personal data’ means information that identifies an individual.
|Process the data in a manner that is lawful, fair and transparent.||Inform customers of how your business will use their data.|
|Use the data for legitimate purposes.||Only use the data for the purposes for which you originally informed the customers.|
|Limit the use only to what is necessary.||Do not collect information that you do not need.|
|Process the data in a way that maintains its accuracy.||When data becomes out of date, correct it to ensure accuracy.|
|Store the data for no longer than necessary.||Delete the data when you have no legitimate need for it.|
|Process the data in a secure fashion.||
Use technological protections such as secure encryption and anti-virus software.
Use organisational measures such as an internal privacy procedures manual.
Companies must always request clear consent to control or process personal data. This request must be made explicitly and in an easily accessible form. Furthermore, businesses should use:
- ‘just-in-time’ requests given just before data is collected or processed;
- separate requests for each collection; and
- a system that makes it easy to withdraw consent.
Meeting these points may require your business to change its IT system.
Data Protection Officer and EU Representative
If your business undertakes regular and systematic monitoring of individuals on a large scale, it must designate a data protection officer. For example, your business may conduct marketing that requires the collection and processing of large amounts of personal data.
In some case, the business may be required to have a representative located in the EU if it undertakes large-scale data processing to act as the business’ point of contact for requests by GDPR supervisory authorities or data subjects.
Access and Erasure
If your business collects a person’s data, that person has rights to request and obtain:
- copies of that data and how your business is using it;
- details of how long the data will be stored; and
- information about to whom the data may be disclosed to.
An individual can also ask your business to erase their personal data or to place a restriction on how it will be used. Your business must comply with requests to erase the data if it no longer needs the data for the original reason it collected the data.
Disclosure and Transfer of Data
Your business may sometimes need to disclose personal data to other parties. For example, you may hire a company to assist with marketing or the distribution of products. In such cases, your business may only disclose as much data as the third party needs to know for the specific purpose. The third party must also agree to keep the data confidential.
Your business may still be liable if the third party discloses the data in a way that breaches the GDPR. If this occurs, you will need to prove that your business is not responsible in any way for the breach. You may still be held responsible if you did not adequately investigate the third party’s data protection capabilities.
Personal Data Breaches
You must notify a supervisory authority (established in each EU member state) if a data breach occurs that will likely risk the rights of the people involved. For example, if you lose credit card details, you will likely need to notify. However, losing a simple list of names may not have any negative effects, especially if encrypted. You will need to determine this on a case-by-case basis, but it is best to err on the side of caution and notify when unsure.
You must notify within 72 hours. If you notify after this deadline, you must also provide reasons for the delay. In any subsequent investigation, the authority will look at whether you have complied with the GDPR, including whether you have sufficient technological protections.
Differences Between the GDPR and Australian Privacy Act
The first difference between the GDPR and the Australian Privacy Act is who must comply. The Privacy Act applies to Australian businesses that collect personal information. The definition of ‘personal information’ and ‘personal data’ under the two laws is similar — information that identifies an individual.
However, the Privacy Act includes a ‘small business exception’ where certain businesses that have a revenue of less than $3 million do not have to comply. In contrast, the GDPR has no revenue threshold. All businesses that meet the GDPR criteria must comply regardless of revenue.
The second difference is that there are higher penalties for breaching the GDPR. The highest penalty for breaching the Privacy Act is a fine of $2.1 million. However, businesses that breach the GDPR can be fined the highest of either:
- €20 million; or
- 4% of their total worldwide annual turnover of the preceding financial year.
These high penalties make complying with the GDPR an important concern for Australian online businesses with a high turnover.
Ensure you understand what the EU’s new privacy laws mean for your business with our Cheatsheet.
With many businesses collecting personal data, the EU is recognising the right of individuals to protect their data. Many businesses, especially Australian online businesses, need to stay updated, aware and in compliance with the General Data Protection Regulation. You will need to decide if you have obligations. If so, you will then need to decide how to meet those obligations.
If you need further assistance on how to comply with the General Data Protection Regulation, call LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.
Was this article helpful?
We appreciate your feedback – your submission has been successfully received.