The Facebook Cambridge Analytica scandal dominated headlines for weeks. Public concern over digital privacy and data security grows with every high-profile data breach. Businesses are being forced to adapt to an environment in which individuals know that their personal data is valuable, vulnerable and, in many cases, commercially exploited by social media platforms and third parties.
Regulators and policy makers are taking note too. From 25 May 2018, the General Data Protection Regulation (GDPR) will apply. We have previously explained the GDPR and highlighted some of the key issues for Australian businesses and differences with the Australian privacy regime (read further here).
In the lead-up to 25 May, Australian businesses should consider whether the GDPR will apply to their operations. The implications of the GDPR are far-reaching and will affect many Australian businesses, particularly those operating online. Below we have set out some FAQs for businesses likely to be affected by the GDPR.
What is the GDPR?
The GDPR is a regulation for the protection of the personal data of individuals in the EU. It replaces the 1995 Data Protection Directive, which largely predated modern concerns around online privacy. It will apply directly in all 28 member states of the EU without the need for national implementing legislation.
Importantly, it can also apply to businesses outside the EU that process the personal data of individuals in the EU.
Do Australian businesses have to comply with the GDPR?
The GDPR can apply to an entity (including an Australian business) that processes the personal data of individuals in the EU, where that processing relates to offering goods or services to those individuals (whether or not payment is required) or to monitoring their behaviour within the EU, for example by tracking website visitors. The entity does not need to be established (or have operations) in the EU for the GDPR to apply.
Any business with customers or clients in the EU, or that tracks the online activity of EU visitors, should review whether its activities fall within the scope of the GDPR.
What type of businesses will need to comply with the GDPR?
The GDPR regulates the activities of ‘controllers’ and ‘processors’. A controller is an entity that determines the purposes and means of processing personal data, that is, why and how it is collected and used. A processor is an entity that processes personal data on behalf of, and on the instructions of, a controller (for example, collecting and storing personal data, hosting or securing a controller’s personal data, or transferring personal data between organisations).
By way of example, if your business sells products to EU residents and engages a market research agency to track customer satisfaction, your business is likely to be the ‘controller’ and the market research agency the ‘processor’.
How do you comply with the GDPR?
Controllers and processors have different obligations under the GDPR.
Controllers are generally responsible for establishing a lawful basis for processing (consent is one such basis, and where it is relied on the controller must obtain, record and manage it) and for the overall compliance of the processing. They must use only processors that provide sufficient guarantees of GDPR compliance, and must put a written contract in place with each processor; a controller that fails to do so risks penalties itself.
Processors are obliged to comply with a range of obligations in relation to their data processing activities. These include, but are not limited to:
When does my business need to comply?
If the GDPR applies, businesses will need to be able to demonstrate compliance with it from 25 May 2018. There is no transitional period after that date.
What are the penalties for non-compliance with the GDPR?
Breaches of the GDPR by controllers and processors can carry fines up to:
What are the differences with Australian privacy law and principles?
Some of the requirements under the GDPR are similar to those already in place in Australia under the Privacy Act 1988 (Cth), including to:
However, the GDPR imposes more stringent requirements, particularly on obtaining and maintaining consent. Further, some of the new rights of individuals (including the ‘right to be forgotten’ and the right to data portability) do not have equivalents under the Australian privacy regime.
The scope of these differences should not be underestimated. Privacy policies developed for Australia will not, on their own, be sufficient to comply with the GDPR. Many Australian businesses will need to update their personal data handling practices and processes to ensure compliance.
Australian businesses should assess whether their operations may bring them within the scope of the GDPR and be aware of the issues this may present. The obligations imposed by the GDPR are likely to have considerable legal and administrative implications for Australian businesses with any kind of cross-border presence in the EU. We can assist you with determining the legal implications of the GDPR for your business.
Dan Pearce, Partner
T: +61 3 9321 9840
Lyn Nicholson, General Counsel
T: +61 2 8083 0463
Trent Taylor, Partner
T: +61 7 3135 0668
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this publication is accurate at the date it is received or that it will continue to be accurate in the future. We are not responsible for the information of any source to which a link is provided or reference is made and exclude all liability in connection with use of these sources.