As of 25 May 2018, the European Union General Data Protection Regulation (GDPR) will implement a new extra-territorial data protection regime, which will impact Australian entities that handle personal data of EU residents.
Thankfully, some of the provisions of the GDPR mirror those of the Australian Privacy Act 1988, with which Australian entities are hopefully already familiar. However, there are numerous substantive differences and unique requirements that go beyond the Australian position.
It is therefore important for organisations with operations in the EU to determine whether or not the GDPR applies to them and to ensure their personal data handling practices are brought into compliance before next year’s deadline.
Does my business need to comply with the new EU regulations?
You will need to comply with the GDPR requirements if your business or organisation:
1. has an ‘establishment’ within the EU (an effective and real exercise of activity through stable arrangements), whether or not personal information is actually processed in the EU;
2. is outside the EU but conducts data processing or controlling activities and offers goods or services to individuals within the European Union whether or not payment is required; or
3. is outside the EU but conducts data processing or controlling activities and monitors behaviours of individuals within the European Union, whether or not such behaviour occurs in the EU.
This will most likely encompass Australian entities that have EU clients, have local operations in the EU or otherwise hold personal information on EU residents.
What key changes will the GDPR implement?
• Data controllers will have weightier accountability and governance obligations.
• Personal data may only be processed with an individual’s consent, which must be freely given, specific, informed and unambiguous.
• If a data breach occurs, relevant authorities and the individuals concerned must be notified without delay (if possible within 72 hours).
• Rights of individuals will be broadened to include the right of erasure, the right to data portability and the right to object to the processing of personal data.
• Entities that outsource their data processing to a third party will be required to document their relationship with that third party in a contract containing certain specific clauses.
• Transfer of personal data to countries outside the EU will be limited to those which the EU Commission approves as adequately safe.
What should I do next about GDPR?
Substantial sanctions for breaches of the regulations apply. Organisations with operations or clients in the EU should therefore analyse the extent to which they hold personal data of EU residents, determine whether they fall within the definition of ‘data controller’ or ‘data processor’ under the GDPR, and establish the scope of their responsibilities under the GDPR. They should also seek professional advice on how to bring their data protection policies and practices into accord with both the Australian and EU requirements.
You may like to complete our FREE GDPR Readiness Questionnaire so that we can help you assess where you stand with GDPR and the work required. Our initial assessment and response is free of charge.
Compliance Quarter provides a range of innovative services to help clients navigate GDPR.