The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.
Who does it apply to?
The GDPR applies to all companies processing the personal data of persons residing in the EU, regardless of the company’s location.
Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
Australian businesses that may be covered by the GDPR include, for example, an Australian business whose website targets EU customers by enabling them to order goods or services in a European language (other than English) or by enabling payment in euros.
An organisation is considered a ‘data controller’ if it possesses, and is responsible for, the data that it manages. This might include companies, government departments, general practitioners or sole traders.
Where an organisation is in possession of the data, but another entity is responsible for it, the organisation is considered a ‘data processor’.
What does it apply to?
The GDPR applies to ‘personal data’. This means ‘any information relating to an identified or identifiable natural person’.
How is the GDPR different from the Australian Privacy Act?
While the GDPR and the Australian Privacy Act 1988 have much in common, the GDPR contains obligations which do not have equivalents under the Privacy Act.
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers and the controllers, “without undue delay” after first becoming aware of a data breach.
Part of the expanded rights of individuals under the GDPR is their right to be forgotten (also known as Data Erasure). It entitles the individual to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
What are the penalties for non-compliance?
The GDPR gives supervisory authorities the power to impose administrative fines for contraventions by controllers or processors, with fines of up to €20 million or 4 per cent of annual worldwide turnover (whichever is higher).
What you need to do