What is the GDPR and does it affect my organisation?

The European Union General Data Protection Regulation (GDPR) came into effect on 25 May 2018.

Although the GDPR came into force on the other side of the world, its effects are far reaching and Australian businesses cannot ignore it.

Many Australian businesses have carried out reviews of their privacy policies and notifiable data breach procedures following the amendments to the Privacy Act¹ which came into force earlier this year.

Businesses affected by the GDPR will need to ensure that its stringent requirements are complied with, or risk the consequences.

What Australian businesses does the GDPR apply to?

In contrast to the Australian privacy legislation, the GDPR applies to all Australian businesses, irrespective of size, in certain circumstances:

The GDPR applies to:

• the processing of personal data of a business within the EU, even if the processing takes place outside the EU.
• the processing of personal data of subject who are in the union by a controller or processor not established in the EU, where the processing activities are related to:
  • the offering of goods or services; or
  • the monitoring of the EU behaviour of persons within the EU.²

Accordingly, the GDPR applies to Australian businesses:

• with an office in the EU, irrespective of whether or not data is processed there;
• who has customers within the EU who subscribe to its website;
• that holds personal data of persons within the EU; and
• that has persons within the EU on its payroll. (Unlike the Australian privacy legislation, payroll information is not exempt).

Whose information is subject to the GDPR?

Data controller and data processor

What is the intent of the GDPR?

• The concept of ‘consent’.  The GDPR requires that the consent of an individual to collection of his or her data is freely given.  Consent of the individual is required and it must be ‘freely given, specific, informed, and unambiguous’.⁸  Accordingly, it is no longer sufficient for a business subject to the GDPR to have a tick box where an individual consents to their personal data being used for ‘marketing’.  The GDPR makes specific reference to the collection of data in relation to contractual arrangements and it appears that particular attention will be given to data collected from an individual which was not necessary for the performance of the contract.⁹  If asked, a business will be required to prove that it has consent to use personal data with particular consideration given to lapsed and inactive customers.
• The restriction on the collection of certain data, such as data relating to the racial or ethnic origin, political opinions, or religious beliefs of an individual are prohibited (subject to certain exceptions).¹⁰
• Once data is collected, the controller must provide information regarding the data collected to the data subject, including, but not limited to, the identity and contact details of the controller;
• A right to “data portability” which is a right to receive personal data an individual has provided to a data controller and to submit that to another data controller.¹¹
• A right to restriction of processing - an individual can now have a temporary restriction placed on the processing of his or her data if they have concerns about the accuracy of the information to enable the controller to verify the accuracy of the personal data.¹²
• A right to be erased or ‘forgotten’¹³ - individuals now have a right to require data controllers to delete their data in certain circumstances, including, but not limited to the information no longer being necessary for the purpose for which it was collected, or the individual withdrawing his or her consent to the data being held.¹⁴
• Overseas transfers of personal data are also affected.  Consideration will now be given to whether a particular country or international organisation ensures an adequate level of protection.¹⁵

Penalties for non compliance

What should your business do now?