By Demetrio Zema, Founder & Director
In April 2016, the European Union (EU) introduced the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and the GDPR is set to take effect from 25 May 2018. This is the biggest change to happen in the regulatory framework of privacy to date and the GDPR effectively ushers in a new era of a strict rules concerning privacy and data security with severe penalties for non-compliance.
Although the intended effect of the GDPR is to harmonise data protection laws across the EU and to replace the existing national data protection rules, due to the borderless nature of global commerce, Australian businesses in the e-commerce space should be particularly mindful that the GDPR may apply to their collection and use of personal information of customers in the EU.
Similar to the Australian Privacy Act, the GDPR requires businesses to implement measures that ensure compliance with a set of privacy principles, and in certain circumstances, data breach notifications and privacy impact assessments are mandated.
Does the GDPR affect your business?
The GDPR will apply to your business if it:
has an establishment in the EU;
- offers goods and/or services in the EU (irrespective of whether payment is required); and/or
- collects personal data of EU citizens (regardless of where the data is actually processed).
There are GDPR exceptions that apply to small businesses with fewer than 250 employees, but these exceptions merely cover the extent to which records must be maintained.
Australian businesses which are already subject to Australian privacy laws will be expected to simultaneously comply with the GDPR if they fall within one of the above categories.
Key GDPR obligations
The GDPR is a sprawling document, but we have highlighted some key obligations for your business to be aware of if the GDPR is applicable.
Local representation and appointment of data protection officers
Businesses covered by the GDPR which are not established in the EU will need to appoint a local representative based in a EU member state (although some exceptions will apply). This is so that there is a point of contact for supervisory authorities and individuals in the EU for any issues related to data processing and GDPR compliance.
Businesses that carry out large-scale monitoring of individual behaviour will need to specifically appoint a Data Protection Officer (DPO), who needs to be a person with expert knowledge of data protection law and practices. The DPO should be responsible for monitoring the business’ ongoing compliance with the GDPR, including raising awareness of the GDPR and training staff, and ensuring auditing requirements are met.
“Profiling” is defined in the GDPR as the automated processing of personal information to evaluate personal aspects of an individual, which includes work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Upon request, a business must provide an individual with information about profiling, including “meaningful information about the logic involved” and the consequences for the individual.
One of the biggest changes introduced by the GDPR morphs the concept of consent.
Under the GDPR, consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Consent was also previously only required to be given once and covered all uses. Under the GDPR’s consent requirements, consent needs to be separately permitted for use of personal data for different things. Businesses must also record when consent was given.
Consent can be withdrawn upon an individual’s request (known as the “right to erasure”), and the business must cease processing the individual’s personal information unless it can demonstrate legitimate grounds for processing the personal information.
Data governance obligations
The GDPR contains specific provisions that promote security and privacy as a design principle.
Businesses will need to take technical and organisational measures to demonstrate that their data processing is compliant with the concept of privacy by design. In practice, this means things like having procedures in place to detect, analyse, and report data breaches. The GDPR makes specific mention of data encryption and pseudonymisation (the process of separating personally-identifiable information from other data attributes to prevent security risks) as a means of achieving these design goals.
The GDPR introduces the right to “data portability”, which entitles an individual to request from a business all personal information concerning them in a structured, commonly-used and machine-readable format. The individual can also request that the business transfer that information directly to another entity.
As part of the transfer process, businesses are obliged to provide extensive supporting material within a month of the request, including the categories of data that they are handling, along with the reasons for processing the data.
Consequences of non-compliance
Penalties for non-compliance are severe:
- for lower severity obligations, the maximum penalty is €10 million or 2% of annual worldwide turnover for the preceding financial year, whichever is greater; and
- for higher severity obligations, the maximum penalty is €20 million or 4% of annual worldwide turnover for the preceding financial year, whichever is greater.
Get GDPR ready
- Audit your business’ privacy and information management practices in order to assess whether it is necessary to modify and align them with GDPR requirements.
- Establish how and where your business’ data is collected, stored and transferred. For example, consider all your business’ data flow arrangements with affiliate entities, and any marketing campaigns which may reach individuals in the EU.
- Appoint a designated privacy officer as a primary point of contact for privacy matters.
- Provide annual training to staff who have access to personal information.
- Ensure that processes are in place to extract and transfer personal information when necessary.
The Office of the Australian Information Commissioner has also published guidance to assist Australian businesses with understanding its GDPR obligations: https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation.
If your business falls under one the categories to which the GDPR will now apply, feel free to contact the Law Squared team and we can help you become GPDR ready!
At Law Squared, we partner with passionate entrepreneurs and businesses who need our technical help and expertise. We’d love to have a chat with you, so feel free to drop us an email firstname.lastname@example.org.
Stay in the know
Sign up with your email address to receive news and updates.
SEARCHING FOR SOMETHING?
- Brand Protection
- Business Coaching
- Business Development
- Business Formation
- Business Insurance
- Business Legal Strategy
- Business Strategy
- Civil Procedure
- Consumer Law
- Dispute Resolution
- Effective Client Relationships
- Generating Product Value
- Intellectual Property
- Law Firm Strategy
- Legal Tips
- Managing Business Finance
- New Gen
- Risk Management
- Start Ups
Thoughtful, insightful and meaningful discussion at last nights Mental Health and Entrepreneurship Panel thanks to… https://t.co/9BEfHFgOk2