We’ve already spoken about what the implementation of the new General Data Protection Regulation (GDPR) means for our clients in the UK, so today we will turn our attention to its impact on Australian businesses.
“Privacy Acts” are data protection laws which regulate the collection, use and disclosure of personal information about individuals.
These acts promote transparent data handling practices and business accountability.
To give individuals confidence, the Government enforces the Australian Privacy Act of 1988, which requires businesses to:
- Implement a ‘privacy by design’ approach to compliance
- Demonstrate compliance with privacy principles and obligations
- Adopt transparent information handling practices
GDPR is another layer of protection which you have to be aware of if your business operates in the EU.
Will GDPR apply to your business?
You should prepare for GDPR, if your business:
- Has an office in the EU
- Has a website targeting EU customers
- Has a website mentioning customers or users in the EU
- Tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
If needed, seek specialist legal advice to ensure you are prepared.
So what information applies?
The GDPR applies to ‘personal data’, meaning ‘any information relating to an identified or identifiable natural person’. This can include data about your race, religion, beliefs, union memberships, sexual orientation etc.
Are you a Data Controller and what are the implications?
Your business is classed as a ‘data controller’ if you determine the purposes and means of processing personal information. If you use email marketing software to communicate a product or service to a database, you are a data controller. If this sounds like you, refer to the Act and its related articles, as outlined below.
Data controllers should:
- Comply with GDPR Principles relating to how you process personal data (Article 5)
- Implement data protection policies to ensure you comply with the GDPR (Article 24)
- Implement technical and organisational measures to show you have integrated data protection by design and by default (Article 25)
- Consider if you require a data protection officer to monitor and advise on compliance with the GDPR
- Undertake a compulsory data protection impact assessment (DPIA) prior to processing data
- Keep records of the processing activities under your responsibility
Are you a Data Processor and what are the implications?
Some GDPR requirements apply directly to data processors. Whilst these are less stringent than those for data controllers, processors must still understand their responsibilities.
The relationship between controller and processor generally needs to be set out in a contract, which includes specific clauses such as:
- The processor may only process data in accordance with documented instructions from the controller (Article 28)
- The processor must ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- The processor cannot engage another processor without the authorisation of the data controller (Article 28)
- The processor assists the controller in meeting its responsibilities in terms of security obligations, data protection impact assessments and data breach notifications.
Like data controllers, the processor must also implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32).
Mandatory data breach notification
As a rule, data controllers and processors must advise the relevant supervisory authority of a data breach within 72 hours.
Refer to Articles 33 and 34 of the act for exceptions to this notification requirement.
Overseas transfers of personal data
Under GDPR, personal data may be transferred outside the EU to countries or international organisations that provide an adequate level of data protection.
GDPR sets out the details the EU Commission needs to consider when deciding whether these third parties ensure an adequate level of protection (Article 45).
The European Data Protection Board is required to provide the Commission with an opinion assessing the adequacy of a country or organisation’s level of data protection (Article 70(1)(s)).
In the absence of an adequacy decision, overseas transfers are permitted in some limited circumstances, on the condition that individuals’ enforceable rights and effective remedies are available and appropriate safeguards are in place. These safeguards include:
- The data controller has approved ‘binding corporate rules’ that enable transfers within a corporate group
- The data controller has entered into an agreement that contains the ‘standard data protection clauses’ adopted by the EU Commission or a data protection authority
- Approved codes of conduct are in place and the recipient controller or processor gives binding and enforceable commitment to apply appropriate safeguards
- An approved certification has been made by an accredited body and the recipient controller or processor gives binding and enforceable commitment to apply appropriate safeguards (Article 46).
- In the absence of an adequacy decision or appropriate safeguard, overseas transfers are permitted in very specific situations.
The new sanctions are severe.
GDPR gives supervisory authorities the power to impose administrative fines of up to €20 million or 4 percent of annual worldwide turnover. They’ll go with whichever figure is higher, so you need to be vigilant.
This article provides a commentary on GDPR for informational purposes only and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.
Not all aspects and interpretations of GDPR are fully defined yet. Therefore we encourage you to work with a legal professional to discuss how GDPR will specifically apply to your organisation, and how best to ensure your compliance.