In May 2018, a new privacy regulation regime commenced in Europe. Its application is extensive and may extend to Australian businesses with a presence in, or connection to, the EU. Many Australian organisations are currently being asked to sign new data sharing agreements with European companies.
The European Union General Data Protection Regulation (GDPR) is an important regime that will harmonise data privacy laws across Europe.
Four years in the making, it was finally endorsed by the EU Parliament on 14 April 2016 and will commence on 25 May 2018. It is a set of rules and regulations on data protection and privacy for all individuals within the European Union.
Who will the GDPR apply to?
Compared to the Data Protection Directive 95/46/EC which it replaces, the GDPR has an increased territorial scope. It applies to all companies processing personal information from individuals residing in the EU, regardless of where the company is located. Therefore, the GDPR will apply to Australian organisations that:
- Have an establishment in the EU (e.g. an office or factory in the EU);
- Offer goods and services in the EU (e.g. a website that allows EU customers to order goods or services, or that mentions customers or users in the EU);
- Monitor the behaviour of individuals in the EU (e.g. an organisation that tracks the activity of individuals in the EU).
What information does the GDPR apply to?
The GDPR only applies to personal data. Under Article 4, “personal data” has been defined as any information relating to an identified or identifiable natural person. There are ‘special categories’ of personal data which are offered additional protection and this includes personal data revealing racial or ethnic origin, political opinions, trade union membership or religious or philosophical beliefs. Health information, genetic data, biometric data or information concerning an individual’s sex life or sexual orientation are also ‘special categories’ of information (Article 9).
Overlap with the Privacy Act 1988 (Cth) and additional obligations
The key piece of privacy legislation in Australia is the Privacy Act 1988 (Cth), which contains the Australian Privacy Principles (APPs). There are several overlaps between the APPs and the GDPR, meaning organisations that comply with the APPs are likely to be compliant with several provisions of the GDPR already. For example, APP 1.2 requires APP entities to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. This is similar to the requirement under the GDPR for organisations to implement technical and organisational measures showing that they have considered and integrated data protection into their processing activities.
However, some additional obligations arise under the GDPR. These include requiring organisations to:
- Appoint an EU representative in an EU member state;
- Demonstrate through the implementation of technical and organisational measures that their processing activities comply with the GDPR;
- Appoint data protection officers to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures; and
- Undertake a data protection impact assessment prior to data processing, where a type of processing is likely to result in risk for the rights and freedoms of individuals.
Organisations should also note additional requirements for data processing businesses and for organisations that transfer personal data outside the EU. Additionally, the GDPR has expanded rights for individuals that organisations will need to respect. For example, individuals in the EU have a ‘right to be forgotten’, meaning they can require organisations to delete their data in certain circumstances. Individuals also have a right to data portability, which is the right to request that information they have given to one online service provider be transmitted to another online service provider, and a right to object at any time to the processing of their personal data.
Data breach notification
The GDPR imposes on organisations a mandatory data breach notification regime which requires them to advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach, unless the breach is unlikely to impact the rights and freedoms of individuals. Affected individuals also need to be notified without undue delay. This is likely a higher standard than Australia’s new Notifiable Data Breaches Scheme, which only requires notification of breaches that are likely to result in serious harm to any individuals affected.
How can we help?
The GDPR is a complex regime, and organisations that breach it risk fines of up to €20 million or 4% of annual worldwide turnover. It is imperative that organisations prioritise compliance with the GDPR as its commencement day looms. Moores recommends that each organisation take the following 5 steps to ensure compliance and best practice:
Moores 5 Step Plan to Privacy Compliance
- Assess which scheme or legislation applies to your organisation
- Create a data breach response plan to ensure swift action to mitigate risk, including:
  - Legislative requirements to contact individuals affected
  - Steps for potential remedial actions to prevent serious harm eventuating
  - When data breaches need to be reported and the process for reporting; and
  - Creating templates for notifications and external communication
- Review your service provider agreements and other information sharing arrangements to help you understand the responsibilities and rights of each party
All this information can seem overwhelming and possibly insurmountable, so don’t forget Moores is here to help. Whether it is a simple policy review or the full implementation of your 5 step plan, we are more than happy to discuss your requirements.
If you would like further assistance, please do not hesitate to contact us.