By Adam Kiolle
All of Europe has been talking about it but Australian companies have been largely unaware of it: the ever-nearing entry into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018. The GDPR is a new European Union-wide law aimed at protecting individuals' rights in relation to the processing of their personal data that will impose extra obligations on most businesses that deal with people's personal information. While Australia may sometimes feel a long way from the EU, Australian businesses should be aware that even Australian companies are not beyond the GDPR's reach. This article outlines the top 6 things that Australian companies should be aware of in relation to GDPR compliance.
The GDPR can apply to Australian businesses
Companies based outside the EU - even as far away as Australia - can also fall within the scope of the GDPR. This will be the case if the Australian company offers goods or services to individuals residing in the EU. For example, if your company regularly ships goods to customers in the Netherlands or anywhere else in the EU (e.g. through a webshop), there is a good chance that you will be processing personal data in a manner that will bring your company within the scope of the GDPR. The same will apply to Australian businesses supplying services (e.g. professional services or cloud-based solutions) to individuals based in the EU. The fact that your business does not have any physical presence in the European Union is irrelevant.
A second category of non-EU businesses to which the GDPR applies are companies that "monitor the behaviour" of people within the EU. This category is aimed primarily at social networks based outside of the EU that allow users inside the EU to make use of their services, however it is likely to apply more broadly to many other types of business, in particular app and software developers whose software gathers user data and is available to users in the EU.
Even Australian businesses processing data on behalf of EU business customers should beware. The GDPR's regime of joint and several liability means that individuals whose data has been compromised as a result of an unauthorised disclosure or breach can choose to take recourse directly against the EU business or the Australian data processor.
The GDPR's extraterritorial reach will mean that many Australian businesses - even those without a physical presence in Europe - may find themselves subject to its requirements without being aware of it.
Unlike Australian privacy laws, the GDPR can apply to businesses of all sizes
Australian privacy law is considerably more lenient than the existing EU data protection regulations. A large number of businesses are exempt from the key Australian data protection law, the Privacy Act 1988 (Cth), and the Australian Privacy Principles provided for in the Act, which only apply to businesses with a turnover of more than $3 million. By contrast, the new GDPR (and the EU data protection directive that went before it) can apply to businesses of any size where they process personal data by "automated means" or in an organised fashion, with only a few exceptions.
This means that it is possible that some Australian businesses may be subject to the GDPR even if they are not subject to the equivalent Australian legislation.
The GDPR is stricter than Australian privacy laws
The definition of "personal data" under the GDPR is somewhat broader than the definition of "personal information" under the Australian Privacy Act 1988 (Cth) and the levels of protection provided for under the GDPR go much further than those under Australian regulations.
Particularly high levels of protection apply to certain special categories of sensitive data (such as biometric information or data related to things such as a person's health, ethnicity or religious affiliation).
This means that even if your company is already compliant with the Australian privacy regulatory regime, it is possible that you may still need to make some changes to make your company GDPR compliant.
The penalties for non-compliance with the GDPR are hefty
The GDPR provides for massive penalties for non-compliance, with maximum fines of the higher of EUR 20 million (approx. AUD 30 million) or 4% of worldwide annual revenue applicable for certain breaches. Compared to this, the maximum penalty under the Australian Privacy Act 1988 (Cth) of AUD 420,000 for serious or repeated interferences with privacy pales into insignificance.
It is expected that these penalties will not be handed out lightly and that regulators are likely to be relatively lenient in the early stages of implementation of the new regulations (this is certainly the position that has been expressed in relation to the Dutch regulator, the Autoriteit Persoonsgegevens). There are also some questions around how likely it is that European regulators will, at least initially, be proactively investigating non-EU entities. Nevertheless, the existence of penalties of this magnitude should give any business falling under the GDPR (including Australian companies) pause for thought.
Compliance does not have to be a huge burden
There are a number of simple steps that Australian companies can take to GDPR-proof themselves. Often, all that will be necessary is a slight adjustment of existing measures and documentation such as company privacy statements.
As a first step, Australian companies dealing with customers in the EU should find out whether their activities expose them to the GDPR. If it appears that they do fall within the scope of the GDPR, they should undertake a review of their privacy statements, data processing agreements and organisational and security measures to identify any concrete measures that need to be taken to ensure that they are GDPR-proof, ideally before its entry into force on 25 May 2018, or otherwise as soon as possible.
GDPR-compliance can be an asset
Finally, it is important to note that while the GDPR does present certain regulatory and compliance burdens, it can also offer companies opportunities.
GDPR-compliance as a selling point: GDPR-compliance can be an asset for some companies, especially businesses dealing with personal information as a key part of their business model who can spruik their GDPR-compliance as a kind of seal of approval that is good for their reputation and adds value to their proposition.
Reposted with permission; original publication by AB in NL: https://www.australian-business-netherlands.info/single-post/2018/05/01/Australian-companies-and-the-EU-General-Data-Protection-Regulation-GDPR