The EU General Data Protection Regulation (the GDPR) came into effect on 25 May 2018 and imposes additional compliance obligations on some Australian organisations.
While the GDPR and the Australian Privacy Act 1988 (the Privacy Act) share a number of common features, the GDPR contains heightened compliance obligations, enhanced consumer rights and significantly higher penalty provisions. It is important that organisations quickly identify whether they are subject to the GDPR, and if potential exposure exists, review and develop policies and procedures to facilitate compliance.
This article provides an overview of the key compliance obligations arising from the GDPR. The article does not constitute detailed legal advice, and where companies are concerned by the GDPR, specialist assistance from a law firm should be sought.
When do organisations fall under the GDPR?
The GDPR applies to:
- Businesses established in the EU;
- Businesses based outside the EU that monitor, or offer goods and services to individuals in the EU;
- Personal data processes in places where EU Member State law applies by virtue of public international law.
The GPDR is not Australian law and its potential application turns on aspects of Australian and international law, the facts and circumstances of a specific organisation, as well as developing market forces.
Australian organisations likely to be impacted by the GDPR include businesses that are registered as foreign entities within the EU, have an office in the EU, provide online and electronic services which target EU customers or are responsible for websites that contain personal data of EU citizens. Australian businesses that rely upon third parties that process or control data within the EU will also be impacted by the GDPR.
Unlike Australia's Privacy Act, which does not apply to some organisations whose annual turnover is less than $3,000,000, the GDPR applies to the data processing activities of all businesses regardless of their size, where the data processors or controllers fall within the GDPR’s territorial scope.
Does compliance with the Australian Privacy Act satisfy GDPR obligations?
Compliance with the Privacy Act will not necessarily result in compliance with the GDPR. The GDPR creates new obligations on Australian businesses including:
- Enhanced individual rights including the right to access personal data free of charge in an electronic format, the right to erasure (a right to have personal data erased in certain circumstances), and the right to data portability (a right to receive personal data in a structured and commonly used electronic form that can also be transferred to another controller);
- Expanded accountability and governance requirements that are required to demonstrate that processing of personal data is performed in accordance the GDPR;
- Consent to the processing of personal data must be given freely, be specific and informed. An unambiguous indication of the data subject's wishes is required and that agreement must be provided by a statement or by clear affirmative action; and
- Mandatory notification to the supervisory authority within 72 hours where a data breach is likely to result in a risk to the rights and freedoms of natural persons.
While these expanded rights and obligations do not currently exist under the Australian Privacy Act, the GDRP is also influencing the development of privacy laws within the Asia Pacific region including in Japan, Hong Kong, and Philippines. Over time the GDPR is also likely to influence amendments to Australia’s Privacy Act.
Mandatory notification and the GDPR
The Mandatory Notifiable Data Breach Regime under the Privacy Act came into effect on 22 February 2018 and imposes obligations on organisations in relation to how they investigate and manage suspected data breaches.
Australian data breaches that are notifiable under the Privacy Act may also trigger an organisation's GDPR obligations. The trigger for notification under the Australian Privacy Act is a "likely risk of serious harm to affected individuals". This is a different threshold to the trigger under the GDPR which requires notification to the relevant supervisory authority within 72 hours where there is a "risk" to the rights and freedoms of natural persons, and notification to individuals where there is a "high risk". The threshold for notifying individuals is therefore higher than the threshold for notifying the supervisory authority. As a result even if an Australian organisation determines it is not necessary to notify under the Privacy Act it may still be required to notify the relevant supervisory body or affected individuals under the GDPR.
What should Australian organisations do to prepare for the GDPR?
Over time, the need for GDPR compliance will become increasingly important to many Australian organisations. Where organisations are concerned about the GDPR they should:
- Review and identify the data they hold or control to ensure they understand what data they hold, why the data is needed, what the data is being used for, who has access to the data and for how long the data is needed;
- Incorporate key components of the GDPR into their existing risk registers, data protection procedures and policies;
- Update their incident response plans to ensure investigation and notification obligations comply with the GDPR; and
- Review existing contractual arrangements with third parties that process or control data within the EU and manage any relevant counter-party risk.
Once an organisation has a clear understanding of these issues, actions can be taken to manage both Privacy Act and GDPR compliance.
If you have any queries regarding this article please contact Ben Di Marco ( ben.dimarco@clydeco.com), Matthew Pokarier (matthew.pokarier@clydeco.com) or Stefanie Luhrs (stefanie.luhrs@clydeco.com) of Clyde & Co.
Clyde & Co is a international law firm whose multi-disciplinary data security and privacy team specialise in incident response, pre-breach advisory work, privacy compliance, cyber insurance, and dispute resolution.