The European Union's General Data Protection Regulation (GDPR) came into force in May 2018. It regulates the personal data of EU citizens. It is important to understand that the GDPR does not apply only to EU businesses, but to any business that obtains data from anyone residing in the European Union. With the rise of Australian online businesses and services, the GDPR is something to be aware of when dealing with customers and businesses from the EU.
How Are Terms Defined By The GDPR?
- Processing refers to the use of personal data ranging from collecting it to destroying it.
- Personal data is any data that identifies a living person, whether directly or indirectly. Data that directly identifies an individual includes a name or email address. Data that indirectly identifies an individual is data from which someone can be identified by cross-referencing multiple data sources.
- Sensitive personal data is a more restricted category, including data on race and health status.
- A controller is the individual who decides how and for what purpose the personal data is used.
- A processor handles the personal data on the controller's behalf.
- A data subject is anyone in the EU whose personal data has been obtained and processed.
Australian businesses must determine whether they need to be GDPR compliant. The first circumstance that requires an Australian business to comply with the GDPR is that the business is established in the EU. The second is that the business offers goods and services to EU citizens. Company size is irrelevant: if the business falls into either of the two circumstances above, it should comply with the GDPR.
What Businesses Should Follow The GDPR?
The three most common examples are Australian businesses that have offices in the EU, Australian businesses that target EU consumers, and Australian businesses whose website targets EU customers or users.
How Can Businesses Comply With The GDPR?
There are seven principles a business should be aware of. These include:
- Data minimisation
Where Do The GDPR vs Australian Privacy Principles Differ?
The GDPR and the Australian Privacy Act 1988 have similarities. Both are built around the concept of demonstrating compliance with privacy principles. Some of the ways they differ include:
- The notions of processors and controllers used in the GDPR are not included in the Australian Privacy Act.
- In Australia consent can be implied, but under the GDPR consent must be given through a statement or by clear affirmative action.
- The rights granted differ, such as the right to erasure of personal data.
- There is a shorter timeframe to report data breaches under the GDPR, and its breach-reporting requirements are far more burdensome.
- The Privacy Act does not cover small businesses, but the GDPR covers all types of businesses and organisations.
What Are The Penalties For Non-Compliance With The GDPR?
The two tiers of penalties are:
- For infringements of an organisation's obligations: up to 10 million euros or 2% of global turnover.
- For infringements of an individual's privacy rights: up to 20 million euros or 4% of annual turnover.
What Effect Does Brexit Have On The GDPR?
There is a transition period during which the GDPR still applies to the United Kingdom. After this period, the GDPR will no longer automatically apply to UK businesses. Several GDPR articles are being translated into UK law as the UK GDPR. Of note, the UK GDPR will apply only to the protection of the personal data of UK individuals.