
Why Should Australian Businesses Know About The GDPR?

June 23, 2021   Izaak Haupt, Philip Evangelou

The European Union’s General Data Protection Regulation (GDPR) came into force in May 2018. It regulates the personal data of EU citizens. It is important to understand that the GDPR does not only apply to EU businesses, but to any business obtaining data from anyone resident in the European Union. With the rise of Australian online businesses and services, the GDPR is something to be mindful of when interacting with businesses from the EU.

How Are Terms Defined By The GDPR?

  • Processing refers to any use of personal data, from collecting it to destroying it.
  • Personal data is any data that identifies a living person, whether directly or indirectly. Data that directly identifies an individual includes a name or email address. Data that indirectly identifies an individual is data from which someone can be identified by cross-referencing multiple data sources.
  • Sensitive personal data is a more strictly protected category, including race and health status.
  • A controller is whoever determines how the personal data is used.
  • A processor handles the personal data on behalf of the controller.
  • A data subject is anyone in the EU whose personal data has been obtained and processed.

Who Needs A GDPR Privacy Policy?

Australian businesses must determine whether they need to be GDPR compliant. The first circumstance requiring an Australian business to comply with the GDPR is that the business is established in the EU. The second is that the business offers goods and services to EU citizens. Company size does not matter: a business that falls into either of the two circumstances above should comply with the GDPR.

What Businesses Should Follow The GDPR?

The three most common examples are Australian businesses with offices in the EU, Australian businesses that target EU consumers, and Australian businesses whose website targets EU customers or users.

How Can Businesses Comply With The GDPR?

There are seven principles a business should be aware of:

  1. Lawfulness
  2. Purpose
  3. Accuracy
  4. Storage
  5. Confidentiality
  6. Accountability
  7. Data minimisation

Where Do The GDPR vs Australian Privacy Principles Differ?

The GDPR and the Australian Privacy Act 1988 have similarities: both require organisations to demonstrate compliance with privacy principles. They differ in the following ways:

  • The notions of processors and controllers, which the GDPR defines, are not included in the Australian Privacy Act.
  • In Australia consent may be implied, but under the GDPR consent must be given through a statement or by clear affirmative action.
  • The rights granted to individuals differ, such as the right to have personal data erased.
  • Under the GDPR, compliance involves more than a privacy policy; a representative may need to be appointed in the EU to handle any questions or concerns an individual may have.
  • The GDPR imposes a shorter timeframe for reporting data breaches, and its reporting requirements are far more burdensome.
  • The Privacy Act does not cover small businesses, but the GDPR covers all types of businesses and organisations.

What Are The Penalties For Non Compliance With The GDPR?

The two tiers of penalties include:

  • For infringements of an organisation’s obligations: up to 10 million euros or 2% of global turnover.
  • For infringements of an individual’s privacy rights: up to 20 million euros or 4% of annual turnover.

What Effect Does Brexit Have On The GDPR?

There is a transition period during which the GDPR still applies to the United Kingdom. After this period, the GDPR will no longer automatically apply to UK businesses. Many of the GDPR’s articles are being carried over into UK law as the UK GDPR. Of note, the UK GDPR will cover the protection of personal data of UK individuals only.

Key Takeaways

Compliance with the GDPR is far more complex than simply having a GDPR privacy policy. The GDPR does not only apply to EU businesses, but to any business obtaining data from anyone resident in the European Union. Seeking legal advice is important for understanding the GDPR and whether your business is compliant with it.

About Izaak Haupt

Izaak is a paralegal while he completes his Bachelor of Laws and Bachelor of Business at UTS.

About Philip Evangelou

Phil is a director at OpenLegal. He has over 16 years’ experience working in private practice and as in-house counsel in Sydney and London, giving him expertise in employment law, IP, finance, leases, dispute resolution, insurance and contracts.