What does the GDPR mean for your business?

Firstly… GDPR? What is this?!

The GDPR is the European Union General Data Protection Regulation that contains new data protection requirements. The GDPR applies to businesses as of 25 May 2018. Australian businesses are responsible for ensure data handling practices comply with the GDPR before commencement.

Does it apply to my business?

If you are an Australian business with customers in the EU or you operate there, you are responsible for checking if the GDPR applies to you. The GDPR will only apply to your business if your business:

  • Has an ‘establishment’ in the EU such as an office, or effective and real exercise of activity though stable arrangements – even if this is done through a branch or subsidiary;
  • Offers goods and services to individuals in the EU; or
  • If your business monitors the behaviour of individuals in the EU.

My business is tiny and we process all data outside of the EU – is my business an exception?

No – the GDPR will apply no matter how small or large your business is, and regardless of whether data is processed in EU or not.

If you are a data controller or processor and the GDPR does apply to you, but you are not established in the EU, you will need to appoint a representative in a member state as a point of contact between the EU supervisory authorities and your business.

What information does the GDPR apply to?

  • The GDPR covers ‘personal data’ being any information relating to an identified or identifiable natural person;
  • There are additional protections that apply to processing of ‘special categories’ of personal data – data revealing racial or ethnic origin, political options, religious or philosophical beliefs, trade union membership, genetic and biometric data, health or sexual orientation.

My business does need to comply with the GDPR, but already complies with the Australian Privacy Act 1988. Do I need to take further measures to cooperate with the GDPR?

Yes – although the GDPR and Australian Privacy Act have much in common, the GDPR confers wider individual privacy rights to individuals including the right to be forgotten. It also requires businesses meet higher standards in terms of information processing, privacy policies, consent, and data breach notification.

  • Your business should be organised both internally and technically to satisfy the ‘data protection by design and default’ requirement
  • Your business may need to appoint a ‘data protection officer’ – a ‘privacy champion’ and business advisory regarding the responsible and innovative use of personal data. (The GDPR only requires one be appointed for organisations that process or collect EU citizens’ personal data);
  • There are further obligations on businesses to ensure individual consent to processing of personal data under the GDPR – consent must be given explicitly and specifically, and withdrawal of consent must be as easy for the individual as giving the consent;
  • Your business may only use data processors that provide sufficient data protection guarantees, and the contract between your business and the data processor must include certain protective clauses.

How should my business deal with data breaches if they occur?

  • The data controller must advise relevant supervisory authority of data breach with in 72 hours.
  • If the breach is likely to result in high risk to rights and freedoms of an individual the controller must notify that individual without undue delay.

What does the GDPR require in terms of privacy notices?

Your businesses privacy notice must give individuals range of prescribed information about processing of personal data, and must be concise, transparent intelligible and easily accessible, clear and plain language.

Does your business transfer data overseas?

Under the GDBR, data can only be transferred outside EU to countries or international organisations that provide an adequate level of data protection; or if certain safeguards are in place; or if there is individual consent with notification of risks.

What happens if my business infringes the GDPR?

Fines for contraventions by controllers or processors may be up to 20 million Euros or 4% of the business’ annual turnover – whichever is higher. So it is quite important that you ensure your business is not accidentally infringing processing principles, individual rights or transfer requirements.

If you would like to speak to someone about whether your business needs to comply with the GDPR, and what changes you need to make in order to properly comply, Sinclair + May would love to help.

This is general advice only. Liability limited by a scheme approved under Professional Standards Legislation. 

Published May 22, 2018

Go back