A new General Data Protection Regulation (GDPR) has commenced in the EU.
GDPR may affect Australian business if they are established in the EU, offer goods or services in the EU, or monitor the behaviour of individuals in the EU.
Multiple changes including increased accountability and governance for business; giving individuals rights; tighter rules for Data Breach Notifications; and greater sanctions.
You won’t be alone in thinking your inbox is being filled with extra notifications from businesses about changes to their Privacy Policies. You might be thinking that legal teams must have some spare time on their hands coming up to financial year end, but the reality is, that something big has happened in the world of privacy. This may be being a little dramatic, but the in truth, if your business is not over these privacy changes, you might need to ask yourself, should we be?
A new General Data Protection Regulation (GDPR) which contains new data protection requirements for the European Union (EU) became effective on 25 May 2018.
As an Australian business, the GDPR may not apply to you, but if your business has an establishment in the EU, or if it offers goods and services in the EU, or if it monitors the behaviour of individuals in the EU, then regardless of your businesses size, the GDPR applies.
There are many changes, but some of the ones you should be familiar with are:
- Accountability and Governance – businesses must appoint data protection officers and their contact details must be communicated to the relevant Member State supervisory authority (in Australia this is the OAIC). This differs to the Privacy Act 1998 (Cth) as even though businesses are expected to appoint key roles and responsibilities for privacy management, they do not need to keep the Privacy Commissioner up to date about who is in those roles.
- Data Breach Notifications – as a result of recent changes, the Privacy Act requires mandatory reporting for data breaches that are likely to result in the real risk of serious harm for individuals as soon as practicable. GDPR goes further, requiring mandatory data breach notifications for all data breaches within 72 hours of becoming aware of the breach.
- Individual Rights – GDPR contains expanded rights for individuals, including the right to have a data controller delete data in certain circumstances or to withdraw consent. Under the Privacy Act there are no equivalent rights.
- Sanctions – GDPR gives supervisory authorities the power to impose fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher). This is significantly higher than the Privacy Act.
Check out www.oaic.gov.au for resources that will assist your business check its compliance with GDPR or to help with steps to comply. Hicksons can also assist you to ensure that your business is compliant with these obligations.
Post by John Kell and Joanne Gream