Why is my inbox filled with Privacy Policy updates?

Key Points 
  • A new General Data Protection Regulation (GDPR) has commenced in the EU.
  • GDPR may affect Australian businesses if they are established in the EU, offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU.
  • Multiple changes including increased accountability and governance for business; giving individuals rights; tighter rules for Data Breach Notifications; and greater sanctions.

You won’t be alone in thinking your inbox is being filled with extra notifications from businesses about changes to their Privacy Policies.  You might be thinking that legal teams have some spare time on their hands coming up to financial year end, but the reality is that something big has happened in the world of privacy.  That may sound a little dramatic, but in truth, if your business is not across these privacy changes, you might need to ask yourself whether it should be.

A new General Data Protection Regulation (GDPR) which contains new data protection requirements for the European Union (EU) became effective on 25 May 2018. 

As an Australian business, the GDPR may not apply to you, but if your business has an establishment in the EU, or if it offers goods or services to individuals in the EU (whether or not payment is required), or if it monitors the behaviour of individuals in the EU, then regardless of your business’s size, the GDPR applies.

There are many changes, but some of the ones you should be familiar with are:

  • Accountability and Governance – businesses must appoint a data protection officer in certain circumstances (for example, where their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data), and the officer’s contact details must be published and communicated to the relevant EU Member State supervisory authority.  This differs from the Privacy Act 1988 (Cth): even though businesses are expected to assign key roles and responsibilities for privacy management, they do not need to keep the Privacy Commissioner (the OAIC) up to date about who is in those roles.
  • Data Breach Notifications – as a result of the recent Notifiable Data Breaches amendments, the Privacy Act requires notification to the OAIC and affected individuals, as soon as practicable, of data breaches that are likely to result in serious harm to individuals.  GDPR goes further, requiring notification to the supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals, and notification to the affected individuals without undue delay where the risk is high.
  • Individual Rights – GDPR contains expanded rights for individuals, including the right to have a data controller erase their data in certain circumstances (the “right to be forgotten”) and the right to withdraw consent at any time.  The Privacy Act gives individuals rights of access and correction, but no equivalent right to erasure.
  • Sanctions – GDPR gives supervisory authorities the power to impose fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher).  This is significantly higher than the Privacy Act.

Check out www.oaic.gov.au for resources that will assist your business in checking its compliance with GDPR and in taking steps to comply.  Hicksons can also assist you to ensure that your business is compliant with these obligations.

Post by John Kell and Joanne Gream
