EU laws impact Aussie organisations
If you thought being prepared for Australia’s Notifiable Data Breaches scheme legal changes by Thursday, 22 February 2018 was the only thing to mark off on your privacy 'to do list', think again!
The European Union General Data Protection Regulation (GDPR) comes into effect from 25 May 2018, and is likely to affect many Aussie businesses.
Why? Well, the EU laws (which will replace its existing data protection rules) are widely drafted and will apply to:
- ‘Data controllers’ (i.e. organisations that possess, or are responsible for, the data they manage) and processors with an office inside the EU;
- Entities operating outside the EU which offer goods and services to individuals in the EU (even if no payment is required); and
- Entities operating outside the EU that monitor the behaviour of individuals in the EU (such as internet use profiling).
What’s important to realise is that Australian businesses of any size (not just those caught by our Privacy Act) may need to comply. For instance, if you have an establishment in the EU, or if you offer goods and services in the EU (such as an online business that ships products to EU countries) then you may be bound by the GDPR requirements.
There is some good news when it comes to compliance. The GDPR and our Privacy Act share many common requirements, including to:
- implement a privacy by design approach to compliance;
- be able to demonstrate compliance with privacy principles and obligations;
- adopt transparent information handling practices; and
- comply with mandatory breach reporting.
However, there are some significant differences. For instance, ‘data controllers’ must notify the EU commission or relevant supervisory authority of any data breach much more quickly (within 72 hours), and the required contents of that notice are strict and specific. In the event of “high risk breaches”, the data subject (or individual involved) must also be informed without undue delay.
The penalties for failing to meet the GDPR requirements are also significantly higher than in Australia (e.g. for a serious infringement, the penalty may involve a sanction of 4% of annual global turnover or €20 million, whichever is greater). Australian businesses therefore need to determine now whether they need to comply and, if so, what steps they need to take before May this year.
A good starting point is the OAIC website, which contains a comprehensive summary of the GDPR, who it applies to and its new requirements. The Office has also devised a comparison table so that it is easy to review the Australian privacy requirements alongside those in the EU.
A warning: don’t be lulled into a false sense of security by the tyranny of distance. Whilst sitting in the audience of last year’s Data + Privacy Asia Pacific Conference, I heard someone put to the Deputy Commissioner of the UK’s ICO during a Q&A session that it was surely unrealistic to think that an EU regulator would spend the time and money necessary to prosecute a small business, located in far-away Australia, for GDPR breaches. His answer? "You don’t know the French like I do…!"