Privacy under the GDPR

The GDPR

Unless you live in an internet free bubble, you will notice many of your online services sending you privacy policy updates. This is not a coincidence: on 25 May 2018 the European Union’s General Data Protection Regulation (GDPR) came into effect and imposed new obligations on how organisations collect, process and store data. European and international companies have been scrambling to issue new privacy policies to ensure they are compliant.

Despite being a European law, the GDPR may impact your Australian business. The GDPR imposes some obligations that are different than found in the Australian equivalent privacy law, the Privacy Act 1988.

When the GDPR applies

The GDPR applies if your organisation is based in the EU, collects data from EU residents, processes data from EU residents or sells goods or services to EU residents. An Australian business may need to comply with the GDPR if it:

·         Has an office in the EU;

·         Sells an app or a product that can monitor an EU resident’s behaviour;

·         Sells products to people located in the EU;

·         Provides services to an EU resident.

The obligations

The GDPR applies to ‘personal data’ which is any ‘information relating to an identified or identifiable natural person’. There is no turnover threshold for the GDPR, where in Australia, the Privacy Act normally won’t apply to your business if turnover is under $3m.

Under the GDPR, personal data may only be processed if the subject of the data has provided consent or there is another legal basis, including:

·         For the legitimate interests of a data controller or a third party

·         To perform a task in the public interest or in official authority

·         To comply with a data controller’s legal obligations

·         To fulfill contractual obligations with a data subject

·         To perform tasks at the request of a data subject who is in the process of entering into a contract with a data controller

·         To protect the vital interests of a data subject or another person

Consent must be ‘opt in’, so consent as a default will not be sufficient. This is a higher threshold than under the Privacy Act which only requires consent where sensitive information is being collected.

Compared to the Privacy Act in Australia, the GDPR provides a number of rights to individual data subjects:

·         A right of erasure in certain circumstances;

·         A right of access and information about how the data is being processed;

·         A right to view how personal data is being processed;

·         A right to portability of data – so an individual can transfer their data from one system to another.

These new rights may require changes to how you process and store data.

Sanctions

Under the GDPR, the authorities can impose finse of up to 20 million euro or 4% of global annual turnover, which ever is higher.

What you need to do

Data handling in Australia is already subject to the Privacy Act regime, but the GDPR imposes some new obligations. To make sure you stay out of trouble:

1.       Determine if the GDPR applies to your business.

2.       If it does, audit your data flow, from collection through processing and storage. Determine if you have sufficient consent and if your systems will enable compliance with new GDPR rights.

3.       Update and implement new GDPR-compliant privacy policy and processes.

If you think the GDPR might apply to your business, get in touch.

For further information:

Office of the Australian Information Commissioner guidance

Text of the GDPR

Compliance Council comparison between the Privacy Act and the GDPR