Everything You Need to Know About GDPR
The 2018 General Data Protection Regulation (GDPR) has overhauled previous practices for how businesses worldwide are required to process and handle consumer data. These changes specifically affect businesses in the European Economic Area (basically all countries in Europe), but they extend further than this, having a significant knock-on impact on Australian business practice too.
Designed to modernise previous laws put in place to protect the personal information of individuals, GDPR has had an enormous global effect on how businesses handle their customers’ privacy.
It’s a big deal, and it’s important for Australian organisations to stay up to date if they wish to avoid incurring severe consequences. Our complete guide to GDPR explains everything you need to know about what it is, how to comply with regulations and the steps you can take to protect your business.
Why is GDPR Relevant to Australia?
Before the GDPR came into force in 2018, data protection across Europe was governed by outdated regulations from the 1990s. Naturally, these struggled to keep up with the rapid advancement of technology: the internet, social media and digital entrepreneurship.
In 2018, a more stringent and up-to-date version of these regulations was introduced. After all, plans from the ‘90s simply couldn’t account for modern platforms like Facebook, Twitter and Instagram because they just didn’t exist back then.
Since 2018, GDPR has changed how businesses are required to handle information about their consumers and employees, not only in the European Economic Area (EEA) but also for Australian businesses dealing with European customers’ data.
Australia’s peak body governing personal information, the Office of the Australian Information Commissioner, states in relation to GDPR:
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if:
- they have an establishment in the European Union (EU);
- if they offer goods and services in the EU; or
- if they monitor the behaviours of individuals in the EU.
The GDPR includes requirements that resemble those in the Australian Privacy Act 1988, and additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling.
What Exactly is GDPR?
The General Data Protection Regulation is a European law about data protection and privacy for all individuals in the European Union.
The GDPR, which was put into place on May 25th, 2018, was created to replace the European Data Protection Directive of 1995, upon which the EU’s previous data protection laws were founded.
The regulations set out by GDPR are similar to those of the Australian Privacy Act (1988), including additional requirements that seek to keep all data handling processes as transparent and open to consumers as possible.
According to the EU’s GDPR website, the modern legislation was put into place in an attempt to ‘harmonise’ data protection rules across the European Economic Area, as well as non-EU countries. It aims to give greater rights and more data protection to the consumer.
Businesses worldwide that deal with EU citizens are also affected, including those in Australia. The direct changes and impacts of the 2018 GDPR upon EU and Australian businesses dealing with European citizens include:
- Broader jurisdiction: The GDPR applies to all companies that process the personal data of EU citizens - irrespective of where the company is based.
- Penalties: Breaches of the rules and practices set out by the GDPR can cost companies up to 20 million Euros, or 4 percent of their annual global turnover. Although some fines are smaller, they still serve as a significant and damaging deterrent against non-compliance.
- Consent from data subjects: Consent must be obtained from all users providing data and requested in an understandable and accessible format. The purpose of this data must be clearly outlined for users to sign off. There must also be an easy way for individuals to retract their consent.
- Breach notifications: A data breach that could be detrimental to users must, according to the GDPR, be reported within 72 hours of its discovery.
- Disclosure of important consumer rights: Businesses may be required to disclose consumer rights, including the data subject’s right to request: copies of their data, information on how it is being used and the right to have it erased - sometimes referred to as ‘Data Erasure’. Customers also have the right to move their data freely between service providers.
- Specific protection for children: Amongst all internet users, children are generally the most vulnerable and least aware of risks - particularly where data protection is concerned. GDPR requires parental consent for users younger than 16 years of age in order for their consent to be considered lawful.
The Differences Between GDPR and Australian Data Privacy Regulations
Although GDPR applies to Australian businesses that deal with the data of citizens of the EU, Australian data privacy regulations themselves are different in some ways. These regulations apply to Australian businesses that deal with the data of non-EU citizens.
The GDPR and Australian data privacy regulations are moving in the same direction, but there are still some key differences that need clarification.
One of the most notable of these differences concerns the consequences of a data breach: the harm a breach could cause is treated differently in Australian regulations compared with GDPR.
Consequences of Data Breach
The Australian Notifiable Data Breach Scheme was put in place to give individuals some protection, as they could come to ‘serious harm’ as a result of a data breach. Importantly, the obligation to notify under the Australian Notifiable Data Breach scheme only arises where the data breach is ‘likely to result in serious harm to individuals’.
This harm is defined by the Office of the Australian Information Commissioner (OAIC) as: “serious physical, psychological, emotional, financial, or reputational harm.”
The GDPR, on the other hand, requires notification to take place irrespective of whether ‘harm’ could be caused by the data breach. In other words, where there is a data breach, notification must take place.
The GDPR explicitly states that:
The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
What Do These Changes Mean for Australian Businesses?
The full text of the GDPR contains 99 different articles that set out the rights of the individual, as well as the obligations placed upon organisations to uphold these rights. There are a total of 8 rights for individuals, which include having easier access to personal information as well as the right to restrict data processing.
All of these requirements apply to Australian businesses that handle the data of citizens of the EU. These changes will have the biggest impact on two things: how accessible data is to the individual and how accountable organisations are for protecting it.
Complete Access to Your Data
Above all, the GDPR gives individuals far more power when it comes to accessing the information that an organisation holds about them. This power is granted by way of a Subject Access Request (SAR).
SARs give individuals the ability to request that any information held about them by an organisation be disclosed. Previously, these requests cost £10, but the new GDPR has abandoned this fee, making it free to ask for and receive information. Upon receiving a SAR, businesses must provide the requested information within one month.
These changes mean that every single person in the EU now has the right to confirm what information a particular organisation, anywhere in the world, has about them. This is particularly important for technology companies like Facebook which hold enormous amounts of data about their users.
New GDPR laws also reinforce the rights of EU citizens when subjected to automatic data processing systems worldwide. Although there are certain exceptions to this rule which are outlined by the GDPR, generally speaking, users have the right to an explanation for any decision made about them.
In some circumstances these changes grant users the right to have their data removed, such as where it is no longer necessary for the requested use, consent is withdrawn, if it was processed unlawfully or if there is simply no longer any legitimate interest.
Business Accountability and Compliance With GDPR
As with any new regulation, things don’t always go as planned. In recent years there have been a handful of enormous data breaches that are worth noting, including millions of LinkedIn, Yahoo and even MySpace account details.
Any company covered by the GDPR, whether based inside or outside the EU, is now accountable for how it handles information about EU citizens - whether this means having policies in place outlining its data protection practices or having documents available explaining how data is processed.
New GDPR rules demand that the destruction, loss, alteration or unauthorised disclosure of any user data where it may be detrimental to those involved must be reported within 72 hours.
There are also specific rules for larger companies. Any organisation with over 250 employees that handles data belonging to EU citizens is now obliged to provide documentation explaining why information is being held and processed, how long it is being kept for, accurate descriptions of what information is being held and details about any security measures that have been put into place to ensure its protection.
Furthermore, companies like Facebook that have ‘regular and systematic’ monitoring on a large scale or those that hold a lot of sensitive data are required to employ a Data Protection Officer (DPO). The responsibilities of a DPO include monitoring the company’s compliance with GDPR and serving as a point of contact for employees and customers.
Lastly, businesses are now required to obtain consent for data collection. Article 6 of the GDPR sets out a number of conditions that must be met if data collection is to be considered lawful, which are:
- the data subject has given consent to the processing of their personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Note that under the GDPR a company is either a ‘controller’ or ‘processor’ of personal data.
What are GDPR Fines?
The introduction of the GDPR brings with it serious fines for those that flout it.
These fines can vary in amount. Smaller offences can result in fines of up to €10 million (converted to Australian dollars) or 2 percent of the company’s global turnover - whichever is the greater of the two. More serious breaches can attract fines of up to €20 million or 4 percent of a firm’s global turnover.
One of the most frequently discussed elements of GDPR is the ability for regulators to issue fines to Australian organisations that do not meet GDPR requirements. Whether that means failing to have a Data Protection Officer where necessary, not processing an individual’s data in the correct manner or allowing a security breach to occur, a company can be fined.
In response to rumours about the GDPR making examples of larger companies through the use of even larger fines, Elizabeth Denham states that these speculations are incorrect.
"Having larger fines is useful but I think fundamentally what I'm saying is it's scaremongering to suggest that we're going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm." (Source)
What Can Australian Companies Do To Ensure That They Meet GDPR Guidelines?
It’s crucial that you understand the ins and outs of GDPR in order to fully appreciate its consequences - but what actions can Australian companies that deal with EU data take to ensure that they meet the standards of the GDPR?
- Invest in your IT and marketing departments: Stop the threat or risk of a data breach before it even occurs. Both the threats of cybercrime and the necessity for specific monitoring and implementation strategies mean that your IT department is crucial. Investing in customised and secure IT solutions will ensure that your business remains on the right side of the GDPR and consumer trust.
- Employ a Data Protection Officer (DPO): Companies that perform regular and systematic monitoring of data on a large scale or that keep a lot of sensitive data are now, under the GDPR, required to employ a DPO. Though smaller organisations may not need to hire a DPO, it’s worth considering as the potential damage to your company simply isn’t worth the risk. Consumer information is required to remain private, so any measures you can take to enforce that will benefit your organisation.
- Educate your employees: Anybody that handles information within a company should be educated about new GDPR practices. Although the bulk of the responsibility falls to your security staff, anyone who handles information, such as staff interacting with new customers and those that maintain CRM systems, need to be educated about GDPR.
- Complete a Data Protection Impact Assessment of your current data security system: The easiest and most effective way to ensure compliance with GDPR is to produce an accurate assessment of your current data processes, allowing you to identify high-risk areas and to fix any potential issues beforehand.
- Make use of privacy-protection tools: As with any problem companies encounter, from taxes to social media marketing, other businesses are working to provide profitable solutions. Each and every day there are more and more resources available that can help companies to remain compliant with GDPR. Work with your DPO and IT departments to seek out the solutions best suited to your needs.
- Work alongside GDPR-compliant companies and third-party providers: Whether it’s your email service provider, marketing/PR agencies or CRM service, you may be held responsible for breaches made by third-party providers that you work with. Working with GDPR-compliant organisations will ensure that you have all bases covered.
What About Small Business?
Although there are many different aspects and branches to GDPR, it all comes down to being clear and ethical with whatever data you collect, control and process.
Though smaller Australian businesses probably don’t need to hire a DPO or take the same measures as larger corporations, some initial steps they can take to become compliant include:
Conducting checks on products and services:
- Take the time to check which of your existing products or services are involved in the collection and processing of personal data.
- Ensure you have a legal basis for the processing of personal data.
- Ensure that your data processing practices comply with the obligations to your customers that have been set out in the GDPR, such as the right of access, erasure and request of consent.
Reviewing your notices and contracts:
- Update both your internal and external notices to ensure GDPR compliance.
- Check that your customer contracts conform to GDPR requirements.
- Assign a person within your organisation with the responsibility of data protection and privacy.
- Decide whether or not you need to employ a Data Protection Officer. To determine this, visit the Information Commissioner’s Office (ICO) website for guidance.
- Train and educate your staff on the importance and practicalities of data protection.
Securing your systems:
- Ensure all systems that collect, process or store personal data are secure and well-protected.
How Will GDPR Affect Australian Business?
The introduction of new data regulation rules will dramatically affect the way European business operates, but it’ll also have an impact on other areas - including Australia. The Australian Privacy Act (1988) shares many of the same features as the GDPR.
How Do I Know if My Business Will be Affected?
You may need to comply with GDPR rules if:
- Your business targets EU citizens online: Perhaps you sell goods or services in Euros or provide European language options - then your target market most likely includes citizens of the EU.
- Your business monitors EU citizens online: If you track your users’ behaviour online, they are based in Europe, and you do this in a way that allows you to identify them or target your advertising towards them, you’ll be subject to GDPR regulations.
- Your customers are businesses in the EU: Firstly, these businesses will be required to meet GDPR requirements. Not only that, but they may also be held accountable if their partners or customers (you) fail to comply with standards.
If your business falls into one of these categories, you’ll be required to meet the standards of GDPR, meaning that you must have a reason for holding or tracking user data. GDPR sets out six legally acceptable grounds:
- Consent: If the subject has given you informed consent for you to collect their data.
- Contract: If the holding or usage of data is necessary for you to fulfil a contract with the subject.
- Legal obligation: If you are under a legal obligation to keep and use the subject’s data.
- Protection: If holding the data is necessary for your business to protect lives or safety.
- Public interest: If it is in the public interest for you to hold or use the subject’s data.
- Legitimate interest: The collection of the subject’s data is necessary for the legitimate interests of your business.
Be mindful that, even with legal reasons for collecting or holding data, it must still only be used for the specific purpose for which it was originally stored. It is then your responsibility to keep it safe and up to date.
What Measures Should I Take to Keep Everything Legal?
The first and most vital step you’ll need to take is to ascertain whether or not your business is required to comply with GDPR. If you’re unsure, you can always seek the help of a professional.
If you find that you do need to meet European data regulations, you may need to take the following steps:
- Audit any data you hold, deleting unneeded information.
- Review in depth the ways that your company collects and uses data to ensure that they comply with GDPR.
- Ensure that any third-party companies that you deal with also comply with GDPR. If they don’t, your business may be held accountable for data breaches.
How The Contract Company Can Help
The Contract Company are specialist contract lawyers. We can draft, review, handle, prepare or provide all of your commercial business contracts, as well as any other agreements you need including legal contracts, contractor agreements and contract review & drafting.
Need More Information?
While we’ve covered the most important areas of GDPR in this article, we don’t claim to have all of the answers. For more information, be sure to make use of the following links:
The Australian Government’s statement on how the GDPR will affect Australian Government Agencies.