What is GDPR and do I need to care about it?
The European Union has introduced a General Data Protection Regulation (the GDPR). It is the EU equivalent of the Privacy Act and the Australian Privacy Principles.
The GDPR came into force on 25 May 2018.
The GDPR is about privacy and data protection. It is about the “personal data” of individuals in the EU through its entire life-cycle – so we are talking about collection, use, retention, transfer and deletion. By contrast Australian privacy law is about the collection, use and disclosure of “personal information”.
How does this affect an Australian business?
If you have any business relations with European companies then you may be affected.
The GDPR forces your EU corporate customers to have specific terms in their contracts with suppliers (such as you) where those suppliers process personal data on their behalf. You could think of it as pushing the compliance obligations onto you contractually, so that your customer can hold you responsible if there is a breach. No doubt these obligations will be in the fine print somewhere or part of their new standard arrangement.
If you’re an Australian business, it’s handy to know that the European Commission has not recognised Australian privacy law as providing an “adequate” level of protection, so being generally in compliance with Australian requirements may still leave you out of compliance with the GDPR.
It gets better – if you have your own suppliers then the obligations continue down the chain. It is probably going to be worth you updating your contracts with them to make sure they mirror your obligations to the European customer.
What action can I take?
In practical terms it means you will probably have to update the terms and conditions you have with those customers, as well as your sub-contracts with the subcontractors (known as processors or sub-processors) who access or are provided with personal data (for example, CRMs, cloud-based systems and some data analytics tools).
The specific requirements for these contracts come from a few places, primarily Article 28 of the GDPR, which applies to all processing and sub-processing arrangements, and Article 46, which deals with international transfers of personal information.
As mentioned above, the European Commission has not recognised Australia as having “adequate” privacy laws. This means that further “appropriate safeguards” have to be put in place by organisations which want to transfer personal data to Australian service providers.
This might involve further terms and conditions (the standard contractual clauses adopted by the European Commission, often called the “model clauses”) or, in limited cases, the explicit consent of the individual, which the GDPR makes more difficult to obtain and manage.
What if I have customers in the EU?
If your business sells goods or services directly to customers in the EU and you collect the personal information about individuals in the EU, you will likely be caught by the GDPR.
How is the GDPR different to Australian privacy law?
There is a fair degree of overlap between the two, for example data minimisation, transparency, use only for specified purpose, and security are all already reflected in the Australian Privacy Principles. Both require “privacy by design”.
GDPR introduces the concept of “controllers” and “processors”.
“Controllers” are effectively the entity that decides why personal information is collected and processed.
They are responsible for ensuring that personal information is processed in accordance with the GDPR, whether they process it themselves or outsource to a “processor”.
“Processors” only process personal data on behalf of, on instructions from, and under a contract with, the controller. Their obligations are narrower than a controller’s, but the GDPR still imposes some directly on them (for example keeping records of processing, securing the data, and telling the controller about a data breach without undue delay).
The GDPR places obligations on controllers that are more onerous than the Australian Privacy Law. Some of the key differences are as follows:
1. The controller needs to ensure there is a “lawful basis” for processing personal data
The lawful bases for processing personal data (Article 6) are:
- consent of the individual
- performance of a contract with the individual
- compliance with a legal obligation
- necessity to protect someone’s vital interests
- necessity for a task carried out in the public interest, and
- the legitimate interests of the controller or a third party (unless overridden by the individual’s interests or rights).
2. Consent is harder to obtain
In Australia, consent can be implied. Under the GDPR, it must be a freely given, specific, informed and unambiguous indication of the individual’s wishes, given by “a statement or by a clear affirmative action”; silence, inactivity and pre-ticked boxes do not count, and “explicit” consent is required for special categories of data (such as health data). Under both systems, consent must be able to be withdrawn at any time.
3. Data subjects’ enhanced rights
In Australia there is a right of access and a right to correct personal data. The GDPR adds further rights such as the right to erasure (the “right to be forgotten”), the right to data portability, the right to object to or restrict processing, and the right not to be subject to decisions based solely on automated processing except in certain circumstances.
4. Appointment of EU representative and Data Protection Officer
If you are not established in the EU but are caught by the GDPR, you will generally need to appoint a “representative” established in the EU. Separately, you must appoint a Data Protection Officer if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
5. Data breach requirements more onerous
You’ll need to report a greater range of data breaches in a much shorter time frame. Under the GDPR a controller must notify the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and must also tell the affected individuals without undue delay where the breach is likely to result in a high risk to them. Processors must tell their controller without undue delay, which is another obligation that will find its way into your contracts.