By Louise Cantrill, Partner

The European Union General Data Protection Regulation (GDPR) came into force on 25 May 2018, and it has a long reach. Many Australian businesses may think they are not caught, or that their compliance with Australian Privacy Principles will be enough. But if you are wrong, the consequences could be significant  – penalties of up to €20m or 4% of annual turnover, whichever is  higher, can be applied.

So how sure are you? This article provides some general guidance on application of the GDPR, and an outline of some of the additional matters to be addressed if the GDPR does apply.

Application

Its focus of the GDPR is the protection of personal data – information which relates to an individual who can be directly or indirectly identified from the data, including name, identification number, location data or online identifier. Information about companies or public authorities is not personal data, but information about individuals acting as sole traders, employees, partners and company directors where they are individually identifiable and the information relates to them as an individual may constitute personal data.

The GDPR generally applies to organisations collecting or processing personal data where the organisation:

1. has an established business presence in the EU
2. is offering goods or services to individuals in the EU
3. is monitoring the behaviour of individuals in the EU

Additional obligations

Many obligations mirror those that already apply in Australia under the Australian Privacy Principles. However, there are also important additional obligations which may apply, including the following:

1. An organisation which is collecting or processing personal data of an individual in the EU but which does not have an established business presence in the EU may need to appoint a representative based in the EU.
2. Conditions for consent have been strengthened. The request for consent must be clear and use plain language, easily accessible, and distinguishable from other matters (“unbundled”). It must be unambiguous, with the purpose(s) for data collection/ processing specified. For sensitive personal data (including genetic data, biometric data, race or ethnicity, health, political or religious beliefs) explicit, “opt in” consent is required. It should be as easy to withdraw consent as it is to give it.
3. A range of prescribed information is required to be included in an organisation’s privacy notices.
4. Individual rights have been enhanced, including the right to “data portability”, restriction on processing, and the right to erasure (the “right to be forgotten”).
5. Overseas transfer of information may require specified contractual safeguards to be in place where the individual has not explicitly consented (after being warned of the possible risks associated with transfer) or the EU Commission has not specifically approved a particular country or organisation as providing an adequate level of data protection.
6. Additional steps may be needed to review technical and organisational measures to ensure relevant policies and procedures have been designed and implemented – referred to as “data protection by design and by default”.
7. Notice of a  data breach must be given to the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals.

Given the sanctions that can be applied for failure to comply (up to €20m or 4% of annual turnover, whichever is  higher), Australian organisations with links to the EU should take a moment to consider the applicability of the regime to their business.