The European Union General Data Protection Regulation (GDPR) came into force on 25 May 2018, and it has a long reach. Many Australian businesses may think they are not caught, or that their compliance with Australian Privacy Principles will be enough. But if you are wrong, the consequences could be significant – penalties of up to €20m or 4% of annual turnover, whichever is higher, can be applied.

So how sure are you? This article provides some general guidance on application of the GDPR, and an outline of some of the additional matters to be addressed if the GDPR does apply.

The focus of the GDPR is the protection of personal data – information which relates to an individual who can be directly or indirectly identified from the data, including name, identification number, location data or online identifier.

The GDPR generally applies to organisations collecting or processing personal data where the organisation:

1. has an established business presence in the EU
2. is offering goods or services to individuals in the EU
3. is monitoring the behaviour of individuals in the EU

Many obligations mirror those that already apply in Australia under the Australian Privacy Principles. However, there are also important additional obligations which may apply, including the following:

1. An organisation which is collecting or processing personal data of an individual in the EU but which does not have an established business presence in the EU may need to appoint a representative based in the EU.
2. Conditions for consent have been strengthened. For example, the request for consent must be unambiguous and distinguishable from other matters (“unbundled”). It should be as easy to withdraw consent as it is to give it. For sensitive personal data explicit, “opt in” consent is required.
3. A range of prescribed information is required to be included in an organisation’s privacy notices.
4. Individual rights have been enhanced, including the right to “data portability”, restriction on processing, and the right to erasure (the “right to be forgotten”).
5. Overseas transfer of information may require specified contractual safeguards to be in place where the individual has not explicitly consented.
6. Additional steps may be needed to review technical and organisational measures to ensure relevant policies and procedures have been designed and implemented – referred to as “data protection by design and by default”.

Given the sanctions that can be applied, Australian organisations with links to the EU should take a moment to consider the applicability of the regime to their business.