By Laura Bueti, Lawyer
What is the European Union General Data Protection Regulation?
The European Union (EU) General Data Protection Regulation (GDPR) came into effect on 25 May 2018, replacing all existing privacy laws within the EU.
The aim of the GDPR is to ‘harmonise’ the national data protection laws in the EU, to ensure consistency and uniformity across the EU jurisdictions, and to expand the territorial scope of the EU’s privacy framework worldwide.
Notably, the GDPR implements the following changes to the privacy framework of which you should be aware:
- there is a new definition of ‘consent’, being that it must be ‘freely given, specific, informed, and an unambiguous indication of the data subject’s agreement to the processing’;
- data subjects (individuals whose personal data is being dealt with by an organisation) now have further rights to have their personal information deleted, and have a right of ‘data portability’;
- organisations will have further accountability and governance requirements, to demonstrate consideration and integration of data protection into processing activities;
- there is further regulation around how information is to be collected and used for the purpose for which it was collected;
- there is a new requirement for ‘data protection impact assessments’ to be undertaken;
- there is a requirement for mandatory data breach notifications to be made within 72 hours of becoming aware of any data breach;
- some organisations will be required to appoint a ‘data protection officer’; and
- there are now higher penalties for breaching the privacy regulation, including fines of up to €20 million or 4% of an organisation’s annual worldwide turnover, whichever is greater, for certain types of contraventions.
The GDPR only applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified. The GDPR refers to these individuals as ‘data subjects’.
The definition of ‘personal data’ draws strong links to the definition of ‘personal information’ under the Australian Privacy Act 1988 (Cth).
Data Controllers and Data Processors
The GDPR will only apply to an organisation which is deemed to be a ‘data processor’ or ‘data controller’, dealing with personal data.
Data controllers are generally defined as organisations which determine how personal data will be processed and used.
Data processors are generally defined as organisations that process personal data on behalf of the controller.
Key principles (Article 5 of the GDPR)
The following six points outline the key principles that organisations will need to comply with, in relation to personal data.
Personal data will be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Does your not-for-profit / charity fall under the scope of the GDPR?
It is not typical for laws to apply to entities that are not established within the enacting jurisdiction (i.e. for laws to apply extraterritorially). The GDPR, however, applies to all organisations which process or control personal data regarding individuals within the EU.
This application extends to organisations which may not be geographically located or registered within the EU, and includes charities and not-for-profits.
Therefore, the GDPR not only applies to organisations geographically located within the EU, but also to organisations located outside of the EU, if they offer goods or services to, or monitor the behaviour of, EU data subjects (i.e. the organisation amounts to a ‘data processor or data controller’).
The GDPR will apply to your organisation if one of the following criteria is met:
- if your organisation has an office, or is established in the EU; or
- if your organisation offers goods or services to individuals in the EU (including free goods or services); or
- if your organisation tracks or monitors individuals in the EU (i.e. collects information which identifies a person), for the purpose of profiling, analysing or predicting that person’s behaviours.
The GDPR applies to not-for-profits / charities in the same way that it would a ‘for profit’ organisation, and not-for-profits / charities could be liable for sanctions under the GDPR with fines of up to €20 million or 4% of an organisation’s annual worldwide turnover.
Brexit raises interesting questions about whether an Australian organisation will be caught by the scope of the GDPR if it is only processing or controlling personal data in relation to United Kingdom (UK) data subjects.
At this stage, it is unclear whether Brexit will provide Australian organisations with any relief from their obligations under the GDPR, as we are yet to see how the UK government will respond.
It is, however, likely that the UK will implement an equivalent (or very similar) privacy framework to the GDPR post-Brexit. It would be wise for Australian organisations processing personal data of UK data subjects to expect that they will be required to comply with very similar obligations post-Brexit.
How should your Not-for-Profit / Charity comply?
The Office of the Australian Information Commissioner (OAIC) clearly sets out the GDPR governance requirements, and provides Australian organisations with guidance on how to ensure they are compliant with the requirements of the GDPR.
Not-for-profits / charities which fall under the scope of the GDPR should consider their current privacy policies and procedures to ensure that they are complying with the governance requirements.
If your organisation is already meeting its obligations under the Australian Privacy Act 1988 (Cth), it is likely that you will already be complying with many of the requirements and obligations under the GDPR.
If you are concerned about your organisation’s compliance with its domestic and international privacy obligations, you might consider taking the time to review and refresh your privacy policies and procedures.