Table Of Contents
- 1 When GDPR Applies for Australian Businesses
- 2 Obligations and Compliance
- 3 Obligations For Processors
- 3.1 Process the Data in a Manner That is Lawful, Fair and Transparent
- 3.2 Use the Data for Legitimate Purposes
- 3.3 Limit the Use Only to What is Necessary
- 3.4 Process the Data in a Way That Maintains its Accuracy
- 3.5 Store the Data For No Longer Than Necessary
- 3.6 Process the Data in a Secure Fashion
- 3.7 Requests For Access and Erasure
- 3.8 Disclosure and Transfer of Data to Third-Party Organizations
- 3.9 Dealing With Breaches of Personal Data
- 3.10 EU Representative or Data Protection Officer
- 4 Consent Request
- 5 GDPR Vs Australia Privacy Act
- 6 Final Words
The European Union put the General Data Protection Regulation (GDPR) into force on 25 May 2018.
Pressure for stronger data-protection rules grew as companies began collecting and monetising immense amounts of personal data; the GDPR, which replaced the EU's 1995 Data Protection Directive, is the EU's response. It is EU law, but its reach is not limited to EU companies: Australian businesses, especially online ones, may have to comply with it.
In this article we cover four of the most important aspects of the GDPR: when it applies to Australian businesses, what you are obliged to do in order to comply, what a valid consent request looks like, and how the GDPR differs from the Australian Privacy Act.
When GDPR Applies for Australian Businesses
Under Article 3, the GDPR applies to three kinds of organisation:
- Businesses established in the European Union, for any processing carried out in the context of that establishment, wherever the processing itself takes place.
- Businesses not established in the EU that offer goods or services to individuals who are in the EU, whether or not payment is required.
- Businesses not established in the EU that monitor the behaviour of individuals who are in the EU, as far as that behaviour takes place within the EU (for example, tracking visitors in order to profile or target them).
Because a large number of Australian businesses, particularly those trading online, collect personal data about people in the EU, many of them will find that at least some of their processing falls under the GDPR.
Some examples of activity that can bring an Australian business within the GDPR:
- Shipping products to customers in the EU, or otherwise deliberately targeting EU customers (quoting prices in euros, offering EU-language versions of a site, running marketing aimed at EU countries), while collecting personal data such as names, addresses, current location or dates of birth, or handling billing and tax records for those customers.
- Monitoring people in the EU, for example through analytics, advertising cookies or other tracking that profiles visitors from the EU.
Note that a website merely being reachable from the EU, or listing an e-mail address, does not by itself mean you are offering goods or services there; Recital 23 lists the factors that do. The question is whether you envisage doing business with, or monitoring, people in the EU.
The GDPR is already in force and reaches well beyond the EU's borders, so many businesses are scrambling to make sure they're compliant. Failing to comply can be disastrous for your business; the possible fines are covered later in this article.
Obligations and Compliance
The GDPR places a number of new obligations on the organisations that control and process data, referred to as controllers and processors respectively. A controller is the business that determines the purposes and means of processing, that is, why and how personal data is used, even if it never holds or processes the data itself. A processor is a business that processes personal data on the controller's behalf, normally under a written contract with the controller. Many businesses are both: a controller for their own customer data and a processor for data handled on behalf of clients.
Obligations For Processors
Any business that processes personal data, whether as controller or processor, must respect the GDPR's processing principles (Article 5). The controller is responsible for compliance with them and must be able to demonstrate it (the "accountability" principle); a processor may only act on the controller's documented instructions. "Personal data" here means any information relating to an identified or identifiable natural person; someone is identifiable if they can be picked out directly or indirectly, for example by a name, an identification number, location data, or an online identifier such as an IP address or a cookie ID.
That brings us to the principles themselves. They are binding, not best-effort obligations, and breaches of them fall into the GDPR's highest fine tier.
Process the Data in a Manner That is Lawful, Fair and Transparent
Lawful means you have a legal basis for the processing; Article 6 lists six: consent, performance of a contract, a legal obligation, protecting someone's vital interests, a public task, or legitimate interests that are not overridden by the individual's rights. Fair means you do not process the data in ways the individual would not reasonably expect or that work against them. Transparent means you tell individuals, in plain language and at the point of collection, who you are, what you collect, why, and what their rights are (Articles 13 and 14).
Use the Data for Legitimate Purposes
Collect data for specified, explicit and legitimate purposes that you have told the individual about, and do not later use it for purposes incompatible with them. Any processors you engage further down the line must be bound, by contract, to the same restrictions (Article 28).
Limit the Use Only to What is Necessary
Collect and keep only the data that is adequate, relevant and necessary for the stated purpose. If a field serves no lawful purpose, do not collect it; if you already hold it, delete it.
Process the Data in a Way That Maintains its Accuracy
If you keep data for any length of time, make sure it remains accurate and, where necessary, up to date, and correct or erase inaccurate data promptly; individuals also have a right to have inaccurate data rectified.
Store the Data For No Longer Than Necessary
Keep personal data in identifiable form only as long as you need it for the stated purpose. Define a retention period for each category of data and delete or anonymise records once it expires; data you no longer need is purely a liability.
Process the Data in a Secure Fashion
Use appropriate technical and organisational measures to protect the data (Article 32). The regulation names pseudonymisation and encryption as examples, along with the ability to ensure the confidentiality, integrity, availability and resilience of the processing systems, to restore access and availability after an incident, and to regularly test the effectiveness of those measures. In practice that means encrypting personal data in transit and at rest, restricting access to the people and systems that need it, patching and monitoring the systems that hold it, keeping tested backups, and choosing the level of protection in proportion to the risk to the individuals concerned. Endpoint anti-virus on its own does not meet this standard.
Requests For Access and Erasure
If a business holds personal data, the individual (the "data subject") has the right to request and obtain a significant amount of information about that data and how it is being used.
This includes a copy of the data itself, the purposes of processing, the categories of data held, how long it will be stored (or the criteria used to decide that), and the recipients or categories of recipients it has been or will be disclosed to. When the request is made electronically, the copy must be provided in a commonly used electronic form.
An individual may also request that their data be erased, or that processing of it be restricted. You must comply with an erasure request when the data is no longer needed for the purpose it was collected for, when the individual withdraws the consent the processing relied on, or when the processing was unlawful, unless an exception applies, for example where you are legally obliged to retain the records or need them to establish or defend legal claims.
In practice, you need a documented procedure for locating all of an individual's data across your systems, handing over copies or deleting it, and responding within the GDPR's one-month deadline (extendable by two months for complex requests), together with a way to verify that the person making the request really is the data subject before you release or delete anything. An access request answered without that check is itself a data breach.
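The following is an added example, not code from the original article, showing how the retention rule from the "Store the Data For No Longer Than Necessary" section and the access and erasure handling above can be implemented over a simple record set: an access request returns a JSON-ready copy with each record's planned retention end, an erasure request drops everything except records under a legal hold (and reports what was kept, so the reply can say why), and a routine sweep purges expired records whether or not anyone asked. The record layout, the retention and legal-hold periods, and the sample records are all constructed assumptions; verifying the requester's identity is assumed to happen before these functions are called.

```python
"""Subject access, erasure and retention sweeps over a record set.

Added example, not code from the original article. The record layout,
the retention policy and the sample records are all constructed for
illustration; identity verification of the requester is assumed to have
happened before these functions are called.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    subject_id: str   # internal customer identifier
    kind: str         # category of record, keyed into the policies below
    created: date     # when the data was collected
    payload: dict     # the personal data itself


# Constructed retention policy: how long each category is kept at all
# (storage limitation). A record past this window is purged on the next sweep.
RETENTION = {
    "invoice": timedelta(days=5 * 365),
    "marketing_profile": timedelta(days=3 * 365),
    "support_ticket": timedelta(days=2 * 365),
}

# Constructed legal holds: categories that must be kept for a period even if
# the subject asks for erasure (the "still needed" exception). Anything not
# listed here is erased on request.
LEGAL_HOLD = {
    "invoice": timedelta(days=5 * 365),  # assumed tax-record retention period
}


def export_subject(records, subject_id):
    """Build the copy handed back on an access request: each record with its
    category, collection date, planned retention end and the data itself, as
    plain dicts that serialise cleanly to JSON."""
    out = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        out.append({
            "kind": r.kind,
            "collected": r.created.isoformat(),
            "retained_until": (r.created + RETENTION[r.kind]).isoformat(),
            "data": dict(r.payload),
        })
    return out


def erase_subject(records, subject_id, today):
    """Apply an erasure request. Records still under a legal hold are kept and
    their categories reported, so the reply can state what was retained and why;
    every other record belonging to the subject is dropped.
    Returns (remaining_records, erased_count, retained_kinds)."""
    remaining, erased, retained = [], 0, []
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)
            continue
        hold = LEGAL_HOLD.get(r.kind)
        if hold is not None and r.created + hold > today:
            remaining.append(r)
            retained.append(r.kind)
        else:
            erased += 1
    return remaining, erased, retained


def purge_expired(records, today):
    """Routine retention sweep: drop every record past its retention window,
    whether or not anyone asked for it."""
    return [r for r in records if r.created + RETENTION[r.kind] > today]


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("cust-1001", "invoice", date(2019, 6, 1),
           {"invoice_no": "INV-2019-0042", "total": 49.90}),
    Record("cust-1001", "marketing_profile", date(2019, 6, 1),
           {"segments": ["gardening", "outdoor"]}),
    Record("cust-1001", "support_ticket", date(2018, 3, 10),
           {"subject": "Damaged parcel", "resolved": True}),
    Record("cust-1002", "invoice", date(2017, 1, 1),
           {"invoice_no": "INV-2017-0007", "total": 120.00}),
    Record("cust-1002", "marketing_profile", date(2019, 12, 1),
           {"segments": ["books"]}),
    Record("cust-1003", "invoice", date(2025, 6, 1),
           {"invoice_no": "INV-2025-0101", "total": 15.50}),
]


if __name__ == "__main__":
    today = date(2020, 1, 15)
    print(export_subject(SAMPLE_RECORDS, "cust-1001"))
    remaining, erased, retained = erase_subject(SAMPLE_RECORDS, "cust-1001", today)
    print(f"erased {erased} record(s); retained under legal hold: {retained}")
    print(f"{len(purge_expired(remaining, date(2026, 1, 1)))} record(s) left after the 2026 sweep")
```

The split between RETENTION and LEGAL_HOLD is the point: the storage-limitation sweep and the erasure right are different obligations with different triggers, and the exception to erasure (records you are legally required to keep) must be narrower than, and never longer than, the general retention period, otherwise the sweep would delete records you are obliged to hold.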
Disclosure and Transfer of Data to Third-Party Organizations
Occasionally you will need to disclose personal data to a third party, for example an SEO or online marketing agency engaged to analyse customers' buying habits in order to target ads and keywords. In such cases you may only disclose as much data as the third party needs for that task. Here that would mean releasing the customers' purchase histories and some coarse demographic information, not their full records, and ideally under a pseudonym rather than a name or e-mail address, so the agency can correlate purchases without being able to identify the people behind them.
Beyond disclosing only what is needed, a third party that processes data on your behalf is a processor, and you must have a written contract with it that covers confidentiality, security, the use of sub-processors, and the return or deletion of the data when the engagement ends (Article 28). If the third party mishandles the data in breach of the GDPR, you as controller remain liable.
If a breach occurs in those circumstances, you will need to show that you were not at fault: that you did your due diligence on the third party's data-protection policies and security capabilities before entrusting it with data, and that your contract and instructions were adequate. In other words, if you hand data to a shady company or one without adequate protection, it is your fault if it gets out.
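As an added example (not code from the original article), the following builds the kind of minimised export described above: from full internal customer records it keeps only purchase history and coarse demographics, replaces the customer identifier with a keyed pseudonym (HMAC-SHA256 under a per-vendor key the vendor never sees), and runs a pre-release check that no direct identifier survived. The field names, the coarsening rules (ten-year age bands, two-digit postcode prefix), the key and the sample customers are all constructed assumptions.

```python
"""Minimised, pseudonymised hand-off of customer data to a marketing vendor.

Added example, not code from the original article. The record fields, the
vendor's needs, the coarsening rules, the key and the sample customers are
all constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import date

# Direct identifiers that must never appear in the vendor export.
DIRECT_IDENTIFIERS = frozenset({"id", "name", "email", "phone", "address", "dob"})


def pseudonymise(customer_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the internal id. The vendor gets a stable
    reference for correlating one customer's purchases, but cannot reverse it
    without the key, and cannot cross-match it with another recipient's export
    because each recipient gets its own key. The controller can re-link the
    vendor's results by recomputing the HMAC."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()[:32]


def age_band(dob: date, today: date) -> str:
    """Coarsen a date of birth to a ten-year band; the vendor needs rough
    demographics, not a birthday."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(customer: dict, key: bytes, today: date) -> dict:
    """Build the record shared with the vendor from the full internal record,
    copying out only what the stated purpose (purchase-habit analysis) needs."""
    return {
        "ref": pseudonymise(customer["id"], key),
        "age_band": age_band(customer["dob"], today),
        # Assumed coarsening: first two digits of a four-digit Australian
        # postcode, enough for a region without pinpointing a suburb.
        "region": customer["postcode"][:2],
        "purchases": [
            {"sku": p["sku"], "month": p["date"].strftime("%Y-%m")}
            for p in customer["purchases"]
        ],
    }


def build_vendor_export(customers, key: bytes, today: date) -> list:
    """Minimise every customer record for release to one vendor."""
    return [minimise(c, key, today) for c in customers]


def leaked_fields(export) -> list:
    """Pre-release check: walk the export and collect any direct-identifier
    field names that survived minimisation, at any nesting depth."""
    found = set()

    def walk(obj):
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k in DIRECT_IDENTIFIERS:
                    found.add(k)
                walk(v)
        elif isinstance(obj, list):
            for v in obj:
                walk(v)

    walk(export)
    return sorted(found)


# Constructed sample data: full internal records, as held by the controller.
SAMPLE_CUSTOMERS = [
    {"id": "cust-1001", "name": "Jane Citizen", "email": "jane@example.com",
     "phone": "+61 400 000 001", "address": "1 Example St, Melbourne",
     "dob": date(1985, 9, 12), "postcode": "3000",
     "purchases": [{"sku": "SKU-42", "date": date(2020, 3, 14), "amount": 49.90}]},
    {"id": "cust-1002", "name": "Sam Citizen", "email": "sam@example.com",
     "phone": "+61 400 000 002", "address": "2 Example Rd, Sydney",
     "dob": date(1999, 1, 2), "postcode": "2000",
     "purchases": [{"sku": "SKU-7", "date": date(2020, 1, 5), "amount": 12.00},
                   {"sku": "SKU-42", "date": date(2020, 5, 20), "amount": 49.90}]},
]

# Constructed per-vendor key; in production this lives in a secrets store and
# is never shared with the vendor.
DEMO_VENDOR_KEY = b"constructed-demo-key-for-marketing-vendor"


if __name__ == "__main__":
    export = build_vendor_export(SAMPLE_CUSTOMERS, DEMO_VENDOR_KEY, date(2020, 6, 1))
    assert leaked_fields(export) == [], "refusing to ship an export with identifiers"
    print(json.dumps(export, indent=2))
```

Two design points worth noting. A keyed HMAC rather than a plain hash is what makes this pseudonymisation rather than a thin disguise: customer IDs are low-entropy, so an unkeyed SHA-256 of them could be brute-forced by anyone who knows the ID format. And the `leaked_fields` check is a last line of defence, not the control; the control is that `minimise` copies fields out by name rather than deleting unwanted ones, so a new column added to the customer record later does not silently flow to the vendor.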
Dealing With Breaches of Personal Data
Data breaches happen, and far more often than businesses like to admit, but under the GDPR businesses are required to admit to them.
If a personal data breach occurs (any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data) and it is likely to result in a risk to the rights and freedoms of the people involved, it must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of your becoming aware of it (Article 33). If the breach is likely to result in a high risk to those people, you must also tell them directly without undue delay (Article 34).
For example, losing a list that contains nothing but customers' first names is unlikely to pose a risk and probably does not need reporting. A stolen list of credit card details certainly does, to the authority and very likely to the cardholders as well. Whether an incident must be reported is decided case by case, but every breach, reported or not, must be recorded internally with its facts, its effects and the action taken, and when in doubt it is safer to report.
If you notify later than 72 hours, the notification must be accompanied by the reasons for the delay. The authority may then investigate, examining whether you have complied with the GDPR, including whether your technical and organisational protections were adequate.
EU Representative or Data Protection Officer
In some circumstances you must designate a data protection officer (DPO). Under Article 37 this is mandatory for public authorities, for businesses whose core activities involve regular and systematic monitoring of individuals on a large scale, and for those whose core activities involve large-scale processing of special categories of data (health, biometrics, political opinions and the like) or criminal conviction data. If you are unsure whether your business qualifies, appointing one voluntarily is the safe choice; a voluntarily appointed DPO is held to the same requirements as a mandatory one.
Separately, a business outside the EU that is caught by the GDPR because it offers goods or services to, or monitors, people in the EU must normally appoint a representative located in an EU member state (Article 27). The representative acts as the point of contact for the supervisory authorities and for the data subjects whose data is collected. The requirement is waived only where the processing is occasional, does not include large-scale processing of special categories or criminal data, and is unlikely to result in a risk to individuals.
Consent Request
Consent is one of the six lawful bases for processing, not the only one: a business that needs an address to ship an order relies on performance of a contract, not on consent. Where you do rely on consent, the GDPR requires it to be freely given, specific, informed and unambiguous, and given by a clear affirmative act. The request must be presented clearly and separately from other matters, in plain language, and must be easily accessible to the individual; silence, pre-ticked boxes and inactivity do not count, and for special categories of data the consent must be explicit.
The regulation does not prescribe a particular form, but a few practices follow from its conditions: ask for consent just before the data is collected or processed, so it is current and tied to that purpose; ask separately for each distinct purpose rather than bundling them; keep a record of who consented to what, when and how, since you must be able to demonstrate it; and make withdrawing consent as easy as giving it, because an individual may withdraw at any time.
GDPR Vs Australia Privacy Act
The GDPR sounds a lot like the existing Australian Privacy Act 1988, but there are important differences. The clearest is who must comply: the GDPR applies to organisations in the EU and to those outside it that target or monitor people in the EU, whereas the Privacy Act applies to Australian government agencies and to organisations with an Australian link (the "APP entities"). The definitions of personal data and personal information are similar, though not identical: both cover information about an individual who is identified or reasonably identifiable.
There are other differences too. The Privacy Act exempts most small businesses: an organisation with annual turnover of $3 million or less is generally outside the Act, unless an exception applies (health service providers and businesses that trade in personal information, among others, are covered regardless of size). The GDPR has no such exemption; it applies to every organisation within its scope, large or small, although the size and nature of the business feed into what counts as "appropriate" security and whether a DPO or representative is required.
How harsh is it? The Privacy Act's highest civil penalty at the time of writing is $2.1 million, which for a small business is a massive sum (the cap has since been raised substantially). The GDPR sets two tiers: up to 10 million euro or 2% of total worldwide annual turnover for the preceding financial year for failures such as inadequate security or not notifying a breach, and up to 20 million euro or 4% of turnover for breaches of the processing principles, the conditions for consent, individuals' rights or the transfer rules, in each case whichever is higher. That is why the GDPR is such a big deal, why everyone is in such a rush to comply, and why it bites hardest on large businesses with high turnover.
Final Words
The GDPR exists to protect individuals' data, and it backs that up with severe consequences for non-compliant businesses. Australian businesses, especially those with an online presence, therefore need to keep their security current and make sure they comply with the General Data Protection Regulation. The first step is to check whether any of the GDPR's obligations apply to you and, if they do, to bring your processing into line with them.
The GDPR has been in force since May 2018, and complying late is far better than facing GDPR fines and audits.