From 25 May 2018 Australian businesses may need to comply with the EU General Data Protection Regulation, even if they don't have any physical presence in the EU. If you offer goods and services or monitor the behaviour of individuals in the EU, then you may be caught.
Our Guidance note (included below) gives you some tips on some of the biggest changes to be introduced by the new EU GDPR and what they might mean for you.
There are many reasons why Australian organisations should be aware of the GDPR and consider the extent to which they might voluntarily adopt some of the changes it introduces. In particular, it is likely that the provisions of the new GDPR will influence the Australian Privacy Commissioner’s approach to the interpretation and application of the Australian Privacy Principles, particularly in view of the growing international co-operation between privacy regulators in responding to data breach cases involving multiple jurisdictions. Organisations should also appreciate that Australians will be exposed to the new practices when dealing with European-based organisations and may come to expect the same kind of protections from Australian entities, setting a new hurdle for trust that will apply regardless of what may be required by the less stringent Australian Privacy Principles.
In short, the GDPR flags a new direction in data protection and it would be prudent for all Australian organisations to pay attention.
- Australian organisations could be covered by the GDPR if their services are targeted at EU residents or if they monitor the behaviour of EU residents.
- A new definition of ‘consent’ means that it will become difficult to rely on pre-ticked boxes, opt-out provisions or bundled consents. Australian entities should consider the extent to which they comply with this definition when relying on consent under the Australian Privacy Act.
- Information must be provided in a way which is concise, transparent, intelligible and easily accessible. It is possible that the Australian Privacy Commissioner will expect the same standard of disclosure from Australian organisations.
- To encourage compliance, EU regulators will be able to impose much higher penalties than before, with the higher penalty tier allowing fines of up to 20 million Euro or 4% of annual group turnover. The imposition of high penalties for significant violations may encourage the Australian regulator to take similar action.
- Data security measures are specified to include restoring availability and access and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures. The Australian Privacy Commissioner may incorporate similar expectations into the interpretation of ‘reasonable steps’ for the purposes of APP 11.
For more information, register for our online training session or download our Guidance note (below).