Changes to the GDPR are effective from the 25th May 2018.
Many Australian businesses will need to comply.
The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that will apply from 25 May 2018.
Australian businesses with an establishment in the EU, or that offer goods and services in the EU, or that monitor the behaviour of individuals in the EU may need to comply. In particular, the GDPR is likely to apply to your business if:
- you sell or seek to sell goods or services in the EU (this still includes the UK for the purposes of the GDPR). For example, if your website offers goods for sale in Euros and ships to countries of the EU, then the new GDPR privacy laws will apply to your business; or
- you hold personal data for individuals residing in the EU; or
- you have an office in the EU.
The GDPR applies to “personal data”. This is similar to “personal information” under the Australian Privacy Act, but the GDPR makes it clear that a wide range of identifiers will be considered “personal data”, including: a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
WHAT ARE THE NEW REQUIREMENTS UNDER THE GDPR?
Accountability and Governance.
The GDPR sets out expanded accountability and governance requirements. In addition to being able to demonstrate that you comply with the principles set out in the GDPR, you must be able to show that you have considered data protection in your processing activities.
For example, your processes should:
- pseudonymise personal data as soon as possible
- be transparent as to how personal data is held and used
- enable the individual to monitor the data processing
- enable the controller to create and improve security features.
In certain circumstances, you may be required to appoint a data protection officer to monitor and advise on compliance with the GDPR and undertake a compulsory data protection impact assessment (DPIA).
Consent.
Consent is relevant to the operation of many requirements and restrictions on handling personal data under the GDPR.
Consent must be:
- freely given
- an unambiguous indication of the subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement.
Under 16 Years of Age.
Consent must be obtained from a person with parental responsibility for the child.
Mandatory Data Breach Notification.
You must notify the relevant authority of a data breach within 72 hours of becoming aware of the breach unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals.
Expanded Rights for Individuals.
The GDPR includes a range of new and enhanced rights for individuals.
- The right to erasure gives individuals a right to demand their data is deleted in certain circumstances.
- The right to object at any time to the processing of their personal data (including profiling).
- The right to ‘data portability’— to receive personal data they have provided to a controller in a ‘structured, commonly used, machine-readable format’ and to transmit that data to another controller, where the data is processed electronically.
- The right to restriction of processing— for example, if an individual contests the accuracy of their personal data, there may be a temporary restriction on processing to enable the controller to verify the accuracy of the personal data.
Obligations on Data Processors.
A controller must only use processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures that ensure compliance with the GDPR and protect the rights of the data subject.
This generally needs to be set out in a contract, and your contract with your data processor should include specific clauses stating that:
- the processor may only process data in accordance with documented instructions from the controller
- the processor must ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- the processor cannot engage another processor without the authorisation of the data controller
- the processor must assist the controller in satisfying its responsibilities in terms of security obligations, data protection impact assessments and data breach notifications.
A table comparing the Australian Privacy Act with the new EU GDPR is available for download. This table was prepared and published by the Australian government’s Office of the Australian Information Commissioner (OAIC), March 2018.