While the General Data Protection Regulation (GDPR) was introduced by the European Union to protect against the misuse of the personal data of EU citizens, it will also impact Australian businesses with established operations in the EU.
Limiting the amount of personal data that may be collected by organisations and regulating the ways such data may be used and the length of time it may be stored are just some of the ways that the most comprehensive update to global data protection regulation in decades will alter the cyber marketing landscape.
Set to come into force on 25 May 2018, the GDPR represents a far wider reaching and more stringent data protection regime than those currently affecting Australian businesses, such as the Notifiable Data Breach Scheme, which Morrissey Law & Advisory has previously analysed in our article on the impacts of the NDB scheme.
Which businesses will be covered by the new regulations?
The GDPR applies to the data processing activities of controllers (which determine how and why personal data is processed) and processors (which act on behalf of controllers) inside and outside the EU.
Unlike the NDB regime, which only imposes obligations on businesses with turnover greater than $3 million, the GDPR will affect Australian businesses of all sizes that operate or conduct market research in the EU.
The types of Australian businesses that will be covered by the GDPR include:
- Those with an office in the EU;
- Those that offer goods or services to EU citizens; and
- Those that monitor the behaviour of individuals in the EU.
What information does the GDPR apply to?
Article 4 of the GDPR states that ‘any information relating to an identified or identifiable natural person’ will be covered. This definition of ‘personal data’ is very similar to the ‘personal information’ definition in the Australian Privacy Act 1988 (Cth).
What obligations will be imposed on businesses?
Although many of the requirements are mirrored in the Privacy Act, the GDPR includes expanded accountability and governance requirements, including requirements that data controllers must:
- Show that they comply with all the ‘Principles relating to the processing of personal data’ set out in Article 5;
- Put into action technical and organisational measures and data protection policies, in order to demonstrate that their processing activities comply with the GDPR (Article 24); and
- Implement data protection procedures to foster ‘data protection by design and default’ (Article 25).
Consent is crucial to the operation of many of the procedural and processing obligations the GDPR imposes on businesses. Under the GDPR, personal data may only be processed if one of the ‘conditions for processing’ under Article 6 applies. For example, under Article 6(1)(a), an individual must have given consent to the processing of his or her personal data for one or more specific purposes.
The GDPR requires an array of prescribed information regarding the processing of personal data to be issued to individuals; such information must be intelligible, accessible, transparent, concise and in plain language.
Expanded Rights of Individuals
The GDPR introduces a number of new and improved rights aimed at allowing individuals to take charge of their own privacy and the way in which their personal data is processed. The new rights of individuals include:
- The right to erasure, meaning individuals may require data controllers to delete their data in circumstances such as where the information is no longer necessary for the purpose for which it was collected, or where an individual withdraws consent and no other legal ground for processing their data exists. (Article 17)
- The right to object to processing of an individual’s personal data at any time is also provided for in the GDPR. When an objection is made, the data controller must cease processing the individual’s data.
- A right to be provided with personal information that is being processed, or has been processed by a data controller.
- A right to obtain a restriction on processing of an individual’s personal data from a data controller, in instances such as where the individual contests the accuracy of their personal data.
New obligations on data processors
A number of new obligations apply solely to data processors (as the entities operating at the direction of data controllers), including that:
- Processors must only process data in line with documented instructions from the appropriate controller;
- Confidentiality commitments are undertaken by personnel authorised to process personal data;
- A processor may not engage another processor without the authorisation of the data controller; and
- Processors must implement adequate technical and organisational measures to ensure a level of security necessary to mitigate risks associated with the possession and processing of personal data.
The obligations imposed by the GDPR represent significant improvements in the protection of individuals’ private information, as well as much stricter and wider reaching obligations on businesses with established operations in the EU.
For more information on the GDPR and its requirements, the full text is available at https://gdpr-info.eu/
If you have any questions about the GDPR or its application to your business and data processing activities, please do not hesitate to contact Morrissey Law & Advisory.
Disclaimer: This publication by Morrissey Law & Advisory is for general information and commentary only and should not be considered or relied upon as legal advice. Formal legal advice should be sought in relation to any matters or transactions that may arise in relation to this communication.