News: Impact of European Union’s General Data Protection Regulation (GDPR) on Australia


Thursday, May 31, 2018

KHQ Lawyers’ Darren Sommers, Principal Solicitor, and Clea Cole, Lawyer, from the Corporate and Commercial team, discuss the ramifications of the European Union’s General Data Protection Regulation (GDPR) for Australian businesses. 

Darren Sommers

Data protection and privacy – a global issue for Australian businesses following the introduction of the EU’s General Data Protection Regulation.

Clea Cole

On 25 May 2018, changes to the European Union’s General Data Protection Regulation (“GDPR”) came into effect, requiring organisations all over the world (including businesses in Australia) to provide a high level of protection to the personal data of individuals in the EU, and to allow those individuals to maintain better control over their personal data.

Specifically, the GDPR applies to Australian businesses (regardless of size) that are ‘data processors’ or ‘data controllers’ and that have an establishment in the EU, offer goods or services in the EU, or otherwise monitor the behaviour of individuals in the EU. Generally speaking, ‘data controllers’ determine the purposes and means for processing personal data and ‘data processors’ process personal data on behalf of a controller.

In today’s global economy, the introduction of the GDPR is particularly significant given that most businesses operate online (via the use of platforms, websites and applications), or otherwise have operations in overseas jurisdictions and accordingly have clients and customers globally.

The flow-on effect for Australian businesses is that their data protection and privacy measures may no longer be assessed from an Australian law perspective alone. Instead, these issues are now global, and Australian businesses must take steps to evaluate their information handling practices to ensure that they comply.

It is not however all doom and gloom (and regulatory hurdles). The GDPR and Australian privacy laws (namely, the Privacy Act 1998 (Cth)) share many similarities and Australian businesses should already have some GDPR compliant measures in place.

For example, both the GDPR and Australian privacy laws foster transparent information handling practices and accountability measures to show individuals that their privacy is being adequately protected. Both laws also require businesses to implement measures that demonstrate their compliance with a set of privacy principles, and both take a privacy by design approach.

Obviously, however, there are some key differences between the two regimes. We have summarised a few of these below but ultimately the Office of the Australian Information Commissioner recommends that Australian businesses with clients or customers in the EU check to see if they are covered by the GDPR and, if so, take steps to comply.

Highlights of the GDPR are as follows:

Accountability and governance: to achieve accountability and good governance practices, businesses covered by the GDPR must, amongst other things, implement appropriate technical and organisational measures. Such measures may include: undertaking compulsory data protection impact assessments when data processing is likely to result in a high risk to the rights and freedoms of individuals; maintaining documentation of the business’ processing activities; implementing appropriate security measures; recording and, where necessary, reporting personal data breaches; and (unless an exception applies) appointing data protection officers.

Consent: an individual’s consent to a business handling their personal data (including any cookies associated with an individual’s online usage patterns) must be freely given, specific and informed, and must be indicated by a statement or other clear affirmative action. This has made many businesses reconsider their information collection statements to require customers to actively consent to the use of their personal data (versus the current common practice of having a check box “ticked” and requiring customers to actively opt out).

Enhanced individual rights: the rights of individuals now specifically include a right of access to personal data; a right to rectification; a right to erasure (or a right to be forgotten) if certain conditions are met (including when the personal data collected is no longer necessary for the purposes for which it was collected or processed, or when the data subject withdraws their consent); a right to data portability (which is essentially a right to obtain a machine-readable copy of your personal data and to reuse it, or transfer it to another data controller); and a right to object to the processing of your personal data.

Ultimately these changes require businesses to adopt and/or strengthen their internal processes and systems to ensure they can adequately protect clients’ personal data.

Accordingly, we suggest that, if you haven’t already done so, you:

  • Seek advice about whether the GDPR applies to your business;
  • Familiarise yourself with the requirements of the GDPR and if necessary obtain compliance advice to ensure you have a firm understanding of those requirements;
  • Evaluate your business’ organisational measures relating to the handling and collection of personal data and update these to ensure that they meet the requirements of the GDPR; and
  • Update your privacy policy and collection statement.


Darren Sommers specialises in providing general commercial legal advice and specialist technology law advice to clients in the IT industry and other technology industries. In addition to his law degree, Darren has both an honours degree in Science and a Master of Information Technology. Darren has also previously worked as a software developer and business analyst for leading multi-national companies. Darren’s vocational experience in IT assists in providing his clients with practical and well-targeted legal advice.

Clea Cole is a lawyer in our Corporate & Commercial team, having joined KHQ as a trainee lawyer in 2015. She was admitted to practice in mid-2016. Prior to joining KHQ, Clea worked at the Fair Work Commission as a legal research analyst in the Workplace and Economic Research Section.

Contact Darren at dsommers@khq.com.au or Clea at ccole@khq.com.au
