The EU has given individuals within the EU greater control of their privacy, with worldwide effect. Australian companies should see the benefits of being GDPR-compliant.
Three months ago today, the General Data Protection Regulation (GDPR) came into force. This new European Union (EU) Regulation on data protection and privacy has extraterritorial effect and affects businesses worldwide, provided they target customers within the EU. The penalties associated with failing to comply with the new requirements are definitely worth considering, with fines of up to AUD 31.4 million or four per cent of the company’s total worldwide annual turnover.
Are Australian businesses ready?
The GDPR clearly applies to Australian businesses that sell goods or services directly to customers in the EU and collect personal information from them. It also affects the processing of personal information of data subjects within the EU. Some Australian companies that do not fall directly under the scope of the GDPR may have clients, partners or corporate customers that must fulfil direct obligations; the main challenge for these Australian businesses will be to comply with the new contracting arrangements that their partners and corporate customers may ask them to sign.
Australian companies that are already compliant with the Australian Privacy Law have part of their homework done in terms of data protection and privacy under the GDPR framework. However, there are certain aspects where the GDPR imposes stricter requirements, such as:
- Establishing a distinction between controllers and processors. On the one hand, the data controller determines the purposes and the means to process personal data: the “why” and “how” the data should be processed. On the other hand, the data processor processes personal data on behalf of the controller. There are situations where an entity can be a data controller or a data processor, or both.
- Giving individuals the “right to be forgotten”. Individuals have the right to the erasure of their data in the possession of other parties when there are no compelling reasons for its processing.
- Appointment of a Data Protection Officer. A company needs to appoint a Data Protection Officer as long as its core activities involve processing of sensitive data on a large scale or involve large-scale, regular and systematic monitoring of individuals. Data Protection Officers are responsible for implementing and overseeing the company’s data protection strategy as well as ensuring compliance with the GDPR.
- Reporting data breaches within a shorter time frame. Companies have just 72 hours to gather all the information related to a data breach and to report it to the relevant authorities.
In any case, it is advisable for Australian companies that are in doubt about whether the GDPR affects them, either directly or indirectly, to seek legal advice and implement appropriate measures where necessary.
What is the enforceability of the GDPR?
While the enforceability of the GDPR on Australian businesses with a physical presence in the EU is straightforward, one might wonder to what extent the European Data Protection Supervisor can enforce the GDPR on a company located in a different country. There are certain ways in which the GDPR can be imposed on overseas companies.
Firstly, it is up to the discretion of the EU courts to decide if a foreign company is collecting EU residents’ data and therefore needs to be compliant with the GDPR. One of the objectives of the GDPR is precisely to protect individuals and to have them as the main point of reference regardless of where the company is located.
Secondly, the GDPR requires foreign companies without an establishment in the EU to designate a “representative” located in the European Union. The GDPR representative is a different figure from the Data Protection Officer and will act on behalf of the controllers and processors with regard to their obligations. The representative can be subject to enforcement proceedings if there is a lack of compliance by a controller or processor.
Thirdly, the GDPR can rely on internal law and cooperation with countries outside the EU to facilitate the effective enforcement of legislation for the protection of personal data.
Finally, the GDPR grants direct rights to data subjects and gives non-EU citizens the possibility to submit complaints for a breach of their data privacy. Indeed, the GDPR does not define data subjects as EU citizens, but as natural persons. Consequently, non-EU citizens who are residing or transiting within the EU are protected under the GDPR.
Seeing GDPR as an opportunity
While the GDPR could be perceived as an administrative burden due to the various regulations, requirements and changes that come with it, it in fact presents an opportunity for businesses.
Being compliant with GDPR forces a company not only to review and harmonise procedures when it comes to collection and processing of personal data, but also to centralise data, to get to know the client better, to clean the company’s mailing list and to avoid losing information.
Being GDPR-compliant signifies a ‘stamp’ of high-standard security measures for clients, which adds value compared to other companies in the same market, not only within the EU but also worldwide.
The truth is that the GDPR is a reality. The EU has been a precursor in giving individuals within the EU broader control over their privacy, but other countries may follow. Bearing in mind the digital and global context we live in, where individuals transfer both their lives and their data around the globe every day, the changes introduced by the GDPR will have an impact at a local level within the context of Australian privacy policies.
Iris de Orte Júlvez is a qualified lawyer in Spain who works in compliance at Polyglot Group. She holds a European Master in Law and Economics and is currently undertaking a Bachelor of Social Science in Accounting and Finance at the London School of Economics and Political Science.
This article is published under a Creative Commons Licence and may be republished with attribution.