What does GDPR stand for?

General Data Protection Regulation.

What is GDPR?

The new GDPR legislation is a new set of rules created to unify and improve data privacy laws across Europe and give EU citizens more control over their privacy and personal data.

When does GDPR legislation take effect?

The policy will come into effect on May 25, 2018.

What information does GDRP apply to?

GDPR legislation applies to ‘personal data’ which is a broad term for ‘any information relating to an identified or identifiable natural person’. This includes information specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.

EXAMPLES

• Biometric information such as fingerprints
• Banking or credit card information
• Medical records
• Personal information collected when applying for a loan
• Data collected about user behaviour on Facebook
• Cloud providers (even though they are only considered a ‘data processer’)

Who does GDRP apply to?

The GDPR applies to any organisation, regardless of their location, if they offer goods or services to, or monitor the behaviour of, EU citizens. It applies to organisations who process and/or hold the personal data of citizens residing in the European Union, regardless of the company’s location.

EXAMPLES
Scenarios where GDPR would apply:

• An Australian online retailer offering products or services globally
• An Australian company with an office in the EU
• A global company providing genetic/DNA/ancestry identification services
• An Australian company offering services in an EU language or currency (euros)
• A company, irrespective of location, offering market research on the buying behaviour of French citizens
• A security company that retains biometric information
• Cloud providers (even though they are only considered a ‘data processer’)

What are some of the new GDPR requirements in Australia?

• Right to access – Individuals can ask an organisation to confirm whether their personal data is being processed, where and for what purpose. They can also request a copy in electronic format, free of charge.
• Data breach notifications – Any data breach that is likely to ‘result in a risk for the rights and freedoms of individuals’ must be reported within 72 hours of first realising the breach has occurred.
• Data portability – Individuals can request that an organisation give them back a copy of the personal data they provided or request they send the data to another organisation, which could be a competitor.
• Erasability – Individuals have the ‘right to be forgotten’ and can request that their personal data be deleted in certain circumstances, including when the information is no longer necessary for the purpose in which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
• Consent – Clear consent with a positive opt-in must be given for any personal data being collected and processed. Silence, pre-ticked boxes or inactivity does not constitute consent, and if a child is under 16 years of age their parents must consent on their behalf.
• Objecting to data processing – Under GDPR, individuals can, at any time, object to the processing of their personal data and organisation are generally required to comply. There are some exceptions which can be found in Article 21.
• Privacy by design, not an afterthought – This requires that companies, when designing information systems, consider data security from the outset. (Sounds like best practice doesn’t it?)
• Data Protection Officers – Certain organisations including, but not limited to, public or government organisations, will now be required to have a Data Protection Officer, who will be responsible for overseeing data protection to ensure compliance with GDPR requirements. More information can be found in Section 4.

What are the GDPR penalties for non-compliance?

If you breach the GDPR Australia legislation penalties can be substantial, however they are discretionary and must be imposed on a case-by-case basis. A lower level fine can be up to €10,000,000 or 2% of annual worldwide turnover, whichever is greater, with the maximum fine being €20,000,000 or 4% of the annual worldwide turnover. More information can be found in Article 83 of the legislation.

Click here for tools to assist with GDPR Australia compliance.

Legal disclaimer: Information outlined here solely reflects the views of its editors and authors and should not be construed as legal advice. We recommend you obtain formal legal advice.