EU Privacy Changes and its impact on Australian business

The regulatory landscape governing data privacy and protection across the world is set for a landmark change with the European Union’s General Data Protection Regulation (‘GDPR‘) coming into effect on 25 May 2018.

The GDPR will replace the data privacy standards currently in place in the European Union (‘EU‘) and aims to harmonise data protection laws across the EU, modernising standards to reflect the use of new technology and the growing practice of the creation and processing of personal data on the internet.

The GDPR will have application beyond the EU and will apply to all companies, regardless of location and size, that:

  • offer goods or services in the EU;
  • monitor the behaviour of residents of the EU; or
  • or process or hold the personal data of individuals based in the EU.

Personal data is defined broadly and will include any information that can be used to directly or indirectly identify an individual. This may include an individual’s name, email address, medical information or even a computer IP address.

Australian companies that fall within the reach of the GDPR will need to ensure they are adequately prepared. Compliance with the GDPR will require companies to adopt transparent data handling practices and meet certain standards when handling personal data. This will include obligations regarding the type of personal information that can be gathered, how personal information needs to be stored and protected and what organisations must do in the case of a data breach.

Unlike previous data protection laws, the GDPR also introduces direct liability for data processors, such as service providers who provide cloud based services.

The GDPR introduces unprecedented penalties for non-compliance. Fines can be up to €20 million or 4% of annual group turnover (whichever is greater) for serious infringements.

In the lead-up to the commencement of the GDPR, businesses should investigate whether they will be required to comply with the GDPR, and if so, take action immediately to ensure they are compliant by 25 May 2018.

If you have any queries regarding your company’s compliance with the GDPR, please contact us.

This article was written by Marcus Hannah, Associate – Commercial and Jey Jeyabala, Lawyer – Commercial.