The Privacy landscape has changed – has your business updated its privacy policy?

Is your turnover more than $3M?  The Australian Privacy Act applies to you. 

The Privacy Act has been in force since 1988. You may already have a Privacy Policy in place in your business, but you probably rarely use it or refer to it. Having a privacy policy is only the first step for proper privacy compliance.

You can comply with the Privacy laws by implementing a Privacy Compliance Program in your business. The content and extent of your Privacy Compliance Program can be tailored depending on the size and complexity of your business, and the types of personal information (and credit information) that you collect. As a minimum, your Privacy Compliance Program should include the following elements:

  • An audit of your existing privacy practices, to identify the gaps in compliance;
  • Updating your existing Privacy Policy (or preparing one in the first place if you don’t already have one);
  • Updating your data collection forms and consent forms;
  • Updating or implementing Complaints Handling procedures;
  • Updating or implementing Access & Correction Request procedures;
  • Training your staff; and
  • Auditing your compliance measures from time to time

A “one-size fits all” approach does not work for Privacy compliance. Your Privacy Compliance Program needs to be tailored, relevant and useful for it to actually be used in your business.

Do you hold personal information about individuals? You must comply with the new Australian mandatory data breach reporting regime.

The mandatory data breach reporting regime came into force on 22 February 2018. You have an obligation to notify the Office of the Australian Information Commissioner, and individuals whose personal information is involved in a data breach, that is likely to result in serious harm. It is important you are adequately prepared before any eligible data breach occurs so you can respond appropriately and within the timing requirements.

If you answer YES to any of these questions, the European Union General Data Protection Regulation (the GDPR) may apply to you.

  • Do you offer goods or services to customers in the EU?
  • Do you monitor the behaviour of EU residents or use other online tracking methods on your website which can be accessed by EU residents?
  • Are you a business with an establishment in the EU?

The GDPR became enforceable from 25 May 2018 and impacts almost every organisation that is either based in the EU, or that does business in the EU (even if based abroad).

Despite being an EU based regulation, the GDPR is enforceable against all organisations regardless of their location if they offer goods or services to, or monitor the behaviour of people in the EU.  Penalties for non-compliance under the GDPR are significant with fines of 4 per cent of global revenue or €20m (over $30 million AUD), whichever is higher.

Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply.

Macpherson Kelley can assist your business to ensure compliance with each of these changes and requirements. If you have any questions about the changes and how they may impact you, please contact Kelly Dickson.

This article was written by Jason Kaye, Graduate Lawyer – Commercial.