There has been a lot of discussion around GDPR for Australia and how it will affect Australian businesses. Designed to establish a single set of data protection rules across Europe, it is now more relevant than ever after recent data breaches like the Facebook-Cambridge Analytica scandal.
We break down exactly what GDPR is, its main principles, and how it will affect Australian businesses.
General Data Protection Regulation (GDPR) is a regulation in European law on data protection and privacy for individuals within the European Union. It is intended to give individuals better control over their personal data held by organisations.
GDPR applies to the data processing activities of businesses with an establishment in the EU that are data processors or controllers. These businesses need to comply with GDPR regardless of whether the data is processed in the EU. Generally, it is the responsibility of the data controller to implement effective measures. A data controller decides how and why personal data is processed. The data controller must be able to demonstrate that its processing activities comply, even when the processing is carried out by a data processor on behalf of the controller.
GDPR is not confined to entities within the EU. It will apply to foreign entities if they:
If a European tourist provides personal information when booking a service with an Australian business while in Australia, GDPR does not apply. If, however, you market to that person a month later when they have returned to Europe, then GDPR does apply.
If a non-EU citizen is residing in Europe, then GDPR may apply. For example, if an Australian is on holiday in Europe and receives a marketing email from an Australian business, GDPR does not apply. If, however, that Australian is temporarily living in Europe for, say, 2 years, then GDPR may apply.
By contrast, under Australian privacy law, businesses are able to market to someone if it is reasonably expected that the person would want to be marketed to.
Whether or not GDPR applies to you depends on whether:
As GDPR is still new, there are grey areas in certain cases of data ownership. Maximum penalties for a breach of GDPR are 20M or 4% of annual revenue, whichever is greater. However, we predict that the targets of such penalties will most likely be large companies such as Facebook and Google.
If you are looking for more detail on GDPR for Australia, we encourage you to seek your own independent legal advice.