GDPR in Australia – is Your Business Compliant?

The European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’) came into effect on 25 May 2018.  Whilst Europe is over 14,000km from Australia’s sandy shores, its data protection laws are only a click away.

Is this relevant to my business?

If you are wondering why an EU regulation is causing such a fuss in Australia, the first key thing to know about the GDPR is that it applies to Australian organisations of any size that either:

  1. have an establishment or presence in the EU, or
  2. do not have a physical presence in the EU, but
    a) offer goods and services to European-based individuals, or
    b) monitor the behaviour of European-based individuals.

Since a failure to comply with the terms of the GDPR may result in fines of €20 million or 4% of annual turnover (whichever is higher), it is critical that Australian organisations are prepared and protected.

What is the GDPR?

The GDPR is the biggest overhaul of data protection laws in Europe since the introduction of the European Union Data Protection Directive in 1995.  The new laws seek to protect individuals’ privacy and personal data by regulating the way that organisations collect, store and protect the personal information (‘personal data’) of European-based individuals.  This includes customers, employees and suppliers (‘data subjects’).

For instance, organisations may collect personal data from data subjects only for ‘specified, explicit and legitimate purposes’.  In addition, organisations must obtain explicit and informed consent from the data subject prior to processing their data.

The GDPR also dictates how organisations must prepare for, respond to and report a data breach.  Organisations must appoint a ‘Data Protection Officer’ to internally regulate the way personal data is processed by the organisation.  They must also conduct a Data Protection Impact Assessment, outlining the potential ways that personal data stored by the organisation could be compromised, as well as how the organisation would respond to such a breach.

If a breach occurs, the organisation must report the breach to the relevant supervisory authority, and in certain circumstances also notify the individuals whose data has been compromised.  This is similar to the new mandatory data breach notification regime that was introduced in Australia in February 2018.  

The GDPR also grants data subjects certain rights over their personal data, such as:

  1. The right to access and review the personal data that is held by a company relating to the individual;
  2. The right to object to their personal data being processed;
  3. The right to data portability;
  4. The right to complain or query how companies process their personal data;
  5. The right to object to automated decision making using personal data; and
  6. The right to have personal data forgotten by the company.  

How does the GDPR affect Australian Companies?

While the GDPR shares some common elements with Australian laws under the Privacy Act 1988, there are many elements of the GDPR that do not have an Australian equivalent.  To make sure that they are protected, Australian organisations should take steps to determine whether their businesses are required to comply with the GDPR and if so, ensure they are familiar with the various obligations and additional rights granted under the GDPR.

If your company is not already GDPR-compliant, it is crucial that you immediately review your internal and external policies and procedures as well as any and all data collection procedures.  The potential fines of €20 million or 4% of annual turnover (whichever is higher) are too great to ignore, and it is yet to be seen just how strictly the EU will enforce the new laws.

If you would like to receive our regular legal Updates, please subscribe here.  If you require advice as to exactly how your company can ensure GDPR compliance, please do not hesitate to contact our Privacy and Data Protection team.

© 2024 Coleman Greig Lawyers  |  Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230