GDPR in Australia – is Your Business Compliant?

The European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’) came into effect on 25 May 2018. Whilst Europe is over 14,000km from Australia’s sandy shores, its data protection laws are only a click away.

Is this relevant to my business?

If you are wondering why an EU regulation is causing such a fuss in Australia, the first key thing to know about the GDPR is that it applies to Australian organisations of any size that either:

  1. have an establishment or presence in the EU, or
  2. do not have a physical presence in the EU, but:
    a) offer goods and services to European-based individuals, or
    b) monitor the behaviour of European-based individuals.

Since a failure to comply with the terms of the GDPR may result in fines of €20 million or 4% of annual turnover (whichever is higher), it is critical that Australian organisations are prepared and protected.

What is the GDPR?

The GDPR is the biggest overhaul of data protection laws in Europe since the introduction of the European Union Data Protection Directive in 1995. The new laws seek to protect individuals’ privacy and personal data by regulating the way that organisations collect, store and protect the personal information (‘personal data’) of European-based individuals. This includes customers, employees and suppliers (‘data subjects’).

For instance, organisations may collect personal data from data subjects only for ‘specified, explicit and legitimate purposes’. In addition, organisations must obtain explicit and informed consent from the data subject prior to processing their data.

The GDPR also dictates how organisations must prepare for, respond to and report a data breach. Organisations must appoint a ‘Data Protection Officer’ to internally regulate the way personal data is processed by the organisation. They must also conduct a Data Protection Impact Assessment, outlining the potential ways that personal data stored by the organisation could be compromised, as well as how the organisation would respond to such a breach.

If a breach occurs, the organisation must report the breach to the relevant supervisory authority, and in certain circumstances also notify the individuals whose data has been compromised. This is similar to the new mandatory data breach notification regime that was introduced in Australia in February 2018.

The GDPR also grants data subjects certain rights over their personal data, such as:

  1. The right to access and review the personal data that is held by a company relating to the individual;
  2. The right to object to their personal data being processed;
  3. The right to data portability;
  4. The right to complain or query how companies process their personal data;
  5. The right to object to automated decision making using personal data; and
  6. The right to have personal data forgotten by the company.

How does the GDPR affect Australian Companies?

While the GDPR shares some common elements with Australian laws under the Privacy Act 1988, there are many elements of the GDPR that do not have an Australian equivalent. To make sure that they are protected, Australian organisations should take steps to determine whether their businesses are required to comply with the GDPR and, if so, ensure they are familiar with the various obligations and additional rights granted under the GDPR.

If your company is not already GDPR-compliant, it is crucial that you immediately review your internal and external policies and procedures, as well as any and all data collection procedures. The potential fines of €20 million or 4% of annual turnover (whichever is higher) are too great to ignore, and it is yet to be seen just how strictly the EU will enforce the new laws.

If you would like to receive our regular legal Updates, please subscribe here. If you require advice as to exactly how your company can ensure GDPR compliance, please do not hesitate to contact our Privacy and Data Protection team.

© 2024 Coleman Greig Lawyers