Changes to the European Union’s General Data Protection Regulation (“GDPR”) are now in effect, requiring organisations to provide a high level of protection regarding the personal data of individuals in the EU, and ensuring those individuals are able to maintain better control over their personal data.

The GDPR applies to Australian businesses (regardless of size) that are ‘data processors’ or ‘data controllers’ and:

• Have an establishment in the EU;
• Offer goods or services in the EU; or
• Otherwise monitor the behaviour of individuals in the EU.

Data Control

‘Data controllers’ determine the purposes and means for processing personal data and ‘data processors’ process personal data on behalf of a controller.

The introduction of the GDPR is significant given most businesses operate online or have operations in overseas jurisdictions.

For Australian businesses, it means their data protection practices may no longer be assessed only from the perspective of Australian law.

Silver Lining

But it’s not all doom and gloom. Australia’s privacy laws share many similarities with the GDPR and Australian businesses should already have some GDPR?compliant measures in place.

For example, both laws:

• Foster transparent information handling practices and accountability measures to show individuals that their privacy is being adequately protected;
• Require businesses to implement measures that demonstrate their compliance with a set of privacy principles; and
• Take a ‘privacy by design’ approach.

Top Tips

There are key differences between the two laws, and the Information Commissioner recommends that Australian businesses with EU-based customers check whether they are caught by the GDPR and take steps to comply. 

We recommend you:

• Seek advice about whether the GDPR applies to your business;
• Familiarise yourself with the requirements of the GDPR and obtain advice to ensure you have a firm understanding of those requirements;
• Evaluate and update your data handling processes to ensure they comply with the GDPR; and
• Update your privacy policy and collection statement.

ABOUT THE AUTHOR
Clea Cole is a lawyer with KHQ Lawyers’ Corporate & Commercial team. She eats privacy and data protection work for breakfast.