Many of us have seen our email inboxes inundated by messages about GDPR and have a vague idea that this relates to European data regulations, but we might be less clear about what relevance this has to us or how it affects Australian businesses.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA). The GDPR regulates the personal data of individuals in the EU through the entire process of collection, use, retention, transfer and deletion. Although it covers some of the same ground as the Australian Privacy Act and the Australian Privacy Principles, the GDPR is seen as the most wide-ranging, broadly applicable and comprehensive privacy legislation in the world.

Does this apply to Australian businesses?

There has been much confusion about what this means for businesses, including what impact this will have on businesses outside of the EU. In short, because the law covers data protection and privacy provisions relating to the people who are residents in Europe, it potentially affects all enterprises, regardless of location, that are doing business with customers in the EU and EEA. Beyond individual retail customers, Australian businesses will also need to consider their relationships with corporate clients or corporate customers in the EU, i.e. the other businesses you deal with.

According to the Office of the Australian Information Commissioner, Australian businesses that may be covered by the GRPR include:

  • an Australian business with an office in the EU
  • an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
  • an Australian business whose website mentions customers or users in the EU
  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

The last of those categories is perhaps the most complex to unpack. While your business may not actively collect the personal information of individuals in the EU, the GDPR might come into play through your relationships with customers or suppliers. The question to ask being ‘do I deal with personal information held by an EU corporate customer?’

What will my EU-based business partners expect from me?

Any EU-based company you deal with will certainly be subject to the GDPR. This means, in order to remain compliant, they are likely to be ensuring all their arrangements with other businesses worldwide are also compliant. This is especially relevant here in that the European Commission have not recognised Australia as having ‘adequate privacy laws’, which means additional ‘appropriate safeguards’ have to be put in place by organisations who want to transfer information to Australian service providers. In practical terms, this might mean your EU corporate clients will be looking for amended contracts and agreements that cover their responsibilities under the GDPR and may mean you having to change your policies and procedures to accommodate that. Achieving that might also mean looking more broadly at the whole supply chain and the policies of your service providers.

What impact has the GDPR already had on businesses?

Although the GDPR has only recently come into force, complaints have already been filed against Facebook, Google, Instagram and Whatsapp. The allegations, among other issues, objected that consent is only requested with respect to the entire Privacy Policy on an ‘all or nothing’ basis. The GDPR, however, requires that an individual has given consent to the processing of his or her personal data for one or more specific purposes. In addition, ‘consent’ must be freely given, specific, informed and represent an unambiguous indication of the data subject’s wishes.

Many commentators have suggested that privacy and data processing legislation worldwide is likely to tighten up and move towards the GDPR model. Bearing that in mind, as well as any ways in which the GDPR might affect you now, it may be wise to audit your policies and procedures in this area to ensure you are well prepared. It’s a complex situation and the action that needs to be taken will vary from one company to the next depending on their specific circumstances. If you are unsure it may be wise to seek specialist advice.