Several countries and jurisdictions are increasing the protection afforded to personal information. The European Union’s General Data Protection Regulation (GDPR) is one of the most comprehensive measures worldwide to rebalance the data relationship between individuals and businesses.
The consequences for Australian businesses – of any size – that have an establishment in the European Union, offer goods and services in the European Union or monitor the behaviour of individuals in the European Union are potentially profound.
Under the GDPR data protection requirements – which came into effect on 25 May this year – businesses must meet obligations covering accountability and governance; consent; mandatory data breach notification; expanded rights for individuals; privacy notices; expanded rights for individuals; data control and processing; and overseas transfers of personal data.
For example, as a brief from the Office of the Australian Information Commissioner points out, ‘data controllers’ – typically businesses or organisations that decide why and how data should be processed – must advise supervisory authorities within 72 hours of becoming aware of a breach (unless the breach is unlikely to result in a high risk to individuals’ rights and freedoms).
If a data breach is likely to result in a high risk to the rights and freedoms of ‘natural persons’, the data controller needs to notify the individual without undue delay – unless exceptions to this notification requirement apply.
Affected businesses also need to be aware the GDPR gives individuals the right to require data controllers to delete their data in some circumstances – including when the information is no longer necessary for the purpose it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
The penalties for non-compliance are severe – many contraventions can attract fines of up to €20 million or 4% of annual worldwide turnover. For organisations that do business in the European Union and have not fully accounted for GDPR, the message is clear: review data management and control practices against GDPR requirements and, where required, take remedial action as quickly as possible. Talk to Neil or the FirstWave team today on +61 2 9409 7000 to discuss your GDPR requirements.
By Neil Pollock, COO and Head of International