European Union flags

EU GDPR – What the EU General Data Protection Regulation means for your Australian Business

After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.

The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover, as noted by Wikipedia.

The GDPR also brings a new set of “digital rights” for EU citizens in an age when the economic value of personal data is increasing in the digital economy.


GDPR Implications for Australian Businesses

GDPR is viewed as one of the most aggressive data protection regulations in the world and is designed to consistently protect personal data for EU citizens. The regulation means that any organization interacting with and storing the data of an EU citizen will be subject to fines for noncompliance.

Australian businesses with customers in the EU, or that operate in the EU, should confirm whether they are covered by the GDPR, and if so, take steps to ensure compliance by May 2018.

Australian businesses that may be covered include:

  • an Australian business with an office in the EU

  • an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros

  • an Australian business whose website mentions customers or users in the EU

  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.


What your company must do if it is covered by the GDPR

The European Commission has a infographic that makes it easier for businesses to understand what they must do if they are covered by the GDPR. 

To protect the rights of people giving you their data your company must:

Communication Use plain language.

Tell them who you are when
you request the data.

Say why you are processing
their data, how long it will
be stored and who receives it.

Consent Get their clear consent
to process the data.

Collecting from children
for social media?
Check age limit
for parental consent.

Warnings Inform people of data breaches
if there is a serious risk to them.
Erase Data Give people
the ‘right to be forgotten’.
Erase their personal data
if they ask,
but only if it doesn’t compromise
freedom of expression
or the ability to research.
Marketing Give people the right
to opt out of direct marketing
that uses their data.
Safeguarding sensitive data Use extra safeguards
for information on
health,
race,
sexual orientation,
religion and
political beliefs.
Data transfer outside the EU Make legal arrangements
when you transfer data
to countries that have
not been approved
by the EU authorities.

The cost of non-compliance

The GDPR gives supervisory authorities the power to impose administrative fines for contraventions, with fines of up to €20 million or 4% of annual worldwide turnover, whichever is greater for certain types of contraventions

GDPR Cost of non-compliance

Share this Post

Questions?

We love to help, get in touch with us