What is the GDPR and does it affect my organisation?

The European Union General Data Protection Regulation (GDPR) came into effect on 25 May 2018.

Although the GDPR came into force on the other side of the world, its effects are far reaching and Australian businesses cannot ignore it.

Many Australian businesses have carried out reviews of their privacy policies and notifiable data breach procedures following the amendments to the Privacy Act1 which came into force earlier this year.

Businesses affected by the GDPR will need to ensure that its stringent requirements are complied with, or risk the consequences.

What Australian businesses does the GDPR apply to?

In contrast to the Australian privacy legislation, the GDPR applies to all Australian businesses, irrespective of size, in certain circumstances:

The GDPR applies to:

  • the processing of personal data of a business within the EU, even if the processing takes place outside the EU.
  • the processing of personal data of subject who are in the union by a controller or processor not established in the EU, where the processing activities are related to:
    • the offering of goods or services; or
    • the monitoring of the EU behaviour of persons within the EU.2

Accordingly, the GDPR applies to Australian businesses:

  • with an office in the EU, irrespective of whether or not data is processed there;
  • who has customers within the EU who subscribe to its website;
  • that holds personal data of persons within the EU; and
  • that has persons within the EU on its payroll. (Unlike the Australian privacy legislation, payroll information is not exempt).
The practical effect will be that even if you are a small business with a website to which individuals within the EU subscribe, you will be subject to the GDPR.

Whose information is subject to the GDPR?

Article 3 of the GDPR states:
‘this Regulation applies to the processing of personal data of data subjects3 who are in the Union’
There has been a considerable amount of debate as to who is a ‘data subject’.
There is no reference to an ‘EU citizen’, or to a permanent resident of the EU in the GDPR.
The preferred interpretation is that the GDPR applies to residents of the EU only, but of any nationality.
We anticipate that there will be considerable further debate in relation to this issue in the next few years and we will provide updates as the debate develops.

Data controller and data processor

The GDPR introduces the new concepts of a data controller and a data processor.4
In certain circumstances, a data protection officer must be appointed to monitor and advise on compliance with the GDPR.5  This requirement is likely to lead to major changes in data management frameworks globally over the next few years.
A compulsory data protection impact assessment must be carried out where the type of data processing is likely to result in a high risk for the rights and freedom of individuals.6
Records of processing activities must be kept,7 and codes of conduct are encouraged to contribute to the proper application of the GDPR.
Broadly, a ‘controller’ is required to implement measures which enable data processing to be performed in accordance with the GDPR, and a ‘processor’ must provide sufficient guarantees to satisfy the controller that it will implement appropriate measures to ensure appropriate data processing.

What is the intent of the GDPR?

The GDPR introduces new rights for individuals in an attempt to limit the opportunity for identity fraud, including:
  • The concept of ‘consent’.  The GDPR requires that the consent of an individual to collection of his or her data is freely given.  Consent of the individual is required and it must be ‘freely given, specific, informed, and unambiguous’.8  Accordingly, it is no longer sufficient for a business subject to the GDPR to have a tick box where an individual consents to their personal data being used for ‘marketing’.  The GDPR makes specific reference to the collection of data in relation to contractual arrangements and it appears that particular attention will be given to data collected from an individual which was not necessary for the performance of the contract.9  If asked, a business will be required to prove that it has consent to use personal data with particular consideration given to lapsed and inactive customers.
  • The restriction on the collection of certain data, such as data relating to the racial or ethnic origin, political opinions, or religious beliefs of an individual are prohibited (subject to certain exceptions).10
  • Once data is collected, the controller must provide information regarding the data collected to the data subject, including, but not limited to, the identity and contact details of the controller;
  • A right to “data portability” which is a right to receive personal data an individual has provided to a data controller and to submit that to another data controller.11
  • A right to restriction of processing - an individual can now have a temporary restriction placed on the processing of his or her data if they have concerns about the accuracy of the information to enable the controller to verify the accuracy of the personal data.12
  • A right to be erased or ‘forgotten’13 - individuals now have a right to require data controllers to delete their data in certain circumstances, including, but not limited to the information no longer being necessary for the purpose for which it was collected, or the individual withdrawing his or her consent to the data being held.14
  • Overseas transfers of personal data are also affected.  Consideration will now be given to whether a particular country or international organisation ensures an adequate level of protection.15

Penalties for non compliance

The issue of compliance is another area that could have significant impacts on Australian companies.  If a company is found to not be complying with the GDPR, significant penalties can be imposed.  A financial penalty of up to €20 million or 4% percent of the annual global revenue of the company, whichever is higher, can be levied.

What should your business do now?

It remains to be seen just how far reaching the effects of the GDPR will be, but they cannot be ignored.
If you consider that your organisation is subject to the GDPR, you should obtain legal advice to ascertain what steps you need to ensure that your data collection processes and procedures comply with the GDPR.
Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.
Iain Freeman
Cyber & Data Protection


[1] Privacy Act 1988 (Cth)

[2] Article 3 GDPR.

[3] Article 4(1) GDPR – an identified or identifiable natural person.

[4] Article 24 and Article 28 GDPR.

[5] Article 37 GDPR.

[6] Article 35 GDPR.

[7] Article 30 GDPR.

[8] Article 4 (11) GDPR.

[9] Article 7 GDPR.

[10] Article 9 GDPR.

[11] Article 20 GDPR.

[12] Article 18 GDPR.

[13] Article 17 GDPR.

[14] Article 7 (3) GDPR.

[15] Article 45 GDPR.