After extensive consideration, the EU’s new General Data Protection Regulation (Regulation) has now been finalised. Although it does not come into effect until 25 May 2018, it contains obligations which will affect some Australian organisations and will require time to prepare for.
All Australian organisations, regardless of their size, will need to comply with the Regulation if they:
The Regulation applies to ‘personal data’, which is defined in Article 4 as “any information relating to an identified or identifiable natural person”. This definition is largely analogous to the definition of ‘personal information’ in s 6(1) of Australia’s Privacy Act, which is defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.
Whilst many of the requirements under the Regulation overlap with requirements Australian companies already need to meet under Australian privacy laws, there are some additional obligations. The key differences are as follows:
Under Article 37, the following entities will be required to designate a Data Protection Officer (DPO) as part of their accountability programme:
The DPO will be responsible for monitoring and advising on compliance with the Regulation, as well as with the organisation’s internal privacy policies and procedures. Accordingly, the DPO will need to have sufficient expert knowledge of the processing activities for which they will be responsible.
When deleting personal data, data controllers are also required to take reasonable steps to inform other controllers also processing the same data of any links to, copies of, or replication of that data.
Article 20 provides individuals with a right to:
This right only extends to data which the individual provided to the controller themselves, and the transfer can only occur where the individual consents, or where it is required for the performance of a contract.
Under Article 34, all data controllers will be required to notify the appropriate Data Protection Authority without undue delay, and within 72 hours if feasible, where there has been a data breach leading to the loss, access or disclosure of personal data.
The individual to whom the data relates should also be notified if the breach is likely to result in a high risk to their rights and freedoms.
This is a lower threshold than under the new Australian requirement to notify of serious data breaches, and will therefore apply to a wider range of breaches.
Australian organisations should begin preparations now to ensure they are ready for the introduction of the Regulation in 2018. Organisations should:
Organisations should also take this as an opportunity to review their current privacy policies and compliance with Australian privacy laws.