After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. Enforcement date: 25 May 2018 – at which time those organizations in non-compliance may face heavy fines.
The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover, as noted by Wikipedia.
The GDPR also brings a new set of “digital rights” for EU citizens in an age when the economic value of personal data is increasing in the digital economy.
GDPR Implications for Australian Businesses
GDPR is viewed as one of the most aggressive data protection regulations in the world and is designed to consistently protect personal data for EU citizens. The regulation means that any organization interacting with and storing the data of an EU citizen will be subject to fines for noncompliance.
Australian businesses with customers in the EU, or that operate in the EU, should confirm whether they are covered by the GDPR, and if so, take steps to ensure compliance by May 2018.
Australian businesses that may be covered include:
an Australian business with an office in the EU
an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros
an Australian business whose website mentions customers or users in the EU
an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
What your company must do if it is covered by the GDPR
The European Commission has an infographic that makes it easier for businesses to understand what they must do if they are covered by the GDPR.
To protect the rights of people giving you their data your company must:
Communication: Use plain language.
Tell them who you are when
Say why you are processing

Consent: Get their clear consent to process the data.
Collecting from children

Warnings: Inform people of data breaches if there is a serious risk to them.

Erase Data: Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.

Marketing: Give people the right to opt out of direct marketing that uses their data.

Safeguarding sensitive data: Use extra safeguards for information on

Data transfer outside the EU: Make legal arrangements
The cost of non-compliance
The GDPR gives supervisory authorities the power to impose administrative fines for contraventions; for certain types of contraventions, fines can reach up to €20 million or 4% of annual worldwide turnover, whichever is greater.