Fulfil GDPR privacy obligations or face possible penalties

On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) comes into force. Under the GDPR, the EU’s Information Commissioner’s Office (ICO) could fine an Australian organisation the greater of €20 million or 4% of its worldwide turnover for the past twelve months for breaching the GDPR, even if the organisation is not located in the EU. This raises many pressing questions for Australian organisations. Let’s look at them.

How can the GDPR apply to organisations outside the EU?

The GDPR protects “data subjects”, who are, in essence, individuals in the EU, and gives them the right to complain about how an organisation handles their personal data. Therefore, the application of the GDPR is concerned with the location of the individuals being protected rather than the organisation processing the data. If the personal data of an individual from the EU is being processed in Australia, the GDPR says that the organisation must comply with the GDPR.

Practically, what happens if someone complains that an organisation has breached the GDPR?

If a complaint is made against an Australian organisation, we do not expect the ICO to chase down the organisation in Australia. Therefore, if the organisation does not have assets in the EU, there are significant practical challenges to any fine being enforced. However, this does not mean that Australian organisations should ignore the GDPR. Even if they may never actually have to pay a fine, Australian organisations should consider the potential reputational damage of having the ICO find that there has been a breach.

So, what does the GDPR require?

The GDPR contains six data protection principles which set out the main responsibilities for organisations. The principles require that personal data must be:

1. processed lawfully, fairly and in a transparent manner;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
6. processed in a manner that ensures appropriate security of the personal data.

These principles overlap significantly with the Australian Privacy Principles in the Privacy Act, though some terminology is different. In most cases, if an organisation complies with the Australian Privacy Principles, it will also comply with the data protection principles in the GDPR. Therefore, the GDPR may not make a practical difference to an organisation’s privacy practices. However, given the possibility of a €20 million fine, the GDPR should motivate organisations to fulfil their privacy obligations.

How does an organisation know if it has to comply with the GDPR?

There are some simple questions an organisation can ask to work out whether it has to comply with the GDPR. The first is whether the information is personal data. Personal data is information which is capable of identifying a living individual (in the EU). This could be a name, an email address, a photo or some other type of information. If the information is not personal data (or the individual is not in the EU), the GDPR does not apply.

Secondly, is the organisation processing the data? Processing is defined broadly as any operation performed on the data, including collecting and storing it. If an organisation has the data, it is processing it.

Finally, does the organisation have a legitimate purpose for processing the data? An organisation cannot simply process data for any reason.

What are the relevant legitimate purposes?

There are four purposes that are likely to be relevant to Australian organisations:

1. Consent. If an individual clearly consents to the organisation processing their information, the organisation may process it.
2. Contract. If processing the data is necessary for a contract, the organisation can process it without the consent of the individual. This includes processing information to perform obligations under a contract and gathering information before entering into a contract.
3. Legal obligation. If the organisation is required by law to process the information, it can do so without consent.
4. Legitimate interest. If the organisation has a legitimate interest in processing the information, it can do so. For example, if the organisation has a list of contacts and a legitimate interest in marketing to them, it may process the data to market to those people. However, this requires a balance between the legitimate interests of the organisation and the protection of the individuals’ information. If the organisation relies on this ground, the onus will be on it to prove that it went through a considered process before processing the data. This will require completing the legitimate purpose assessment form.

Are there higher standards for sensitive data?

Yes, there are special provisions for processing data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Typically, an organisation will require specific consent to process data of these kinds.

Is there more to it?

Of course! This is only an overview. The GDPR is a far reaching law with significant punitive powers. Australian organisations must be mindful of it when dealing with personal data from the EU. If your organisation has not been taking privacy seriously up to this point, it should take this opportunity to establish good policies and practices. Even if your organisation has established policies and practices, take the time to review them.

Please contact %8D%A3%B6%97%D1%96%91sg%A6%D1%C5%98y for help in drafting or reviewing such policies.

If you would like to subscribe to our not-for-profit newsletter, click here.