Australian Businesses caught by EU General Data Protection Regulation (GDPR)

You have probably received a flurry of emails in recent weeks from organisations notifying you of updates to their privacy policy. This is no coincidence; it is a result of the General Data Protection Regulation coming into force in the European Union. By now you are probably asking yourself: if so many other organisations are updating their policies because of GDPR, should we be doing this as well?

If your business collects or processes personal information from or in relation to European residents, or supplies goods or services in Europe, then your business will likely be required to comply with the GDPR. The GDPR requirements are broad, have effect internationally and can be difficult to navigate.

However, the best thing you can do now is to carefully consider how data flows into and out of your organisation, and to whom. Once you have thought about this, you can review your operations to assess whether you need to comply with the GDPR and how your current systems stack up against its requirements.

We’re finding that most Australian organisations that interact with European residents will at least have to update their current privacy policy, systems and processes to ensure compliance with the GDPR. In particular, they will need to meet the consent requirements for the collection and use of personal data from individuals in the European Union. If your business collects sensitive information (i.e. health or biometric data) from European residents, it may also need to arrange to have an office at which notices can be served by supervisory authorities and individuals in the European Union on all issues related to data processing.

Finally, it is worth noting that the GDPR takes compliance seriously. Businesses in serious breach of the GDPR can be fined the higher of €20 million or 4% of their total worldwide annual revenue for the preceding financial year. That’s obviously a good incentive to ensure that you get your house in order when it comes to all things privacy related!

The GDPR came into effect on 25 May 2018, so if your business is not already taking action to ensure compliance, please contact Rebecca Halkett for assistance.