We didn’t think we needed to publish this, but as we have been contacted by so many clients and other parties this week, we thought we’d share a summary of some practical information and guidance around the GDPR and the privacy laws. Note: this is not legal advice, as obviously you need to know each client’s particular business arrangements, technology platform and circumstances and then apply the relevant laws.
Please note that although the GDPR came into effect in the European Union (EU) last Friday (25/5/2018), materially it will only affect Australian businesses that broadly:
· have an establishment in the EU,
· offer goods or services to individuals in the EU, or
· monitor the behaviour of individuals in the EU.
Are Australian businesses affected by the GDPR?
Even where none of the three tests above applies today, you should consider:
- modern Australian-based businesses’ potential for international commerce with individual consumers (whether by direct trade, websites, apps or otherwise);
- their future capabilities and any expanded markets or service offerings; and
- whether you want to subscribe to ‘best practice’.
By the way, if you are required to be GDPR-compliant, the legal and financial risks of not doing so are massive (and uninsurable). https://www.eugdpr.org/gdpr-faqs.html
This is of course in addition to the reputational damage that will inevitably occur in this modern, ultrafast-paced world. As a recent case in point, just ask Roseanne Barr…
Status of the Australian Privacy Act
Further, for anyone who isn’t aware, the Australian Privacy Act has had two substantive changes since 2014, namely:
- on 12 March 2014 the Australian Privacy Principles (APPs) commenced; and
- on 22 February 2018 the Notifiable Data Breaches (NDB) scheme, administered by the Office of the Australian Information Commissioner (OAIC), commenced.
For your ease of reference, here’s a link to the OAIC’s very helpful article on “Australian businesses and the EU General Data Protection Regulation”: https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation
What your business can do to help ensure it’s GDPR-compliant
Further, please note that if your business is subject to the GDPR but is not established in the EU, it will generally also have to appoint a ‘representative’ established in one of the EU member states (GDPR Article 27), subject to limited exceptions for occasional, low-risk processing.
You will also need to undertake a ‘data protection impact assessment’ (a DPIA, which the GDPR requires where processing is likely to result in a high risk to individuals), evaluate your current technology platforms and make sure your business is compliant end to end.
For example, do you have technology platforms and data storage systems (Google Drive, Dropbox, MailChimp anyone?) that would hold, maintain or access ‘personal information’ and which use the cloud, and
- that’s assuming you truly understand what “the cloud” is (https://www.zdnet.com/article/what-is-cloud-computing-everything-you-need-to-know-from-public-and-private-cloud-to-software-as-a/); and
- if they are in the cloud, do you know in which countries those providers store and process your data? Some providers (Microsoft’s Azure, for example) let you choose Australian regions, but a provider’s default region may be elsewhere, and because Australia has no EU ‘adequacy’ decision, moving EU personal data to Australia is itself an international transfer that needs a lawful transfer mechanism under the GDPR.
- you’ll also have to work out whether your business is a ‘controller’ (it decides why and how personal data is processed), identify the people who will own compliance internally (some businesses must appoint a formal data protection officer), and identify your third-party ‘processors’, i.e. contractors or external service providers that handle personal data on your behalf, each of which needs a written contract meeting the GDPR’s requirements.