The General Data Protection Regulation (GDPR) is a regulation in European law designed to protect the personal data of individuals in the European Union. Its primary aim is to give individuals protection, rights of control over and access to their data held by entities both within and outside the EU.
Produced by AFC Patron Member Marque Lawyers. AFC Members have access to the GDPR Compliance Checklist located in the Business Toolkit.
What is the GDPR?
Its full title is the General Data Protection Regulation, and it is a set of rules governing the collection, use and disclosure of personal data of people residing in the EU. It is certainly the strictest set of privacy laws worldwide, and is quickly becoming the benchmark for businesses operating internationally.
But I’m an Australian business, does it apply to me?
Possibly. Unlike Australian privacy law, the test of whether a business is bound by the GDPR is based on the location of its customers, not the location of the business.
If you satisfy any of these three tests, you will be bound:
Also, there is no turnover threshold – businesses of any size will be caught. Australian businesses are only bound by the privacy laws here once their turnover exceeds $3 million, so many Australian brands find themselves needing to comply with the GDPR while not having any privacy obligations at home.
How do I comply?
Overall, the rules are quite similar to those in Australia, just more extreme. There are stricter IT security measures, methods of obtaining consent from customers to use their data, record-keeping obligations, and quite specific contractual obligations which must be in place with suppliers to whom you might disclose personal data.
You may also be required to appoint a person to act as your representative in the EU.
The data breach reporting obligations are much stricter than in Australia, and you will generally have to report a data breach to the regulator (and the individuals affected) within 72 hours of becoming aware of the breach. You need to have internal procedures in place to assess and manage data breaches.
Also, customers have much stronger rights to tell you what to do with their information. This includes a right to be forgotten (with some exceptions) – if a customer requests it, you must delete all the data you have on them.
What are the consequences if I am in breach?
Severe. The maximum fine a business can face for breaching the GDPR is EUR 20 million or 4% of turnover (whichever is greater).
Google is currently the gold medal holder for the largest GDPR fine – in 2019 it was hit with a EUR 50 million fine for not seeking proper consent to use customers’ data for targeted advertising.
Does it also apply in the UK post-Brexit?
Basically, yes. While technically not the GDPR anymore, the UK adopted all of the rules of the GDPR as its own domestic law post-Brexit.
The GDPR is a pain, but compliance is manageable.