The General Data Protection Regulation (GDPR) is a regulation in European law designed to protect the personal data of individuals in the European Union. Its primary aim is to give individuals protection, rights of control over and access to their data held by entities both within and outside the EU. 

Produced by AFC Patron Member Marque Lawyers, AFC Members have access to the GDPR Compliance Checklist located in the Business Toolkit - View here

What is the GDPR

Its full title is the General Data Protection Regulation, and it is a set of rules governing the collection, use and disclosure of personal data of people residing in the EU. It is certainly the most strict set of privacy laws worldwide, and is quickly becoming the benchmark for businesses operating internationally.

But I’m an Australian business, does it apply to me?

Possibly. Unlike Australian privacy law, the test of whether a business is bound by the GDPR is based on the location of its customers, not the location of the business.

If you satisfy any of these three tests you will be bound:

1. 1. A presence in the EU. If you have an office or stores in any EU country;

1. 2. Offer goods or services to people in the EU. This is the test which causes the most angst. There are a few issues to consider here, the mere fact that people in the EU can purchase your product online is not enough to make you bound. Instead, the regulator will look at whether you target customers in the EU, which could include enabling payment in EU currencies, having EU language versions of your website, and engaging with advertising targeted at people in the EU; or

1. 3. Monitoring the behaviour of individuals in the EU. This includes tracking the online behaviour of customers in the EU who visit your website via cookies.

Also, there is no turnover threshold – businesses of any size will be caught. Australian businesses are only bound by the privacy laws here once their turnover exceeds $3 million, so many Australian brands find themselves needing to comply with the GDPR while not having any privacy obligations at home.

How do I comply?

Overall, the rules are quite similar to those in Australia, but just more extreme. There are more strict IT security measures, methods of obtaining consent from customers to use their data, record keeping obligations, and quite specific contractual obligations which must be in place with suppliers who you might disclose personal data to.

You may also be required to appoint a person to act as your representative in the EU.

The data breach reporting obligations are much stricter than in Australia, and you will generally have to report a data breach to the regulator (and the individuals affected) within 72 hours of becoming aware of the breach. You need to have internal procedures in place to assess and manage data breaches.

Your privacy policy will also need some tweaks to be GDPR compliant.

Also, customers have much stronger rights to tell you what to do with your information. This includes a right to be forgotten (with some exceptions) – if a customer requests it, you must delete all the data you have on them.

What are the consequences if I am in breach?

 Severe. The maximum fine a business can face for breaching the GDPR is EUR 20 million or 4% of turnover (whichever is greater).

Google is currently the gold medal holder for largest GDPR fine – in 2019 it was hit with a EUR 50 million fine for not seeking proper consent to use customers’ data for targeting advertising.

Does it also apply in the UK post Brexit?

 Basically, yes. While technically not the GDPR anymore, the UK adopted all of the rules of GDPR as their own domestic laws post Brexit.

Conclusion

 The GDPR is a pain, but compliance is manageable.