The European Union General Data Protection Regulation (GDPR) is a privacy and data protection law which originated in the European Parliament to protect the personal data privacy of European citizens.
I’m an Australian business. Why should I care about the GDPR?
Put simply, the GDPR has “extra-territorial” reach: it can apply to businesses outside the EU. Being an Australian business therefore does not automatically exempt you from the GDPR. There does need to be some connection with the EU (discussed later) before the GDPR will apply, of course, but the GDPR rules determine whether this connection exists.
Knowing when and how to comply with the GDPR – if it applies to you – is important. Firstly, penalties for breach are huge. A breach can result in a maximum fine of €20 million (about AUD $32 million) or a sum equivalent to 4% of your annual global turnover. Of course, the worst-case scenario isn’t always going to play out, but with an increasing global focus on privacy and data protection – at the same time as an increasing focus on global deployment of brands, technologies and information – it makes sense to get across compliance to reduce organisational risk.
Getting across compliance is not just about reducing your legal and financial risk, though. It is also worthwhile, to:
(a) give your customers comfort that you know what you’re doing and that you won’t compromise their personal information – this is about brand perception and confidence, and
(b) give your business partners, suppliers and commercial customers comfort that you know what you’re doing, and you won’t place them in an untenable position regarding their own compliance, their customers’ information, and their global reputation.
In fact, if your business deals with any other businesses which are subject to the GDPR, those businesses will generally need you to do things, or sign up to things, as part of their own compliance measures. This is especially so if you deal with (or want to deal with) larger or more sophisticated players in the global market: awareness and appropriate processes for compliance will be a “non-negotiable” expectation.
Ambivalence about data protection regulation is increasingly risky for Australian businesses in today’s globalised, interconnected and data-driven economy. The GDPR is undoubtedly a very intricate piece of legislation with unprecedented territorial reach in the area of personal data protection. But it is also the bellwether of an increasingly complex personal data regulatory landscape, and of increasingly high societal expectations as to the treatment of personal data, across the world. Therefore, a detailed assessment of forward-looking practices and compliance measures (rather than simply an assessment as to whether your business can “escape” the GDPR’s reach at present) is highly valuable in reducing business risk and personal risk to customers, and in bolstering ongoing capability, adaptability and compliance in a changing landscape.
How do I work out if the GDPR applies to my business?
The GDPR regulates the processing of personal data. It originated in the European Economic Area (EEA) and intends to protect people who are from the EEA.
The key considerations are therefore these:
1. Does your business process personal data according to the GDPR?
2. Does your business' data processing have a connection to the EEA, according to the GDPR?
If the answers to both of these questions are "yes", then the GDPR will likely apply. These criteria can get quite technical, though, so it is worth taking a closer look.
Question: Does your business process personal data (according to the GDPR)?
Personal data includes any information relating to an identified or identifiable “natural” person (i.e. a human). Information that could be used to distinguish (i.e. single out) an individual from others is considered personal. It may be a person’s name, an identification number, location data, or an online identifier such as an IP or MAC address.
Many operations performed on personal data count as “processing” under the GDPR. Processing includes the collection, recording, or organisation of personal data. Even merely storing or erasing personal data is captured by the GDPR.
Therefore, if your business collects information like customer names and contact details through your website, it processes personal data.
Question: Does your business, or its data processing, have a connection to the EEA (according to the GDPR)?
The GDPR applies to a business' data processing activities if there is a connection with the EEA. The EEA connection could relate to your business (in its data processing activities), or it could relate to the data processing activities themselves.
The connection exists with your business if the GDPR considers your business to have an “establishment” in the EEA, and your business processes personal data in the context of the establishment's activities. An example of an establishment is having an office, branch or subsidiary in the EEA.
The connection exists with your business' data processing activities if the GDPR considers your business to be “targeting” or “monitoring” people in the EEA. You don't need to have a presence in the EEA to have this connection. One example is where your business’ website allows people in the EEA to buy something or tracks their activity on the site, even though your business may have no physical presence or office in the EEA.
As you can see, the answer is not always obvious. In the following GDPR articles, we will further explore how these connections between your business and the EEA might play out in practice.
Please note that this article is intended to provide an overview of the relevance of the GDPR to Australian businesses, and is not legal advice or tailored to your business' circumstances.