General Data Protection Regulation (GDPR)

We didn’t think we needed to publish this, but as we have been contacted by so many clients and other parties this week, we thought we’d share a summary of some practical information and guidance around the GDPR and Australian privacy law.  Note: this is not legal advice, as you obviously need to know each client’s particular business arrangements, technology platform and circumstances and then apply the relevant laws.

Please note that since the GDPR took effect in the European Union (EU) last Friday (25/5/2018), in practical terms it only affects Australian businesses that, broadly:

  • have an establishment in the EU,
  • offer goods or services to individuals in the EU, or
  • monitor the behaviour of individuals in the EU.

Are Australian businesses affected by the GDPR?

In practice, most ‘purely’ Australian businesses are not caught by the GDPR, as they simply don’t have any of the above dealings with the EU, although many of you will have noticed being ‘spammed’ lately with “please review & agree to our new Privacy Policy” pop-up messages from various services and websites.

However, bearing in mind:

  • modern Australian-based businesses’ potential for international commerce with individual consumers (whether by direct trade, websites, apps or otherwise);
  • their future capabilities and any expanded markets or service offerings; and
  • whether you want to follow ‘best practice’,

you may nonetheless want to upgrade your Privacy Policy so that you have a contemporary, GDPR-compliant one.

By the way, if you are required to be GDPR-compliant, the legal and financial risks of not doing so are massive (administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, and such fines are generally uninsurable).

This is of course in addition to the reputational damage that will inevitably follow in this modern, ultra-fast-paced world. As a recent case in point, just ask Roseanne Barr…

Status of the Australian Privacy Act

Further, for anyone who isn’t aware, the Australian Privacy Act has had two substantive amendments since 2014; namely:

So whilst a suitably qualified and experienced commercial lawyer should be able to review and update your Privacy Policy to comply with the GDPR, critically it is not just a “bespoke legal advice and drafting exercise”.  It is also very much a review of internal procedures, an analysis of technology platforms, and a governance and compliance exercise for each individual business in relation to how it handles personal information and data.

For your ease of reference, here’s a link to the OAIC’s very helpful article on “Australian Businesses and the GDPRs”

What your business can do to help ensure it’s GDPR-compliant

So any business that thinks it may be affected by the GDPR should at least briefly review and consider the ‘accountability and governance’ and ‘consent’ requirements, particularly in relation to data processing (and we do appreciate there is a bit to it).  This will be the most time- and cost-effective approach, and it will also assist your lawyer in then suitably updating your Privacy Policy to comply with the GDPR.

Further, please note that if your business does not have an establishment in the EU but is otherwise caught by the GDPR, it will generally also have to appoint a ‘representative’ established in one of the EU member states where the individuals whose data you process are located (the GDPR exempts only occasional, low-risk processing from this requirement).

You will also need to undertake a ‘data protection impact assessment’ (DPIA) where your processing is likely to result in a high risk to individuals (for example, large-scale or systematic monitoring), evaluate your current technology platforms, and make sure your business has end-to-end compliance.

For example, do you have technology platforms and data storage systems (Google Drive, Dropbox, MailChimp, anyone?) that would hold, maintain or access ‘personal information’ and which use the cloud, and