On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect across the European Union.
The GDPR will harmonise the data protection rules essential to data-driven marketing across the European Union. It won’t just affect those companies based in the EU, but may also extend to any organisation holding data about individuals based in Europe. In essence, this means that Australian companies may be affected by the new laws.
The OAIC recently published its Guidance for Australian businesses on the GDPR and how it considers Australian businesses may be affected by the GDPR. According to the OAIC, the GDPR may apply to:
• an Australian business with an office in the EU;
• an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros;
• an Australian business whose website mentions customers or users in the EU; or
• an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Whether and to what extent the GDPR applies to Australian companies still remains uncertain, but it is worth noting that there are many commonalities between the GDPR and Australian privacy laws.
For example, both frameworks mandate a privacy-by-design approach to compliance, require businesses to demonstrate compliance with privacy principles and obligations, and adopt transparent information-handling practices.
There are also some significant differences between Australian privacy laws and the GDPR, including expanded rights for individuals under the EU regulation. Under the GDPR, individuals have a right to erasure, which encompasses the ‘right to be forgotten’ and requires organisations to delete individuals’ data in certain circumstances. Importantly, if an organisation is required to erase personal data relating to an individual, it must also take reasonable steps to inform the individual of any links to, copies of, or replication of that personal data.
In addition, EU citizens have a right to data portability, requiring organisations to provide individuals, upon request, with a machine-readable copy of their personal information, and a right to restriction of processing.
It is essential for data-driven marketers and businesses to consider whether their activities are affected by the GDPR, and what steps they must take to ensure compliance, as the fines for non-compliance under the GDPR are substantial. Companies may be fined up to €20m or 4% of their annual worldwide turnover for failure to comply.