GDPR for Australian Businesses
Speak to a privacy lawyer today to get your GDPR compliant Privacy Policy.
IT and Startup Lawyers provide technology, commercial and corporate law services to startups and small to medium size enterprises. Our Privacy Lawyer can assist with the GDPR for Australian businesses by advising on privacy compliance and drafting Privacy Policies which are compliant with both the Australian Privacy Act 1988 (Cth) (Privacy Act) and the General Data Protection Regulation (GDPR).
What are the implications of the GDPR for Australian Businesses?
Consider the consequences of compliance failure. Fines exceeded €126 million by 2020.
The introduction of the GDPR by the European Union (EU) in early 2018 caused a flurry of confusion and concern for its stringent requirements that seemingly impacted businesses not only in the EU, but across the globe.
This concern is not without merit. Non-compliance with the regulation can result in heavy fines of up to 4 percent of global annual revenue or €20 million, whichever is higher. Since its introduction, regulators have in fact fined Google €50 million, an internet service provider €9.6 million, Cathay Pacific €560,000 and many more companies, totalling more than €126 million.
The question heavy on the minds of Australian businesses is: does the GDPR apply to us?
Do Australian businesses need to be GDPR compliant?
Understand your compliance obligations
Determining whether a business falls within the purview of the GDPR is not a black and white question. The GDPR provides scope for businesses not physically located within the EU to fall within its jurisdiction.
Article 3 of the GDPR sets out the territorial scope of the GDPR, that is, where it applies. It states:
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
So, what compliance obligations are there relating to the GDPR for Australian Businesses?
Well, firstly, if you are an Australian business offering goods or services, whether paid or free, to an EU citizen or resident, then you certainly fall within the GDPR. The grey area is the second limb of the article, which relates to monitoring the behaviour of EU citizens and residents. This is where a Privacy Lawyer with experience in this area can help you understand your risks and obligations.
Two years on, the GDPR is certainly something that businesses, particularly those working with a global customer base, should be considering when drafting their Privacy Policy.
So how can Australian businesses be GDPR compliant?
Need assistance with privacy compliance?
The fundamental concept of the GDPR is “privacy by default and design”; this means that businesses are required to have clear processes and procedures to protect data. Furthermore, Articles 12, 13 and 14 of the GDPR set out the need for businesses to communicate certain privacy-related information to individuals.
Therefore, the best way to comply with the GDPR is to create a compliant Privacy Policy that your company adheres to and publish it so that your customers can clearly understand their rights and responsibilities.
Some of the fundamental components your Privacy Policy will need to include are: under what circumstances your business collects and stores information, how exactly it is collected and stored, what is done with the information that is stored, and how individuals can access their data or request its amendment or erasure.
Is a GDPR Privacy Policy different to an Australian Privacy Policy?
There is some crossover between Australian and EU privacy law, but there are also differences.
The Privacy Policy requirements of the GDPR for Australian Businesses are not necessarily onerous; however, they do need to be considered.
Fortunately for Australian businesses, GDPR Privacy Policies and Australian Privacy Policies are generally similar. However, there are some notable differences. These include that the Privacy Act has exemptions in place for certain small businesses, whereas the GDPR applies to businesses of any size within the jurisdiction discussed above. Additionally, the GDPR clearly gives individuals the right to erasure of any data stored.
Considering the consequences for non-compliance and the complexities of the GDPR, we highly recommend Australian businesses get assistance from a Privacy Lawyer when drafting their Privacy Policy. At IT Lawyers Brisbane we have helped companies across Australia ensure they have GDPR compliant Privacy Policies and look forward to helping you with yours!