Does GDPR apply to your business? Are you sure?

Prepared by Julia Winzar.

Six months on from the commencement of the European Union General Data Protection Regulations (GDPR) and there still seems to be a lot of confusion amongst Australian businesses about how the GDPR applies to them and what steps they need to take to ensure compliance with the GDPR requirements.

Some businesses are not even aware that the GDPR applies to them. The fact that the GDPR will apply to your business if you are providing your products or services directly to individuals located in the EU or if you have an office in the EU seems to be well understood. However, there is a common misconception that this is the only way that your business will be caught. The GDPR will also apply if you are “monitoring” the activities of an individual in the EU. Monitoring activities will include activities such as performing AML checks (even if your customers are Australian based, beneficial owners or directors may not be), fraud prevention monitoring and other types of transaction monitoring.

Other common misconceptions include that the GDPR will only apply where:

  • Your customer is an EU resident or citizen. The GDPR obligations in fact apply to individuals when they are “located” in the EU, so this will extend to customers that are in the EU for a short period of time (even technically when they are travelling).
  • A significant percentage of your customer base are resident in the EU. There is no threshold test under the GDPR and as a result, the GDPR obligations can apply where only a small number of your customer base are located in the EU.

Once the business determines that it is subject to the GDPR, the next step is to identify the steps it needs to take to ensure compliance with these obligations. There are a number of similarities between the GDPR requirements and your existing obligations under the Australian privacy laws, however there are also some key differences.

One of the more onerous obligations under the GDPR is the requirement to appoint a representative in the EU. The role of the EU representative is to act as a point of contact for EU individuals and as an intermediary between the business and the relevant EU regulatory authority. The engagement process can be quite involved with a majority of the EU representatives we have assisted our clients to deal with requiring the client to undergo an in-depth due diligence process to confirm that they are in compliance with the GDPR obligations.

Other key obligations under the GDPR include the items set out below:

– Review your current service provider agreements to identify service providers that:

  • process EU personal information on your behalf (processing activities include storing, collecting and sorting personal information)
  • are located overseas to whom you disclose EU personal information.

Agreements with these service providers will need to be updated to include a set of standard  contractual clauses.

– Update your privacy statements/notices of collection to include additional GDPR notification matters.

Update your data breach response procedures to ensure that any data breaches involving the personal information of EU individuals are notified to the relevant EU regulatory authority where required and within applicable timeframes.

Update your internal privacy procedures to ensure they reflect the additional GDPR requirements and rights given to individuals in relation to their personal information.

Keep a record of all processing activities, including information about the purposes of the processing, categories of data subjects and personal information, categories of recipients to whom the personal information has been disclosed and a general description of the technical and organisational security measures the business has implemented.