What is the GDPR and when does it apply to Australian organisations?
Key compliance obligations under the GDPR
Dealing with overseas transfers
Complying with both the Privacy Act and the GDPR
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) came into force on 25 May 2018.
The GDPR is a regime of personal data protection requirements adopted by the European Parliament which regulates “personal data”. While the GDPR is EU law, it has unprecedented extra-territorial reach. If the GDPR applies to your organisation, you may need to make a number of significant changes in order to ensure compliance.
Broadly speaking, if your organisation has an “establishment” in the EU or:
- offers goods or services to; or
- monitors the online behaviour of people in the EU,
then it may be subject to the GDPR.
In this subtopic you will learn:
- what the GDPR is and why it is important;
- when the GDPR might apply to an Australian organisation;
- what is meant by offering goods or services to people in the EU;
- what is meant by monitoring people in the EU; and
- what questions to ask your organisation so you are able to assess whether the GDPR applies to your organisation.
While an organisation’s operations might not currently be caught by the GDPR, this may change in the future. It would be prudent to put in place policies and procedures to monitor an organisation’s international strategy, which may change or evolve to focus on attracting clients or customers from the EU. See the GDPR Applicability Assessment Questionnaire in the guidance notes When might the GDPR apply to an Australian organisation?, What is offering goods or services to individuals in the EU? and What is monitoring the behaviour of individuals in the EU?
The GDPR is a regime of personal data protection requirements adopted by the European Parliament which regulates “personal data”. As set out in What is the GDPR and when does it apply to Australian organisations?, the GDPR applies to Australian organisations in certain circumstances.
If the GDPR applies to your organisation (or will sometime in the future due to a change in your international strategy), your organisation will need to have a clear strategy to comply with the GDPR.
This can be a daunting task for Australian organisations, because while some of the concepts and obligations under the GDPR are similar to our own Privacy Act, there are many significant differences (which are explored in greater detail in Complying with both the Privacy Act and the GDPR).
In this subtopic you will learn:
- the key principles which form the framework or “heart” of the GDPR;
- the key terms and concepts under the GDPR;
- the key obligations under the GDPR if you are a “controller”;
- the key obligations under the GDPR if you are a “processor”;
- a checklist of questions to ask to determine whether you are a “controller” or a “processor”; and
- a checklist of questions to ask your organisation to assist in your journey to comply with the key requirements under the GDPR.
The GDPR is a regime of personal data protection requirements adopted by the European Parliament which regulates “personal data”. As set out in What is the GDPR and when does it apply to Australian organisations?, the GDPR applies to Australian organisations in certain circumstances.
If the GDPR applies to your organisation, you will need to have a strategy in place to comply with key obligations under the GDPR (see Key compliance obligations under the GDPR).
A key compliance issue for Australian organisations is dealing with overseas transfers of personal data outside the EU.
Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EU.
Chapter V (notably Articles 44–47) of the GDPR governs the transfer of personal data to countries outside the EU. The rationale is that when transfers are made to countries outside the EU, the level of protection afforded to EU individuals by the GDPR should not be undermined. See Recital 101.
Transfers by controllers or processors of personal data to countries outside the EU are prohibited unless the controller/processor complies with the conditions set out in Chapter V.
On that basis, the GDPR restricts transfers of personal data outside the EU (and therefore outside the protection of the GDPR) unless the rights of individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.
In this subtopic you will learn:
- what constitutes a transfer outside the EU for an Australian organisation captured by the GDPR;
- how your organisation can transfer personal data outside the EU;
- transfers on the basis of an adequacy decision;
- what the Privacy Shield is;
- what the standard contractual clauses are;
- what binding corporate rules are;
- exceptions to the rules on transfers outside the EU; and
- how to identify key issues with overseas transfers by using our practical checklist.
Many Australian businesses may find themselves in the situation of having to comply with two privacy regimes — under our own Privacy Act 1988 (Cth) (Privacy Act) and under the GDPR.
This subtopic is designed to assist businesses caught by both regimes to understand how they compare, as a first step in the journey of putting the necessary compliance measures, policies and processes in place.
In this subtopic you will learn:
- preliminary questions to consider;
- comparing the Privacy Act and the GDPR;
- unique aspects of the GDPR; and
- practical issues to consider when complying with both the Privacy Act 1988 (Cth) and the GDPR, using our practical comparison table.
As each organisation’s size, scale, resources, budget and operational requirements are different, it is beyond the scope of this subtopic to provide definitive and detailed guidance on a compliance program that will satisfy the requirements of both regimes. In any case, for the reasons noted, it is not possible to provide such advice in the form of “template” or “generic” documentation.
What this subtopic does aim to do, however, is to highlight key similarities and differences between the two regimes, to assist the reader in designing or commissioning the design of a suitable compliance regime and associated documentation.