Impact of the GDPR on Australian businesses

Even if you merely monitor your clients’ behaviour when they are travelling in the EU, you’ll need to comply with the GDPR.

The GDPR expands the privacy requirements

The GDPR is a much expanded privacy law. Since 25 May 2018, it gives consumers new rights to require their data to be erased or transferred to another entity. These rights don’t currently exist under Australian privacy laws (although it is likely that they will be implemented as part of the open banking regime).

The GDPR’s extensive extra-territorial provisions mean that many businesses outside the EU are caught by it even if they don’t actually trade in the EU.

This is because it also applies to companies, no matter where they are located, who use any means to monitor their customers’ behaviour when they are in the EU. More particularly, it applies where companies:

• Track natural persons on the internet; and

• May subsequently use personal data processing techniques to profile a natural person using that data (even if they don’t actually do so)

In order to:

• Take decisions concerning the person; or

• Analyse or predict the person’s personal preferences, behaviours and attitudes.

Monitoring happens in many ways

Many technologies have inbuilt monitoring devices, of which users may not be aware, let alone deploy. Consider these scenarios, all of which will bring you within the ambit of the GDPR if your customers travel to the EU:

• Does your website track the pages that users look at and can you identify the user from additional information provided by your ISP?

• Does your website, app or other software give users targeted advertising based on the content they access?

• Do you use technology to profile individual customers and monitor their usage e.g. Mailchimp, or myprosperity?

• Do you provide any app to customers that records their usage and behaviour e.g. ewise or Yodlee, or DocuSign, which record the time they sign, and their IP address?

The GDPR requirements are similar but more extensive

If you provide services to clients or monitor them via the internet while they are in the EU, at a minimum, you will need to do the following to comply with the GDPR obligations:

• Amend your privacy documentation - your privacy collection statement and privacy policy and procedures will need to tell customers about their additional rights and contain policies and procedures relating to those rights.

• Obtain consent – to the purposes for which you will manage customers’ personal information where there are no other lawful grounds to manage it.

• Obtain cookie consent from website users - explain the purpose of the cookies e.g. analytics, advertising, or customer preferences, even if the cookies are from third parties on your website e.g. Google Analytics.

If you regularly monitor people on a large scale or manage large amounts of sensitive information, you will also need to appoint a representative in an EU member state and appoint a data protection officer with expert knowledge of data protection law.

Data breaches which are likely to result in a risk to individuals’ rights and freedom must be notified to the EU member state your representative is in within 72 hours after you become aware of the breach. There is no need to notify breaches that do not pose that risk.

What this means for you

For most businesses, it will be sufficient to amend your privacy documents and enhance your consent regimes. The Fold Legal can assist with this – we are updating our privacy materials to assist you to comply.

But businesses who regularly monitor people in the EU on a large scale or manage large amounts of sensitive information collected in the EU will need also representation in the EU.

Chris Deeble, associate – Sydney, The Fold Legal