
What is the GDPR (or General Data Protection Regulation)?


10 Aug 2023

In 2016, the European Parliament adopted the General Data Protection Regulation (GDPR) – the strongest set of privacy and security laws in the world. It aims to protect the personal data of EU citizens, with harsh fines levied against organisations that violate its standards.


The GDPR applies to any organisation that has an established presence in the EU, offers goods and services to EU customers, or monitors the online behaviour of people in the EU. This means that an Australian business is required to comply with the GDPR if it:


• Has an established presence (branch office) in the EU but processes personal data in another country

• Has a website that offers goods and services to EU customers in a European language and enables payment in euros

• Mentions EU customers or users on their website

• Monitors the online activities of individuals belonging to the EU and processes this data to analyse their personal preferences, behaviours and attitudes.


It’s essential that you understand the GDPR obligations for businesses targeting people in the EU. What’s more, a suite of proposed reforms to the Privacy Act in Australia is set to bring some of our data protection laws in line with the GDPR.



An Overview of GDPR Regulations


Data Protection


Under the data protection principles of the GDPR, data processing must be lawful, transparent, and for the legitimate purposes specified to the individual. Businesses are not allowed to collect more personal information than they need for this purpose, and they should only store it for as long as absolutely necessary.


Accountability


Data controllers need to be able to demonstrate that they are GDPR compliant – for example, by documenting all collection, use and disclosure of personal information, and training staff in data handling processes. In certain cases, organisations may be required to appoint a data protection officer to conduct audits and monitor compliance.


Data Processing


The GDPR sets out specific criteria for processing personal data: the individual must provide specific, unambiguous, and documented consent for their information to be collected; or the data must be necessary in order to enter into a contract with the individual, comply with a legal obligation, or perform a task in the public interest. Organisations must document their basis for processing data, and notify the person. Additionally, individuals can withdraw consent for data processing at any time.


Data Security


Organisations must have security measures to protect personal data against loss, destruction, or damage – to ensure that it can’t be accessed by hackers or leaked as part of a data breach. These include technical measures, such as using end-to-end encryption, and organisational measures, like having a data privacy policy and limiting employee access to personal data.


Data Breaches


If there is a suspected data breach, businesses have 72 hours to notify the individuals whose personal information has been compromised, as well as the relevant authority in their country. If they fail to do so, they will face penalties.


Individual Privacy Rights


The GDPR gives individuals significant control over the personal data that they provide to organisations. These include the right to ask the company what information it has about them and what it does with this information. They can also ask for correction to data, object to data processing, and request the deletion or transfer of their personal data.



Similar Reforms to the Privacy Act


In December 2022, the Australian Government released a review of the Privacy Act, and suggested 116 changes aimed at aligning our privacy regime with international standards. Some of the key proposals modelled on the GDPR include:


• The removal of the “Small Business Exemption”, which currently exempts Australian businesses with an annual turnover of under $3 million

• A broader definition of personal information that includes data relating to an identifiable person

• New rights for individuals, including the right to access and explanation; the right to object to the collection, use or disclosure of information; and the right to request erasure, de-indexing, or transfer of personal information

• The requirement for businesses to outline what data types are collected, why they collect it, who they share it with, and how long it’s stored for

• The concepts of controllers and processors – controllers determine the purpose and means of processing personal information, whereas processors only process information on a controller’s behalf and have fewer obligations

• The introduction of a new 72-hour timeframe for organisations to notify individuals and a relevant authority following a data breach


These privacy reforms are set to impact over 2.3 million Australian businesses. We expect to see draft legislation in 2023, with the updated Privacy Act coming into force shortly after. If you are interested in how these changes impact you or your business, join our newsletter or register for one of our upcoming webinars to find out more.


© Secureroo Pty Ltd, 2021-2023
