General Data Protection Regulation guidance for Australian businesses

The Office of the Australian Information Commissioner (OAIC) has published new guidance for Australian businesses on the European Union’s General Data Protection Regulation (GDPR) requirements.

From 25 May 2018, Australian businesses may need to comply with the GDPR if they have an establishment in the European Union (EU), if they offer goods and services in the EU, or if they use data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

The GDPR includes requirements that resemble those in the Privacy Act 1988, as well as additional measures that similarly aim to foster transparent information handling practices and business accountability around data handling, such as the ‘right to be forgotten’, which is not reflected in Australian privacy laws.

The GDPR makes clear that a wide range of identifiers can be ‘personal data’, including a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

In the lead-up to the commencement of the GDPR requirements, businesses should confirm whether they are covered by the GDPR, and if so, take steps to implement any necessary changes to ensure compliance.

Read ‘Preparing for the GDPR: 12 steps to take now’ here.

Image from CSIRO under CC BY 3.0