The long reach of the EU's GDPR

Doing business in Europe? The cost of non-compliance with the EU’s new data protection regime may surprise you!

In today’s global digital environment, it has become increasingly complex for Australian businesses of all sizes to protect the personal data that they process. Businesses operating solely in Australia can take some comfort in the fact that Australian law will be their primary area of concern. In this internet age, however, many businesses find themselves doing business internationally, which can bring with it a whole new set of legal complexities. For Australian businesses doing business in the European Union, this is likely to become even more onerous in the near future thanks to the looming introduction of the General Data Protection Regulation (GDPR) - the EU’s strict new data protection regime aimed at providing harmonised and enhanced protection to data subjects within the EU.

Broadly speaking, there is little doubt that data privacy is a hot topic in today’s news. A quick scan of the headlines in any given week will highlight a wide variety of personal data breaches affecting individuals, the private sector and governmental authorities alike. In 2016 alone, there was a 32% increase in hacked sites on the world-wide web, but such threats need not be external to a business: something as simple as a lost company laptop or a rogue employee can create the potential for a major breach of data protection law. It is in this environment that the GDPR has been forged.

The GDPR is at present set to come into force across the EU on 25 May 2018.

Unlike previous EU-wide data protection measures based on Directive 95/46/EC, the GDPR is a regulation, meaning it will come into force automatically in member states and does not need to be individually enacted in each territory through specific legislation (such as for instance the Data Protection Act 1998 in the United Kingdom). On the positive side, the GDPR will replace a patchwork of over 28 sets of national data protection laws and in doing so reduce a cumbersome process of accounting for national differences in data protection law within the EU.

Local Implications

For Australian businesses, it is important to note that the reach of the GDPR is extra-jurisdictional and global. This means that if an Australian commercial entity is conducting business with EU residents or monitoring EU residents, it will be processing personal data and the GDPR will apply to it. Triggering such thresholds can be deceptively easy, and many businesses may do so unwittingly, as good data governance is somewhat of a rarity (by some accounts, 50% of the world’s corporate data is ‘dark data’ and not properly accounted for).

Just because a business is compliant with the Australian Privacy Act 1988 does not mean it will be compliant with the GDPR. There are key similarities between the GDPR and the Australian Privacy Act 1988, but the GDPR is broader in scope and there are key differences to consider, such as the ‘right to be forgotten’, which has no equivalent in Australia. Australian businesses that are up to date with the existing EU data protection regime also need to be aware that there are key differences between the GDPR and Directive 95/46/EC, ranging from a wider definition of what constitutes personal data to changes to consent requirements, as well as the need for a business to appoint a data protection officer in some instances.

Furthermore, just because an Australian business is itself GDPR compliant does not necessarily mean that it has flowed that compliance down to its subcontractors.

Given the global nature of many cloud providers, Australian businesses may wrongly assume that their subcontractors have ticked all the relevant boxes. Whilst larger cloud providers such as Microsoft Azure and Amazon Web Services are proactively taking steps to address GDPR compliance needs in time for the 25 May 2018 deadline, it is imperative that businesses check all relevant subcontractors as some may struggle to comply in time or at all.

A dramatic increase in penalties

Critically, Australian businesses need to be aware that the GDPR is the furthest thing from a toothless tiger when it comes to penalties. Under the GDPR, penalties for data protection breaches will increase dramatically. For instance, whereas previously in the United Kingdom a business could be fined a theoretical maximum of £500,000, under the GDPR such penalties can be as high as the greater of €20 million or 4% of a company’s global annual turnover. To put that in perspective, if those new penalties were applied against historical breaches during 2015, then, in the United Kingdom alone, the fines paid would increase 90-fold, rising from £1.4 billion to £122 billion for that year. As a side note, the fact that the United Kingdom is leaving the EU will, for the time being at least, not affect its enforcement of the GDPR. For some businesses, the size of the new penalties associated with a data breach could be enough to send them into insolvency, making data protection not just an IT department issue but a strategic boardroom-level issue.

Yet despite this environment, in which the need to manage risk exposure has never been higher, it is estimated that at present less than 30% of Australian businesses are prepared for the introduction of the GDPR, with general understanding of the regulation at even lower levels.

Indeed, a core issue is that many businesses are unaware that they are captured by the legislation, or even that it exists (in the Asia Pacific region, around 90% of businesses have little or no knowledge of the GDPR). Ignorance of the law, however, is not a defence, and with the clock ticking down to 25 May 2018, the window of time in which to become operationally and legally compliant is rapidly shrinking. No business is going to want to be the first to be hit with the GDPR’s draconian new sanctions in the event of a data privacy breach.

For a no-obligation initial consultation regarding all things legal in the world of data protection, please do not hesitate to contact CAL-TECH and find out how we can assist you.