Does your company or organisation (or any of its subsidiaries) monitor, track or target EU data subjects in the context of offering goods or services to them? If the answer is yes, your organisation needs to ensure it is ready to comply with the requirements of the GDPR.
What is the GDPR?
The European Union General Data Protection Regulation (GDPR) commences operation today, 25 May 2018. The GDPR regulates the processing of personal data of identified or identifiable natural persons (data subjects) in the EU by controllers and processors of data who are established in the EU. A “controller” determines the purposes and means of the processing of personal data, and a “processor” processes personal data on behalf of the controller.
Under the GDPR, breach notifications will be mandatory. Where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, notification of the breach must be made to a Supervisory Authority (defined in the Regulations) within 72 hours of a controller or processor first becoming aware of the breach. In addition, where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the personal data breach to the data subject without undue delay.
Under the GDPR, data subjects have greater rights to obtain confirmation of whether data is being processed about them and to obtain a copy of that data free of charge. They also have the right to data erasure or the right to be forgotten.
The penalties for non-compliance with the GDPR can be enormous for organisations. Depending on the type and severity of the infringement, Supervisory Authorities may impose administrative fines of up to 20,000,000 EUR or 4% of an organisation’s total worldwide annual turnover. In addition, any person who suffers material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered.
Will the GDPR apply to organisations registered in or operating from Australia?
Yes. If your company or organisation is located outside of the EU but processes the personal data of data subjects in the context of offering goods or services to EU citizens, or of monitoring their behaviour, then your organisation is required to comply with the GDPR. If the organisation has a suspected data breach, it will be required to comply with the requirements of the Notifiable Data Breach Scheme under the Privacy Act as well as the GDPR.
If you have any questions about whether your organisation needs to comply with the GDPR and how to achieve that, we recommend seeking legal advice. You may also try Parker, a chatbot developed by Norton Rose Fulbright to assist organisations to navigate the new law – http://www.nortonrosefulbright.com/knowledge/publications/166075/does-the-gdpr-apply-to-your-non-eu-business