However, if you’re counsel for a corporation which has an EU presence, maybe you did sit up and take notice: especially when you looked into the global reach of the GDPR, and when you saw that organisations who fail to comply can be fined up to the higher of €20 million, or 4% of global turnover. That’s a lot of money in anyone’s books.
Fortunately, in most cases, you can relax – for a moment or two. How the GDPR will apply in practice to us Antipodeans remains to be seen, but what does seem fairly certain is that EU regulators will initially focus on enforcement against those organisations (mostly large US tech companies) that have a significant EU presence. For organisations that don’t, you may have a bit of breathing space, which should give you some time to prepare.
First, figure out if the GDPR applies to you. If the GDPR does apply to you, then this toolkit will help you get compliant.
If you establish that you’re not (yet) subject to the GDPR, don’t stop there. Take a look at what you are doing with personal data; ensure compliance with domestic legal obligations; and set yourselves up for the inevitable regulatory change that will follow as the effects of the GDPR spill over into the Australasian market.
Australia recently introduced mandatory data breach notifications, and the maximum fines for privacy breaches were ramped up. New Zealand is reviewing its 25-year-old Privacy Act, and many of the proposed amendments have their genesis in the GDPR.
In short, regulatory trends introduced by the GDPR are likely to shape the future of Australasian privacy law. And in a global digital economy, consumers expect consistency of approach. Australasian businesses should look to what their EU counterparts are doing, and set themselves up not only for inevitable privacy reform here, but also to align their offering with customer expectations.
Campbell Featherstone is a senior associate at national law firm Kensington Swan. He works alongside Hayley Miller, a partner who leads the firm’s technology, media and telecommunications practice.
For more information, read Kensington Swan's recent articles on the GDPR:
If GDPR applies to your business – what should you do?
The long arm of the law: European data protection law may apply to your business – are you ready?