The European Union General Data Protection Regulation (the GDPR) contains new data protection requirements that took effect on 25 May 2018. These will harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services.

Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) may need to comply with the GDPR, for example if they offer goods and services in the EU.

The GDPR has similar requirements to Australian privacy law. Both laws require businesses to implement measures that ensure compliance with a set of privacy principles, and both take a privacy by design approach to compliance. Data breach notification is required in certain circumstances. In addition, privacy impact assessments, mandated in certain circumstances under the GDPR, are expected in similar circumstances in Australia.

Given these similarities, Australian businesses may already have some of the measures in place that will be required under the GDPR. Even so, they should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes.