What is GDPR?

The European Union's General Data Protection Regulation 2016/679 (the GDPR) contains new data protection requirements that extend the scope of EU data protection law to all foreign companies processing the personal data of EU residents. All EU countries, including the UK (despite Brexit), are required to operate under the new data protection law.

When does it commence?

The GDPR was passed by the European Parliament in April 2016 and is currently undergoing a two-year transitional period. The new law commences on 25 May 2018. Any business found in breach of the law will be liable for fines of up to 4% of worldwide annual turnover.

Who is affected?

The GDPR applies to all businesses that process data and operate within the EU. It also applies to any business that monitors EU residents or offers goods or services to EU residents.

What does it mean for Australian research companies?

Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

For AMSRO member companies the GDPR and the Australian Privacy Act 1988 (or the Privacy Coshare many common requirements, including to:

  • implement a privacy by design approach to compliance
  • be able to demonstrate compliance with privacy principles and obligations
  • adopt transparent information handling practices.

There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.

Australian businesses should determine whether they need to comply with the GDPR and if so, take steps now to ensure their personal data handling practices comply with the GDPR before commencement.

Example: Australian businesses that may be covered by the GDPR include:

  • an Australian business with an office in the EU.
  • an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or by enabling payment in euros.
  • an Australian business whose website mentions customers or users in the EU.
  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.

What does it mean for conducting research in the EU?

Under the GDPR, all researchers, whether employed within an agency, working independently or based within a client's research department, need to ensure that they understand the legal basis being relied on for collecting, using, storing, sharing or otherwise processing personal data at every stage of their research project.

For further information:

If your company is conducting work in the EU and/or the UK, we recommend the following sources for further information: