What is GDPR and what does it mean to my Australian business?

Kimberly Jones • May 25, 2018

What is the GDPR?

In April 2016 the European Parliament adopted the General Data Protection Regulation (GDPR), which regulates how businesses must handle, secure and share the data of EU residents. The GDPR applies from 25 May 2018, and has important implications for organisations inside and outside of the EU, including Australia.

Who is affected?

The GDPR applies to:
  • EU-based businesses; and
  • Businesses outside of the EU which:
    • offer goods or services to individuals in the EU;
    • have an office in the EU; or
    • monitor the behavior of individuals in the EU (including profiling of individuals through online data).

Am I affected?

Examples of transactions (of a Western Australian business) that may come under the GDPR include:
  • Taking an online booking for accommodation in WA from a tourist travelling from Paris;
  • Obtaining credit card information, from an Australian travelling through Germany, to change their flight home; or
  • Using information from companies profiling potential customers in Spain through their online preferences.

What is personal data?

The definition of personal data for the purposes of the GDPR is wide and includes any information relating to an identified or identifiable natural person. Such a person is referred to as a ‘data subject’. This information can range from basic information, such as a name or address, to information about the person’s health, ethnicity, or credit card transactions.

What do I need to do? – Questions to ask yourself about your business

1. How does my business handle personal data?
The first step is to carry out an audit of your current processes and procedures. Knowledge is power. Without knowledge of how your business collects, uses, transfers, stores and removes personal data, it will be impossible to be sure your business is meeting its obligations.

2. Does my business have a lawful basis for handling personal data?
Under the GDPR, your business must have a lawful basis for processing personal data. There are 6 lawful bases identified: consent, contract, legal obligation, vital interests, public task (processing data in the public interest) and necessity (where processing is necessary for the legitimate interests of your business). You should be able to identify under which category your business is processing an individual’s data.

3. Is my Privacy Policy (and Privacy Collection Notification Statement) relevant to my business and does it comply with the GDPR?
Having a template privacy policy and statement is not enough. A prime focus of the GDPR is transparency and accountability. A well thought out privacy policy and statement will tell your clients and customers the steps your business is taking to protect their data and comply with privacy laws.

4. Do my third party suppliers comply with the GDPR?
You may still be liable for a data breach that did not occur on your watch, if the breach occurred with data shared with a third party. Your business should take active steps to ensure that relevant third party suppliers also comply with data protection laws, including the GDPR.

5. Has my business taken appropriate steps to secure the personal data it is processing?
The protection of personal data has never been more important. Significant penalties apply under the GDPR (and local privacy laws), and there are stringent requirements for notification and reporting on breaches. Measures to ensure adequate protection can include: deciding when to process personal data, deciding when to destroy it, and ways to avoid the misuse of, or interference with, personal data. As well as ensuring your compliance with the GDPR, such measures will give your customers and clients peace of mind in choosing to entrust you with their data.

Large scale & sensitive data dealings

If you are collecting or processing data of EU individuals on a large scale, or are processing sensitive data, further obligations may apply, including the appointment of a data representative in the EU.

If you would like more information on this issue, please contact Bailiwick Legal at (08) 9321 5451. 

The above information is a summary and overview of the matters discussed. This publication does not constitute legal advice and you should seek legal or other professional advice before acting or relying on any of the content.
20 Feb, 2024
The Human Rights Commission may take action against employers who fail to actively eliminate sexual harassment, discrimination and victimisation in the workplace, as part of a positive duty reform. While the reform itself was introduced under the Sex Discrimination Act in 2022, a change was put in place last December - and every employer, including those in the agricultural sector, is affected. This change has provided the commission with new powers to investigate and enforce compliance with positive duty and investigate organisations or businesses where it "reasonably suspects" non-compliance.

What does this mean for shearing contractors, sheep producers and other primary producers?

Speaking at the WA Shearing Industry Association (WASIA) general meeting last month, Bailiwick Legal solicitor Matilda Lloyd said the enforcement power involved inquiries and investigations similar to WorkSafe. She said a complaint did not have to be made for an inspector from the commission to visit and look over a workplace, and see if there is any kind of sexual harassment occurring.

"The commission looks at policies and procedures, and essentially you need to be able to demonstrate that you're compliant with this positive duty.

"When you think about it in the context of a shearing shed, it is the safety checklist you have in place for when people enter the shed.

"Those are the things you need to consider with sexual harassment as well."

Ms Lloyd said the commissioner never had the power to conduct an investigation before and, as such, practically how it was going to work was an unknown.

"We don't know whether they're going to be coming out and doing regular inspections, what those inspections are going to look like in terms of time or how thorough they are going to be," she said.

"They need to be thought of the same way as a WorkSafe investigation, whereby it could happen at any point whether a complaint is made or not.

"Investigators will expect employers to show that they are actively trying to eliminate this form of unlawful conduct."

If an inquiry occurs, what will happen?

If an employer wasn't taking the correct measures to stop sexual harassment, discrimination and victimisation from occurring, they could be issued a compliance notice. Ms Lloyd said if the notice wasn't adhered to and an inspector returned, they could apply to the Federal Court to have that positive duty enforced.

What is positive duty?

Ms Lloyd said a positive duty was a legal obligation on an employer or person conducting a business or undertaking to take reasonable and proportionate measures to eliminate unlawful behaviours in the context of work, workplaces and working relationships. In the case of shearing contractors, sheep producers and other primary producers, she said that obligation was on the employer and applied to all staff, workers, contractors, customers and people entering, for example, a shearing shed. She said the obligation was "very broad" and applied right across the board.

"Enforcing positive duty is pretty straightforward in terms of the employer, but when we look at the other parties involved it is extensive," Ms Lloyd said.

"When we are talking about sexual harassment in the workplace we are talking in the shed and in a vehicle on the way to work or another shed.

"It is also offsite, so if you are having work drinks at the quarters or wherever afterwards - that's also a workplace within the definitions of the act.

"The obligation applies across the board in all of these circumstances.

"And also applies to visitors, so if you have farmers and they bring their wives, it is anyone coming into that shed or environment."

In the context of positive duty, what do contractors need to do?

Firstly, employers need to understand what sexual harassment, sex-based harassment, discrimination and victimisation is.
Ms Lloyd said employers were responsible for leading their team, so it was important to understand what the laws were and how they affected not only them, but their employees.

"When we talk about sexual harassment we talk about unwelcome conduct that is of a sexual nature or requests for sexual favours, touching, requesting dates and so forth," she said.

"Whereas sex-based harassment is harassment that is targeted at a particular sex.

"This could be making sexist comments about a woman because she's a woman or making sexist comments about a man because he's a man.

"Then victimisation is about targeting someone because they've made a complaint."

Ms Lloyd said a conversation then needed to be had to educate employees, whether that be face-to-face, by Whatsapp or having it displayed in the shed. She said there were resources and guidelines available through the Human Rights Commission, which helped with this.

"Have that conversation - as an employer understand what sexual harassment is but then talk to your employees and be serious about educating your employees," Ms Lloyd said.

"It is about actually having that conversation and then thinking about what material can be given to them.

"The whole point is to make it easy, so people understand.

"Then it goes into training and support - is there someone in your team people can talk to?"

The seven standards

The commission has released guidelines for complying with the positive duty under the Sex Discrimination Act 1984. The guidelines are centred around seven standards - leadership, culture, knowledge, risk management, support, reporting and response, and monitoring, evaluation and transparency. Examples of practical actions that organisations or businesses can take to meet each of the standards are set out in the guidelines. Ms Lloyd said, as each business is different, it depended on how big a team was, what was going to be practical and cost-effective in the workplace.
She said the commission would look at the different standards if there was an investigation or inquiry.

How often do employers need to talk to their team about this?

Ms Lloyd said it should be looked at similarly to safety or work related issues, whether that be a toolbox or regular meeting once a week or every couple of days. She said if a contractor was starting a new job or visiting a place they hadn't been to before, it was about having that conversation upon arrival.

"When everyone's preparing for their first break, sit down and have a chat about general safety as well," Ms Lloyd said.

"That's the first step, and then follow it up a month later when you start a new shed.

"It is about consistently and actively taking measures to create a safe space.

"It seems obvious that once you've gone through your checklist you then talk to the people coming into that environment, who are your workers, and alert them to what you have found.

"Similarly, with positive duty, a checklist is proof that you are doing the right thing if you are audited."

Does insurance cover sexual discrimination cases?

Having insurance does not diminish positive duty, it just safeguards employers against potential damage and loss against their business if they are sued. Ms Lloyd said sexual discrimination cases, which travelled through the Federal Court, were not cheap and often have adverse outcomes from an award of damages perspective.

"If we talk about Work Health and Safety, as you know, that is a serious issue you have to take onboard and consider," she said, "And that's the way I think employers need to frame their conduct when talking about and implementing measures to prevent sexual harassment, discrimination and victimisation."

Is an employer covered if they have put everything in place, but those rules are still broken?

Ms Lloyd said an employer would be protected if they have been able to eliminate as much as they can with the resources available to them.
She said it was important to remember sexual harassment and discrimination is unlawful conduct.

"In terms of positive duty, by taking all reasonable steps and measures given the resources available to you, you will be able to mount a solid defence against any claim.

"If you've done your duty positively and it can be demonstrated that you've exercised your role in appropriate fashion, then that will be solid defence."

For more information on the positive duty reform and seven standards, go to humanrights.gov.au
By Matilda Lloyd 11 Aug, 2023
On 1 July 2023 the Aboriginal Cultural Heritage Act 2021 (2021 Act) came into effect following five years of alleged stakeholder consultation and drafting. The new Act replaced the Aboriginal Heritage Act 1972 (1972 Act), which was deemed to be completely inadequate at providing recognition and protection for cultural heritage by the Joint Standing Committee on Northern Australia in A Way Forward, the Final report into the destruction of Indigenous heritage sites.

To improve these deficiencies the section 18 consent process under the 1972 Act was replaced with a four-tier management system for Aboriginal cultural heritage which required proponents to undertake a due diligence assessment prior to undertaking activities, including where ground was to be disturbed, for the purpose of determining whether there was any Aboriginal cultural heritage or risk of harm being caused to Aboriginal cultural heritage by those activities.

The four-tier system was also accompanied by a new definition of Aboriginal cultural heritage, a new Directory of information related to Aboriginal cultural heritage as well as harsher fines, stop activity orders, prohibition orders and remediation orders which were introduced as new compliance measures to prevent and remedy harm.

The objects of the 2021 Act were to recognise, protect, conserve, and preserve Aboriginal cultural heritage and to manage activities that may harm Aboriginal cultural heritage in a manner that provides clarity, confidence and certainty.

However, in the weeks up to and then following 1 July 2023, substantial concerns and uncertainty were raised about the 2021 Act (and Regulations) together with a good dose of misinformation and in particular the impact that the new regime would have on freehold landowners and proponents who wanted to undertake their usual and normal (farming) activities on blocks of land greater than 1100m².
During this period Matilda Lloyd and Phil Brunner attended many seminars, in conjunction with WAFarmers, to explain to the agricultural industry and the broader community the new laws. We attended at WAFarmers Zone meetings and grower organised information sessions in Karridale, Busselton, Esperance, Katanning and Perth. Information was also provided in online workshops and information sessions for grower groups and agricultural consultants.

On 8 August 2023 the Premier, Roger Cook, announced that the 2021 Act (and Regulations) would be repealed and that the 1972 Act would be reintroduced with simple and effective amendments. The announcement is welcome news however the Government’s rhetoric is that even the 1972 Act applies to freehold farmland. There is more work to be done to exclude freehold (improved) farmland from the operation of the 1972 Act. Currently the 2021 Act remains in force and will be repealed once the Bill for the amended 1972 Act is passed by both houses of Parliament.

Bailiwick Legal extends its thanks to WAFarmers and the PGA for their efforts over the last two months. We will continue to work with WAFarmers and farmers to navigate the amended 1972 Act and press for further changes to the Aboriginal cultural heritage laws in WA.

If you would like more information about Aboriginal cultural heritage or how these changes may affect you and your business, please contact Bailiwick Legal on (08) 9321 5451 or by email at office@bailiwicklegal.com.au.

By Matilda Lloyd (Solicitor)

For further information about our legal services, please visit our website: https://www.bailiwicklegal.com.au

The above information is a summary and overview of the matters discussed. This publication does not constitute legal advice and you should seek legal or other professional advice before acting or relying on any of the content.