3 key differences between the GDPR and Australia’s Privacy Act

The General Data Protection Regulation (GDPR) is the most detailed and comprehensive set of enforceable data privacy rules yet enacted. Applying from 25 May 2018, it affects what any organisation collecting or processing the personal data of people within the European Union may do, wherever that organisation is based.

Data privacy is not only a concern for the EU, however. In Australia, the Privacy Act 1988 (the Act) was recently extended with the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018.

Both of these data privacy regimes affect Australian business owners and marketers, but there are some key differences.

The GDPR and the Act are both comprehensive data privacy legislation - but what's the difference?

1. To whom the GDPR and the Act apply

The GDPR and the Act are both enforceable legislation, meaning no affected party is able to opt out. So, it’s important to understand if and when the laws apply to you.

Both sets of laws apply wherever personal data (GDPR) or personal information (the Act) is collected. Each term is defined in very similar ways: any information relating to an identified or identifiable person.

Where the laws differ is in who must comply. The Act includes a small business threshold: an organisation with an annual turnover of $3 million or less is generally exempt, unless an exception applies (health service providers and businesses that trade in personal information, for example, must comply regardless of turnover). The GDPR, by contrast, applies to organisations of all sizes and revenues.

That said, an Australian business only needs to be concerned with the GDPR if it has an establishment in the EU, offers goods or services to individuals in the EU, or monitors the behaviour of individuals in the EU. The Act, on the other hand, applies to every eligible business in Australia regardless of where the people whose information it collects are located.

2. “Serious harm”

Under the NDB scheme, eligible Australian organisations are now required to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals of an “eligible data breach”: a breach where a reasonable person would conclude that the unauthorised access, disclosure or loss of personal information is likely to result in “serious harm” to any of the individuals concerned.

Serious harm can be psychological, financial, reputational, emotional or physical, but the Act does not define the term beyond listing the matters to be weighed (for instance the kind and sensitivity of the information, whether it was protected by encryption, and who is likely to have obtained it). The assessment sits with the organisation that holds the information: if it merely suspects an eligible breach, it has 30 days to complete a reasonable and expeditious assessment, and it is the organisation, applying the reasonable-person standard, rather than the individuals whose data was accessed, that decides whether the threshold is met. One practical caveat: if the organisation takes remedial action before any serious harm occurs, so that serious harm is no longer likely, the breach is not an eligible data breach and notification is not required.

The GDPR sets a lower bar for notifying the regulator. A controller must notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in “a risk to the rights and freedoms” of natural persons (Article 33). The affected individuals themselves must be notified only where the breach is likely to result in a high risk to those rights and freedoms (Article 34). In practice this means many more breaches are reportable under the GDPR than under the NDB scheme, and the decision must be made much faster.

3. Penalties for failure to comply

Where a business fails to comply with the GDPR or the Act, it may be fined.

Currently, the highest civil penalty available under the Act, for a serious or repeated interference with privacy by a body corporate, is $2.1 million. Under the GDPR, the most a business can be fined for the most serious infringements is the higher of the following:

  • €20 million, or
  • 4 per cent of total worldwide annual turnover for the preceding financial year.

A lower tier of fines (up to €10 million or 2 per cent of worldwide turnover, whichever is higher) applies to lesser infringements such as failing to keep records or to notify a breach.

Given the much higher penalties, it is certainly in the best interests of any Australian company within the GDPR’s reach to ensure it is not contravening the GDPR as well as the Act.

Most importantly, remember that this information is no substitute for legal counsel; always seek professional advice when navigating data privacy laws.

When handling personal data, it is important that privacy and security are respected. For professionally sourced mailing lists, talk to Lead Lists today.