What Types of Businesses Are Subject to the GDPR?
The General Data Protection Regulation (GDPR) harmonises data privacy laws in Europe. However, only specific types of businesses need to comply with it.
The GDPR reshaped the way data protection and privacy are handled across the European Union (EU) and the European Economic Area (EEA). The regulation has been in force since May 2018.
GDPR and Australian Businesses
The nature of your business's operations, not its size, determines whether you fall under the data protection regulation. When an organisation's operating activities present a high risk to individuals' rights and freedoms, they trigger more stringent rules. Conversely, not all SMEs are subject to the GDPR obligations in their entirety.
For example, organisations with fewer than 250 employees don't have to keep records of their processing activities. However, if processing personal data is a regular activity, or the processing poses a threat to individuals' rights and freedoms, then the entity must keep records. This is also the case where the data is sensitive in nature.
Similarly, SMEs are only required to appoint a data protection officer if processing personal data is their main business and poses specific threats to individuals' freedoms. Examples include monitoring individuals or processing sensitive data such as criminal records. This is particularly true where personal data is processed on a large scale. The Office of the Australian Information Commissioner (OAIC) has more detailed information regarding the GDPR if you need more clarity.
Does the GDPR apply to data concerning companies?
The GDPR applies exclusively to personal data regarding individuals. It does not govern data concerning companies or other legal entities. However, where information relates to a one-person company, such as a sole trader, the rules may still apply. This is an important distinction, and it will only arise if the personal data in question allows the identification of a natural person.
Conclusion
Ultimately, the GDPR can apply to Australian businesses that deal with any personal data of individuals in the EU. Fundamentally, the more personal information an organisation deals with, the more stringent the regulations will be. It's important to ensure you understand your data privacy obligations. It is advisable to consult a business lawyer to avoid penalties for failing to comply properly with the GDPR.
Gopi currently works in the content team as a Legal Intern for Lawpath. He is in his fourth year of a Bachelor of Law and Commerce (Accounting) at Macquarie University. Gopi is interested in cyber law and future innovations in the legal industry.