Ahead of the GDPR regime coming into force on 25 May, Ascender head of global compliance Anij Janardhanan spoke to Accountants Daily about certain cases where an Australian business can be directly subject to the EU’s GDPR regime.
He said that while there are many permutations and combinations as to who is affected, Australian businesses with a presence within the European Union would likely be affected.
“Regardless of whether their data is being held in the EU, if they have an establishment in the EU, they can technically be called an entity within the EU,” Mr Janardhanan said.
“If an Australian business, for example, has employees deployed in EU customer locations or offices, technically speaking even though they are Australian citizens or non-EU citizens, by the fact that they are in the EU, they are under the scope of the GDPR.”
Mr Janardhanan noted the hefty fines for non-compliance – either up to 4 per cent of the annual global turnover of a firm for breaching GDPR, or €20 million.
He also mentioned the GDPR’s non-territorial scope, whereby the EU, or any enforcer within the EU, could leverage it under certain circumstances using the international law framework.
“There are many concepts that GDPR enforces that are beyond the Australian Privacy Act, or that are different from the Australian Privacy Act,” Mr Janardhanan said.
“What accounting firms will now have to consider is, within their foundations of privacy practices based on the Australian Privacy Act, they will have to consider what gaps they have against the requirements of GDPR, and where applicable, come up with a program to meet those requirements.”
In February, EY examined responses from 745 executives across 19 countries for its Global Forensic Data Analytics Survey.
It found that while 78 per cent considered data protection and data privacy compliance to be a growing concern, only 33 per cent of respondents had a plan in place for GDPR.