How much should organisations pay for their data service providers to be 'GDPR compliant'? It seems that data processing vendors are passing on their costs of compliance to customers, and with GDPR compliance a hot topic for many organisations in Australia (in addition to complying with new Australian requirements for mandatory data breach reporting), the question of what costs can be passed on is an important one for organisations to consider.

Evidence is emerging anecdotally that data processing vendors are passing on their costs of compliance with the European Union General Data Protection Regulation ('GDPR') to their customers. With GDPR compliance a hot topic issue for many organisations in Australia at the moment (as well as contending with new Australian requirements for mandatory data breach reporting), the question of what costs can be passed on is an important one for organisations to consider. 

The background

The GDPR, which came into effect on 25 May 2018, significantly overhauls Europe's data protection legislation. The GDPR is intended to harmonise data protection law across the EU member states, protect the data privacy of EU citizens and redefine the way businesses approach the protection of personal data. The collection, retention and use of data by companies collecting and processing data is now strictly controlled by the GDPR. 

In line with this, the GDPR introduces concepts including 'the right to be forgotten', accountability and governance, mandatory data breach notification and a new right of 'data portability'. There is a tiered approach to fines for non-compliance with the GDPR up to a maximum of €20 million or 4% of a company's global revenue, whichever is larger. The measures are seen as a key element of the creation of a European Digital Single Market. 

Impact on Australian entities

Perhaps the most significant changes, however, is in the GDPR's extra-territorial scope. It applies to the data processing activities of entities 'established' in the EU. Its application also  extends to extra-European entities in the position of a 'controller' or 'processor' of personal data that either offer goods or services to persons in the EU or monitor the behaviour of persons in the EU. As such Australian companies are likely, in many instances, to be caught by the GDPR's provisions here. 

The GDPR includes requirements that resemble, in a number of key respects, important provisions of the Privacy Act 1988 (Cth) ('Privacy Act') in Australia, such as requirements to: 

  • implement transparent information handling practices;
  • adopt a privacy by design attitude to compliance; 
  • provide data breach notification in certain circumstances; and 
  • ensure demonstrable compliance with privacy principles and obligations. 

There are, however, important differences, which include the lack of a revenue threshold to engage the GDPR (meaning that smaller Australian businesses not caught by domestic legislation will need to comply with the GDPR), the 'right to be forgotten' and other rights of individuals that are not reflected in the Australian act. In practical terms, Australian businesses required to comply with the GDPR will need to do the following to ensure compliance: 

  • draft or update a GDPR compliant privacy policy, which states that only individuals over 16 can consent to the processing of personal data, that the business processes data in accordance with the GDPR and that individuals have the following rights:

    • the right to be forgotten;
    • the right of access by an individual;
    • the right to erasure;
    • the right to restriction of processing; and the right to portability;
  • update their company website to incorporate GDPR required processes and systems, such as user consent infrastructure;
  • ensure that user dater is automatically stored in a format that is easy to extract and provide to users upon request; and
  • utilise at least industry-standard security measures and provide for a system of breach notification to data subjects and regulators within 72 hours of becoming aware of any breach. 

The impact of changes to the Privacy Act in Australia?

In addition to GDPR considerations, Australian businesses also need to be mindful of the amendments to the Privacy Act which came into force in February 2018. These amendments introduced mandatory data breach notification requirements for organisations and specific other entities (including credit reporting bodies and recipients of tax file number information) that are regulated by the Privacy Act and with turnover above AU$3 million.

While many of the GDPR requirements align with the requirements under the Privacy Act, the requirements and applicability conditions are not mirrored. This means that a business subject to the GDPR and the Privacy Act must be aware of its obligations under both. For example, the Privacy Act has a small business exception. This means businesses with less than AU$3 million in revenue may not have to comply with the requirements of the Act. In contrast, the GDPR applies to all relevant businesses with the applicable EU connection, regardless of revenue. In addition, the GDPR includes various additional rights of individuals (such as the 'right to be forgotten') which do not have an equivalent under the Privacy Act.

Passing on the costs

As of May 2018, US companies have spent a combined AU$7.8 billion in preparation for the GDPR's introduction, according to figures compiled by EY and the International Association of Privacy Professionals. Relevant Australian companies may, given the Privacy Act measures already in place, be in a better position than US companies and thus require less direct investment. Nonetheless many are likely to require significant expenditure to ensure compliance, as well as to ensure that their policies and staff training also contend with the new amendments introducing mandatory data breach notification in Australia (as well as under the GDPR). 

Where this is the case, there is a risk that data processing vendors may seek to charge higher fees for new GDPR compliant data processing arrangements, essentially passing on their costs of compliance with the GDPR (and potential the Privacy Act) to organisations that use their services. Stories abound about companies seeking data processing services (such as data hosting) being charged significant extra fees to update existing contractual arrangements to make them "GDPR compliant". It seems likely that Australian companies should expect vendors to seek to pass on their costs here, and it would be wise to start to consider which of those costs, if any, are justifiable.

Organisations will need to be proactive in their approach to pushing back on such cost pass throughs if it is found that compliance costs cannot be justified. While non-compliance may expose companies to substantial penalties, which may result in significant financial consequences and, more alarmingly, reputational damage, how much should be paid to those providing services is a matter to be finely balanced.

*Paralegal Tim Baynham contributed to this article.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.