In general, the new GDPR regulations are mainly about how you handle personal data within your business and require changes to your business processes if you deal with any EU personal data.
You may not know if you are affected so here is a guide to understanding the latest privacy law affecting many Australian businesses.
What is GDPR?
GDPR stands for General Data Protection Regulation which is designed to provide consistent data protection for individuals in 28 EU states. It is seen to be one of the strictest and far reaching privacy and data protection regimes in the world once it is in force.
When is GDPR coming?
Set to come into operation 25 May, the GDPR requires a new set of obligations on businesses that collect, use, store and process EU personal data including businesses that provide services seen to ‘process’ data on behalf of another business. This will catch many hosting and processing businesses.
‘Personal data’ generally means information that may identify an individual such as an email address.
Who is affected by GDPR?
The GDPR law is wide reaching and covers other countries, including Australian businesses which may have or be seen to be collecting any type of EU resident personal data.
You need to comply with the GDPR regulations if you:
- Have a business presence in the EU, including someone promoting or selling your business in the EU;
- Offer your products or services in the EU to EU residents whether these products or services are free or paid and irrespective of the currency;
- Monitor or collect any EU citizen data, including email addresses or online behaviour.
How is GDPR different to the Australian Privacy Law?
There are some similarities: both the GDPR and Australian privacy laws include some similar requirements as both laws foster transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
However, there are a number of new obligations and rights that are imposed on any business in any country including Australia, when dealing with EU resident personal data including:
- Right to Erasure:
You may remember the big initiative in the news about the ‘right to be forgotten’ in Europe which meant anyone could ask for all information about them to be removed from the internet including all articles about crimes they committed. The new right to erasure includes the right to be forgotten. If you collect an EU resident’s data, that person can ask you to erase their personal data or restrict how it is used.
- Restriction on transfer of personal information:
There are rules around how a business can transfer personal data information from the EU to Australia and what type of information may be transferred to Australia.
- Consent to collection or use:
Opt-out consents are no longer a valid way to obtain consent. For example, you cannot use personal data for direct marketing of your business and offer an ‘unsubscribe’ or ‘opt-out’ option.
- Requirements to appoint data protection officer:
Some businesses will have a requirement to appoint a data protection officer within their business as well as a representative in the EU in certain circumstances.
What do Australian Businesses need to do?
Australian businesses should review their data processing practices to identify whether, and to what extent, the GDPR applies to them.
If you are required to comply with the GDPR, you need to familiarise yourself with the accountability and governance requirements and put processes to meet the requirements into your business. In other words, you need to understand what these compliance requirements are and put in place measures to comply on or before 25 May.
You also need to be able to show that your processes to manage the personal data requirements will comply. This may include, for example, obtaining consent for the use of the personal data from the EU citizen depending on what and how you use it.
As the new GDPR regulations and requirements are dependent on how each individual business collects and uses data as well as the type of personal data collected, there is no one-stop-shop answer on what your business needs to do to comply. You need to look at your business to see if you are marketing your products or services to EU individuals and if so, understand your compliance requirements for your business to meet the GDPR.
Alternatively, if you do not need to comply with the GDPR, you should consider including a statement on your website that you are excluding EU residents from purchasing your products or services to make it clear that you are not marketing to EU residents.
There are high fines for non-compliance with GDPR so review your business today.