What is the GDPR?
The European Union General Data Protection Regulation (‘GDPR’) came into effect on 25 May 2018 and focuses on individual privacy and data regulation for businesses. It goes beyond Australia’s current privacy regulations. The GDPR contains much stronger rules on data protection and collection.
Does the EU General Data Protection Regulation (‘GDPR’) apply to you?
There are a couple of things to consider when determining whether the GDPR applies to your business.
- Does your business have an online presence?
- Does your business sell goods or services directly to customers in the EU?
- Do you outsource or provide services to parties in the EU?
The GDPR applies to all businesses (or public sector entities) that holds, controls or processes personal data for EU residents or monitors the behaviour of individuals in the EU regardless of the business’s location. This applies to customers and website visitors as well as employees.
If you think the GDPR applies to your business, you are under a direct statutory obligation to ensure compliance and are required to provide evidence to the EU or Australian privacy regulators, if requested.
The consequences for non-compliance are significant. These can include fines up to €20 million or 4% of global turnover (whichever is higher). There are other sanctions which may severely impact your business such as the ability to halt trading in the EU.
Principles of the GDPR
What data can you process and under which conditions? This all depends on the legal reason why you’re processing the data and what you want to do with it.
- The personal data must be processed in a lawful and transparent manner.
- You must have a specific purpose for processing the data.
- These purposes must be indicated to the user at the time you are collecting the data and you must only collect and process that data to fulfil that purpose.
- You must ensure that the personal data is accurate and update to date.
- You cannot store data for a longer time than necessary for the purpose it was collected.
- Your business must install the appropriate technical and organisational safeguards to ensure compliance.
The GDPR encompasses stronger rights for customers, website visitors and users. These include:
- Your business has to inform users if there has been a harmful data breach.
- An individual can move their data.
- A user will have right to access and get a copy of their data that your business has on them.
- Individual has a ‘right to be forgotten’ with clear safeguards.
Steps to ensure compliance
You may need to:
- Amend your privacy policies
- Review contracts
- Ensure policies are compliant with the GDPR
GDPR website compliance
The mere fact that EU-based individuals can access your website doesn’t, by itself, indicate that the GDPR is applicable. It depends on whether your business intends on offering goods or services to EU-based individuals.
Factors to indicate intention to offer goods and services to EU-based individuals:
- European language on your website
- European currency
- Mentioned customers or users who are in EU (customer testimonials)
Once you have determined whether you intend to offer goods and services to EU-based individual, and have reviewed you privacy policies and contracts, we have 8 tips to ensure your business is GDPR compliant.
8 Tips for GDPR compliancy
- Invite users to subscribe to newsletters. Users must “opt in” and the default option to subscribing must be a ‘no’ or blank.
- If you’re requesting consent from the client to contact them for promotional purposes in the future, this needs to be a separate tick box or option.
- You should ask specific permission for each type of data collection for processing and also ask permission to pass details to third parties.
- You must offer an easy unsubscribe option.
- Update contract terms and conditions and privacy policies. These must include details as to why you are collecting the data, how you are collecting it, what you will do with it and how long you will keep it for.
- Modify web processes to remove any personal data after a reasonable time.
- Inform website visitors that cookies are being used on the website and may be used for the purpose of analytics and remarketing.
The GDPR introduction has had a reasonably high profile in Australia and we have been asked to offer advice to many of our clients about whether the GDPR applies to them. If you require company specific advice, we can help by providing:
- Tailored GDPR compliant privacy statements for a company website.
- Advice as to how to manage a data breach.
- Tailored statements in relation to cookies and collection of data for re-marketing.
- Step by step advice for a GDPR compliant company newsletter.
We encourage you to ensure your business is compliant today and to e-mail us at email@example.com with your business specific questions.
Bayston Group are the Business Lawyers you have always wanted. We look after the legal needs of Australian businesses big and small. We are fast, sensible and practical with a truckload of experience. You will wonder how you ever got by without us.