Soon the European Union General Data Protection Regulation (GDPR) will come into effect. All businesses will need to be compliant by 25th May 2018. GDPR compliance in Australia will affect many, if not most, businesses in ways they may not expect.
What is GDPR? In short, GDPR will give individuals in the EU more control over how any organisation or business uses, collects and stores their personal data.
These new laws are trying to address the use and abuse of individuals' personal data to market businesses' products and services. GDPR compliance in Australia will become a prominent issue in the coming months and the penalties are steep for those who do not comply.
In particular, the IT giants like Amazon, Google and Facebook have been harvesting this information actively and quite easily for the past 4-5 years. Now, the European Union is offering people the option to be aware of the way their data may be utilised. The latest Facebook debacle has highlighted why the European Union (and many Australian businesses as a consequence) are about to encounter the new GDPR laws.
Which businesses need GDPR compliance in Australia?
– All EU based businesses
– Businesses with an office, agent or representative in the EU
– If your business offers goods or services to individuals in the EU (free or paid)
– Collecting 'data' from individuals who reside in the EU (like a form on your website to collect contacts for marketing purposes)
– If your website or business uses a top-level domain of an EU Member State (e.g. .fr) or prices in the currency of an EU Member State
You may be thinking 'oh this doesn't apply to me', however I urge you to be aware that GDPR compliance in Australia may raise its head in unexpected ways. You should consider data flow and collection arrangements with all affiliate entities, and likewise any advertising which may reach individuals in the EU. So if, for example, you advertise on Facebook, or use cookies to build a profile of your website visitors and use this to target content at those individuals, GDPR applies to you.
If you have been sitting on the fence with taking steps to ensure your business privacy policy and data retention strategies are in order, then now is the time to address it. It's not hard. Most small businesses in Australia can make a couple of changes to their privacy policy and website data collection facility. It is a matter of giving people the option to say 'yes' or 'no' to collecting their data and informing them of what you intend to do with any information they provide (knowingly or inadvertently).
However, if you have more extensive engagement with the EU then I recommend becoming familiar with European data protection concepts (data controller and data processor) and having a professional prepare your legal documents. It may be necessary to undertake a privacy and information audit of your business, and I recommend consulting a professional if your business has substantial trading with any EU Member State.
These are the steps I recommend you take:
1. Implement a GDPR compliant Privacy Policy page on your website.
2. Set up all opt-in data collection forms on your website with a checkbox that records a declaration of consent and a link to your privacy policy.
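Step 2 is only effective if the server enforces it: a checkbox that is pre-ticked, or a submission that skips the browser form entirely, must not be treated as consent. The following is an added example (not code from this article or from any of the providers listed below) showing an unchecked-by-default consent checkbox linked to the policy, plus the server-side check and the consent record you would keep as evidence. The form fields, the `policy_version` value and the sample submission are constructed for illustration.

```python
from datetime import datetime, timezone
from html import escape

# Values a browser sends when the user actually ticked the box. Anything else
# (missing field, "", "false", "off") is treated as no consent.
AFFIRMATIVE = {"on", "true", "1", "yes"}


def consent_checkbox_html(policy_url, policy_version):
    """Render the opt-in checkbox: never pre-ticked, always linked to the policy.

    The hidden policy_version field records which policy text the user saw.
    """
    return (
        f'<input type="checkbox" name="consent" id="consent" required>\n'
        f'<label for="consent">I agree to my details being used as described in the '
        f'<a href="{escape(policy_url)}">privacy policy</a></label>\n'
        f'<input type="hidden" name="policy_version" value="{escape(policy_version)}">'
    )


def record_consent(form, policy_version, now=None):
    """Validate a submitted opt-in form server-side and build a consent record.

    `form` is the posted fields as a dict (constructed in the usage below).
    Raises ValueError when consent was not explicitly given, so a submission
    that bypasses the checkbox is rejected rather than silently stored.
    """
    raw = str(form.get("consent", "")).strip().lower()
    if raw not in AFFIRMATIVE:
        raise ValueError("explicit consent checkbox not ticked")
    # The user must have agreed to the policy version currently in force;
    # an older version means they agreed to text the site no longer follows.
    if form.get("policy_version") != policy_version:
        raise ValueError("consent given against a different privacy policy version")
    email = str(form.get("email", "")).strip()
    if "@" not in email:
        raise ValueError("email address required for opt-in contact")
    ts = now or datetime.now(timezone.utc)
    # Keep only what is needed to demonstrate consent later, not the whole
    # submission: who, when, which policy version, and for what purpose.
    return {
        "email": email,
        "policy_version": policy_version,
        "consented_at": ts.isoformat(),
        "purpose": form.get("purpose", "marketing"),
    }


if __name__ == "__main__":
    print(consent_checkbox_html("/privacy-policy", "2018-05"))
    print(record_consent({"email": "jo@example.com", "consent": "on",
                          "policy_version": "2018-05"}, "2018-05"))
```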
Privacy Policy Providers
I have put together a few links where you can create your Privacy Policy using low-cost providers:
– https://privacypolicies.com/ Be careful: this one says free but it is only free for personal use. Commercial use is $27, and there is an option to also create a terms of service for an additional small cost.
– https://wordpress.org/plugins/oik-privacy-policy/ This one costs about $150.
– https://www.iubenda.com/en This site charges about $30 per year to keep the policy updated.
The privacy policy needs to be tailored to your website's needs, so when you create the policy be sure to consider carefully the options that relate to any kind of social media promotion, cookie tracking, apps or data collection of any kind.
Penalties for breaching the GDPR are split into two categories:
• the maximum penalty for lower severity obligations is €10,000,000 (approx. AUD$15.3m) or 2% of the business’ worldwide annual turnover for the preceding financial year – whichever is greater; and
• the maximum penalty for higher severity obligations is €20,000,000 (approx. AUD$30.6m) or 4% of the business’ worldwide annual turnover for the preceding financial year – whichever is greater.
GDPR compliance in Australia is serious business and my final advice is to take the safe route and get compliant quickly. If you need help to do this feel free to call and I will provide you with a quote.
Please note: this article does not constitute legal advice. Consult a professional if you need legal advice.
If you like this article then you may be interested in the Country of Origin Labelling regulations that will be enforceable from 1 July 2018 – yes, that's only a matter of weeks away too!