Does the GDPR affect Australian business?

Introduction

Technology advances and internet usage has changed dramatically over the past 25 years. In 1995, Microsoft releases Windows 95 and introduced Internet Explorer 1. Amazon and eBay were founded. The internet was defined in October by the Federal Networking Council. Less than 1% of the world’s population had an internet connection in 1995.

In 2018, approximately 40% of the world’s population has an internet connection. As at January 2018, there were more than 1.3 billion websites. The first ever website was published in August 1991.

This has resulted in people spending a lot of time online. These days, the internet is regularly for social media or online shopping, or both. This leads to privacy issues over the personal data people have online.

What is GDPR?

The GDPR is short for the General Data Protection Regulation. The European Union (“EU”) introduced the GDPR and came into force on 25 May 2018. It provides greater protection on how their personal data is collected, stored and used. It affects the private information of people residing in the EU or the United Kingdom (“UK”).

GDPR privacy principles

There are six privacy principles in the GDPR:

1. Lawfulness, fairness and transparency: Businesses need to ensure their data collection policies don’t break the law and that they aren’t hiding anything from their customers/clients. This is why having an easily accessible privacy policy is important. To remain transparent, make it clear in your privacy policy the type of data you collect and why you are collecting it.
2. Purpose limitation: Businesses should only collect personal data for a specific reason and clearly outline what that reason is. Only collect that data for as long as necessary to complete the outlined purpose.
3. Data minimisation: Businesses must only process personal data to achieve its processing purposes. There are two reasons for this. Firstly, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Secondly, data minimisation makes it easier to keep it accurate and up to date.
4. Accuracy: Accuracy of personal data is an essential part of data protection. The GDPR requires that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
5. Storage limitation: Businesses need to delete personal data when it’s no longer necessary. How long is that? As long as the individual is considered a customer or client. This will vary from business to business. Therefore, it would be appropriate to seek legal advice regarding this.
6. Integrity and confidentiality: The GDPR requires personal data to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Why does this affect me as an Australian business?

If you have a subscriber list that includes EU subscribers, or you market your goods or services to EU citizens, then you will need to comply with the GDPR. Failure to do so may result in serious fines for breaching privacy.

Some tips

1. Have a privacy policy on your website.
2. Ensure your privacy policy is GDPR compliant. Be mindful that having a privacy policy that complies with the Australian Privacy Policies (“APP”) is a great start, but the GDPR gives individuals even broader rights. Therefore, your privacy policy may require updating to cover the GDPR in addition to the APP.
3. Ensure your privacy policy is easy to find on your website.
4. Store personal data in a readily available format. The GDPR provides individuals the right to: be informed, have access to their personal information, have their personal information corrected, data portability, to object to the processing of their personal information and automated decision and profiling.
5. Remember that under the GDPR, consent must be explicit. Implied consent is not enough. Individuals may withdraw consent at any time.
6. Check your subscriber or mailing list, if you have one. Contact any EU or UK residents on your list and obtain their express consent to keep their information. If express consent is not forthcoming, you will need to delete their information.
7. Update the enquiry/contact us form on your website to include a check box that reads something like “I have read your privacy policy and agree to you storing information on this form”. Do not have the box pre-checked.
8. Make it easy for individuals to unsubscribe from your marketing emails or have their information deleted. Platforms such as MailChimp are good as they have an unsubscribe option in their emails.

Here is an example of a contact us form:

Conclusion

Do not let the GDPR prevent you from having clients who are EU or UK residents. All you need to do is ensure that you’re GDPR compliant.

This article is not intended to replace appropriate legal advice.