The General Data Protection Regulation (GDPR) is a new legal framework designed to help preserve the right to a private life for EU residents. It is legislation that gives individuals better control over their personal data, and it takes effect on 25 May 2018.
If you are in charge of a business operating within Australia, you may well be asking yourself whether this legislation affects your business. The answer, even if you do not conduct direct business with citizens in the EU, could well be yes.
A Summary of the GDPR Regulations
So what is the GDPR and how will it impact Australian Businesses?
If you are completely new to the conversation, the team at WebProfits put together a video that introduces some of the key points for Australian businesses, which you can view below.
For a more detailed analysis you may find this in-depth discussion on the GDPR useful.
Generally speaking, the GDPR includes specific regulation covering:
- How companies collect and process the personal data of individuals
- Who is responsible for data protection
- Penalties for organisations that do not comply with the new regulations
Does the GDPR Impact Your Business?
If your business sells goods and services in the EU, is established in the EU or monitors the behaviour of individuals in the EU, it is important that you adopt practices that adhere to the GDPR before 25 May 2018. Even if your business operates exclusively in Australia, you will still need to understand the GDPR if you process the personal data of any person living in the EU.
Australia's own privacy laws are due for an update next year, so adapting to the GDPR now could prepare many Australian businesses for what is to come.
What is 'Personal Data'?
Personal Data is defined under the GDPR as any information relating to a natural person, or 'Data Subject', that can be used, directly or indirectly, to identify that person. This can be anything from a name, a photo or an email address to an IP address or cookie information.
The Issue of Consent
If you use email for re-marketing to audiences in the EU, you will need an opt-in for personalised advertising. We recommend that this is set up before 25 May 2018; Mailchimp has a great article on this. With regard to cookies, here is a best practice resource to help you get started.
The GDPR requires you to retain personal data no longer than is necessary for the purpose you obtained it for. With regard to personal data within Google Analytics, Google Analytics now has a feature called Data Retention that enables the automatic deletion of user and event data. We recommend that you set your data retention controls in line with your own requirements under the GDPR.
Do You Need to Appoint a Data Processing Officer (DPO)?
The GDPR states that DPOs must be appointed in the case of:
- public authorities,
- businesses that engage in large-scale systematic monitoring,
- businesses that engage in large-scale processing of sensitive personal data.
If your business does not fall into one of these categories, then you do not need to appoint a DPO. Refer to Article 37 of the GDPR for clarification.
Requests for Personal Data
Under the GDPR the responsibility lies with the data controller (you) to provide all personally identifiable data to an individual upon request. Please take note of the following:
- You should provide that data in a commonly used electronic format.
- You need to respond to requests free of charge, but you may refuse or charge a fee if the request is unreasonable.
- You can ask the requester to confirm their identity.
Supporting Information - GDPR Subject Access Requests Report
For an in-depth overview of how businesses in Australia need to respond to the GDPR please read this OAIC government article.
- Read the GDPR in a web friendly format or view the Regulation in original PDF form
- 5 Things You Must Know about Email Consent under GDPR
- GDPR Impact for non-EU Companies
- GDPR Tracker App - The handy app for managing your GDPR compliance