What do the GDPR laws mean for Australian businesses?
The deadline for GDPR is here, but what does that mean for Australian businesses?
Chances are that you’ve noticed a deluge of emails and app updates all centred around privacy updates. It’s not that every company on Earth has simultaneously grown very concerned about the issue. Instead, it’s to make sure that they meet the requirements for GDPR compliance.
What is the GDPR? It stands for General Data Protection Regulation, and in practice it means ensuring that people’s data is handled with privacy in mind. The regulation, which comes into effect on May 25 2018, places the onus for keeping people’s data safe on the companies that collect it. It was crafted as a European Union regulation, but the international nature of the internet has made it a global issue.
There are key points to the GDPR, and business owners need to make sure they:
- Process the data in a manner that is lawful, fair and transparent – in other words, make it very clear to the user what data is being collected, why it’s being collected and how it will be used
- Use the data for legitimate purposes – in other words, use it only for the reasons outlined above
- Limit the use only to what is necessary – in other words, don’t collect data that isn’t required for the main purpose, but could be used for other applications later that were not originally consented to
- Process the data in a way that maintains its accuracy – in other words, preserve the integrity of the original data, and ensure it’s kept up to date where relevant
- Store the data for no longer than necessary – in other words, automatically delete the data when there is no real reason to keep it
- Process the data in a secure fashion – in other words, use strong encryption when transferring data between systems or over the internet, and take all reasonable steps to prevent viruses or hackers from getting into databases
The short version of all this is that people who live in the European Union have a right to know what people who collect their data (primarily their name, details and digital and physical mailing addresses) are going to do with it. As we live in an interconnected digital world, our information has value and we have the right to control it as much as possible.
An interesting part of the GDPR, known as the right to be forgotten, does not have an Australian law equivalent but will be required as part of the full GDPR compliance checklist. This means that the user can at any time request that their account and any relevant details will be erased completely and not used by the business any more.
Before the advent of the GDPR, a person’s information that was freely given to one company (through, say, a newsletter email subscription) could be freely sold, resold or repurposed by advertisers or other companies. GDPR compliance forces companies to make it explicit what data is being consented for use, and in what capacity.
But what does this mean for Australian businesses?
According to the Office of the Australian Information Commissioner (OAIC), implementing the GDPR is only required if an Australian business has an operation in the EU, offers goods or services to people in the EU, or collects data about anyone in the EU. This applies to Australian businesses of any size.
Chances are that, if you run an online shop, or any service that requires users to enter their personal details, from Australia but aimed at a global market, a portion of your customers are based in the EU. Therefore it may make sense for your business to implement the GDPR to protect yourself and your customers.
How do you become GDPR compliant?
Thankfully, getting up and running with the GDPR is easy. There are two major steps to the process.