What is GDPR?
Effective May 25, 2018, the European Union General Data Protection Regulation (GDPR) will be enforced, providing enhanced protection for the personal data of European consumers. The regulation affects any business that deals with data of EU citizens – including businesses that are based outside the EU.
The new law applies to all EU residents who subscribe after 25 May 2018 AND to all existing EU subscribers already on your email lists and in your databases.
The GDPR requires, among other things, that companies erase personal data on request unless there is a legitimate reason to retain it; inform those affected by data breaches; and design data protection into their products and services.
It’s also worth noting that GDPR is what’s known as a principles-based regulation. That means organisations are responsible for considering what obligations they may or may not need to meet, all based on the unique and specific circumstances of their business and their use of data.
Does The GDPR Apply To Australian Companies?
Yes – if advertising to or collecting data of EU citizens.
Australian businesses that may be covered by the GDPR include:
- an Australian business with an office in the EU
- an Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
- an Australian business whose website mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
What Will Australian Businesses Have To Do?
Essentially, companies will have to collect EU residents’ consent to use personally identifiable information (PII)—such as email addresses, birth dates, government-issued identity numbers, credit card and bank account information, IP addresses, mobile device numbers, and biometrics—for explicit purposes.
What Will Be Different?
Australian companies have been following many of these practices for 20 years. The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices.
However, in Australia ‘consent’ means ‘express consent or implied consent’. The GDPR includes a new definition of consent, which states that it must be:
- freely given
- an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing.
This means no more mass emailing customers and prospects and leaving it up to them to opt out. You will need their express consent to email them newsletters or offers.
Silence, pre-ticked boxes or inactivity are not considered consent.
Also, the practice of ‘bundling’ together multiple requests for an individual’s consent to a range of different data processing operations (known as ‘bundled consent’) is not considered consent where separate consents are appropriate in the circumstances. It may be required that specific consent be gathered for each individual use of data being collected (for analytics, for ad serving, for a CRM and so on).
This means that you may need to update your client contracts, sign-up forms and even add a website cookie consent pop-up.
You might also have to update your systems and processes, because the GDPR mandates that customers be able to access and change their preferences at any time and protects certain rights of individuals (such as the ‘right to be forgotten’). These rights are not expressly provided for in the Privacy Act.
In practice, this means ensuring that your users are able to change, correct and download their profile.
What Living Online Can Do To Ensure Your GDPR Compliance:
We will work with you to ensure the following are compliant and updated on your website and/or mobile apps if required:
- Cookie consent popup
- Sign-up/opt-in forms
- Enquiry forms
- Data storage systems we handle
We will update your legal entity information, data collection contact fields and ensure compliance in the following applications:
- Google Analytics / 360 Suite
- Google AdWords
What You Need To Do To Ensure Your GDPR Compliance:
- It is recommended to appoint a data protection officer. The GDPR states that a data protection officer (DPO) should oversee an organisation’s data protection strategies and compliance programme.
- Locate all the personal data you have collected for clients. This is EU-specific, but it is a good exercise across the board. Ensure you know where to find it if audited.
- Pseudonymise personal data where practical. This can be by encryption or other data protection mechanisms. Keep the key to unlocking the personal data in a separate place.
- Become accountable. The Regulation includes provisions that promote accountability, so the DPC advises organisations to make an inventory of all the personal data they hold and examine it under the following questions:
  - Why are you holding it?
  - How did you obtain it?
  - Why was it originally gathered?
  - How long will you retain it?
  - How secure is it, both in terms of encryption and accessibility?
  - Do you ever share it with third parties, and on what basis might you do so?
- Review your consent requests. The GDPR lists specific requirements for lawful consent requests. Ensure newsletter signups etc. are not using implied consent options for EU countries.
- Investigate further if minors (under 18) are involved as there are specific clauses related to their data.
- Build express consent into your client on-boarding contracts or purchasing process if you deal with European customers.
- Plan for data breaches. One of the biggest challenges that the GDPR presents to organisations is its data breach notification requirements. Organisations must report data breaches to their supervisory authority within 72 hours of discovery, and provide them with as much detail as possible. Infringements can be subject to a maximum penalty of €20 million or 4 per cent of annual worldwide turnover (whichever is higher).
- Double-check your responsibilities and ensure compliance. There are many online resources (e.g. the Office of the Australian Information Commissioner GDPR guide), and it is also worthwhile to seek legal advice on compliance, as hefty fines apply for breaches.
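As an added illustration of the pseudonymisation and erasure points in the checklist above (example code written for this page, not code from Living Online or any product it names): a keyed hash gives each data subject a stable pseudonym, the key and the pseudonym-to-PII mapping live in a separate vault, and deleting a vault entry honours a ‘right to be forgotten’ request while the working data stays usable for analytics. The field names and sample record are assumed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed PII fields for this example; a real inventory would list every such field.
PII_FIELDS = ("email", "birth_date")


class PseudonymisationVault:
    """Holds the secret key and the pseudonym -> PII mapping.

    Keep this store on a different system from the working data, so that a copy
    of the working data alone cannot identify anyone.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self.vault: Dict[str, Dict[str, str]] = {}

    def pseudonym(self, subject_id: str) -> str:
        # Keyed hash: the same subject always gets the same token (records can still
        # be joined for analytics), but without the key the token is unlinkable.
        return hmac.new(self.key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, record: dict) -> dict:
        token = self.pseudonym(record["email"])
        self.vault[token] = {f: record[f] for f in PII_FIELDS}
        working = {k: v for k, v in record.items() if k not in PII_FIELDS}
        working["subject"] = token
        return working

    def reidentify(self, working: dict) -> Optional[dict]:
        # Re-identification is only possible while the vault entry exists.
        pii = self.vault.get(working["subject"])
        if pii is None:
            return None
        return {**pii, **{k: v for k, v in working.items() if k != "subject"}}

    def erase(self, subject_id: str) -> bool:
        # Erasure request: drop the mapping; the working row becomes anonymous.
        return self.vault.pop(self.pseudonym(subject_id), None) is not None


if __name__ == "__main__":
    vault = PseudonymisationVault()
    # Constructed sample record, not real customer data.
    row = vault.pseudonymise({"email": "a@example.com", "birth_date": "1990-01-01", "orders": 3})
    print(row, vault.reidentify(row), vault.erase("a@example.com"), vault.reidentify(row))
```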
Note: This content does not constitute legal advice and should not be relied upon as such. Please seek professional legal counsel advice to suit your specific situation.