GDPR is about to be implemented in May 2018 and, yes, it can impact Australian businesses (big and small) too.
A number of things have changed in the European General Data Protection Regulation (GDPR) since it was rolled out in the 1990s. As technology evolves so does the risks of data breaches. Cybercriminals never cease to find ways to infiltrate sources and extract personal, sensitive data. In 2017 alone, reports of data breaches are quite alarming. This suggests that the longstanding data protection rules are no longer serving their purposes.
As a result, a strengthened GDPR is scheduled to come into force on 25 May 2018 “to harmonize data privacy laws across Europe.” The new regulations highlight how personal data can be used by individuals, government, organisations, and companies. It promises to provide greater security and rights to every entity as well as better data management. Moreover, “heavy” fines and penalties are set out.
Australia may be 9,000 miles away from Europe, but still, its businesses are bound to comply with the GDPR. There are, of course, exceptions to the rule.
To clear up some misconceptions, not all Australian businesses will be impacted by GDPR. However, companies of any size may be required to comply with GDPR if they satisfy any of the following instances:
- an Australian business with an office in the EU
- an Australian business whose website targets EU customers for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros
- an Australian business whose website mentions customers or users in the EU
- an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.
Full information on these standards is accessible through the Office of the Australian Information Commissioner (OAIC) website.
GDPR compliance guide
The Australian Privacy Act 1988 and GDPR are grounded by similar general principles. Even so, Australian businesses must ensure compliance because violation of the GDPR can cost your company millions. Fines can go up to 4% of the offending business’ annual global turnover or €20 million, whichever is greater.
To help you prepare your company with GDPR, take these steps:
Seek legal advice. IT lawyers are well-versed about GDPR compliance and they can help you review business policy and implement the necessary changes. They also make sure that the best interests of all parties involved – such as business owner, clients or customers, and employees – are taken into account.
Update business documents and processes. Make certain that all changes of company policy, business practices and governance structure are in order by May 2018. Take heed of your legal counsel’s pieces of advice. Everyone involved has to sign off on the new documents and processes.
Upgrade your IT systems. More importantly, work with your IT team to ensure that your website’s privacy notices are updated and accessible to your users. GDPR requires user consent when it comes to collecting personal, sensitive data. A consent statement with a “tick to accept” box is advised to record user’s consent. For websites with a global audience, GDPR may not apply unless it has an intention to offer or sell goods and services to any EU entity.
As far as email marketing campaigns and cold email campaigns are concerned, here’s a good advice from Woodpecker:
First of all, GDPR has not been designed to kill email marketing or cold emails. It’s not even a regulation about emails, or marketing, or business. It’s about protecting personal data.
You have to remember, though, that sending your email campaigns, doing marketing, running a business you probably process personal data. If at any point you process personal data of EU citizens, this processing should be GDPR compliant – that is to follow certain principles.
So no, you don’t have to stop your email marketing campaigns, or your cold email campaigns when GDPR becomes binding. You should make sure the data used in those campaigns are being processed according to the rules of GDPR.
Notifiable Data Breaches Scheme
Speaking of unauthorised disclosure of personal data, OAIC implemented the Notifiable Data Breaches Scheme (NDBS) last February. The initiative, under the Privacy Act 1988, mandates every entity to report any eligible data breach to the OAIC and the affected individuals.
Anyone can lodge any suspected or known eligible data breach by filling out the Notifiable Data Breach statement — Form. There will be civil penalties of up to $1.7m if a data breach is validated.
To sum up
GDPR will come into force on 25 May 2018. It will require stern protection of personal data and privacy of EU citizens and EU member states. You must abide by GDPR principles if your Australian company or business has a European arm, offers goods and services to EU individuals, and monitors the behaviour of entities in the EU.