Have You Heard About GDPR?
Posted: 11th June 2018
Posted in: Latest News
You may have received information recently from Google or other providers regarding the European Union General Data Protection Regulation (the GDPR), which came into force on 25 May 2018.
So, what is the GDPR, and is it something that you as an Australian business should be concerned about? We have put together the following to help explain it and give simple answers.
What is the GDPR?
The GDPR is the new European Union regulation that governs data protection, retention and privacy. It is designed to regulate and protect the personal data of individuals who reside in the EU through the full cycle of collection, retention, use, transfer/sharing and deletion of that data.
The GDPR covers similar ground to the Australian Privacy Act and Australian privacy law. However, the GDPR is considered more wide-ranging and comprehensive. It is also reasonable to assume it will become the ‘standard’ for privacy legislation across the globe.
What is the summary of the GDPR?
In simple terms the central requirements of GDPR are:
- Obtain Explicit Consent from users to use their data for the purposes you intend
- Provide Access to users to their information
- Provide the Option to Remove their information
- Provide detailed Privacy Policies that are accurate and current
For those who want more detail, read on…
How does it impact Australian Businesses?
The first question to ask yourself is ‘do you supply goods or services to individuals in the EU?’ If you do then your business will be expected to comply.
The second question is ‘do you deal with any personal information held by EU corporate customers or suppliers?’ In other words, do you have any suppliers that pass information on EU citizens down the line, or that process personal information for your business? If you do, then you should also comply.
How does GDPR differ from Australian Privacy Law?
While the GDPR is complex in detail, essentially the differences are:
- In Australia, consent to collect private data can be ‘implied’ (for example, you set a ‘Join Our Mailing List’ field on an online form to default to ‘Yes’, thereby automatically saving that user’s data for promotional purposes), whereas under the GDPR it must be a specific ‘statement or by clear affirmative action’. In other words, the user has to actively approve their agreement.
- Under both systems, consent must be able to be withdrawn at any time.
- In Australia you need to provide the right to access and the right to correct personal data. The GDPR adds further rights, such as the right to erase data and the right not to be subject to decisions based solely on automated processing.
Tips for compliance
Consent – all consent should be action-based opt-in, with no checkboxes set to ‘Yes’ or ‘I Agree’ by default. For an online store, an ‘Agree to terms’ checkbox on both sign-up and checkout is suggested.
SSL Security (Encryption) – any website capturing personal information in any way should have site-wide SSL. This is now a common expectation.
GDPR Checklist – a full checklist is available here
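To make the consent points above concrete, here is an added example (not code from the original post) of a small consent ledger for a web form: the opt-in box is never pre-ticked, consent is recorded only when the field was actively submitted, it can be withdrawn at any time, and the user's data can be exported or erased. The field names (`userId`, `purpose`, `policyVersion`) and the `consent_<purpose>` form field are illustrative assumptions.

```javascript
// Added example, not code from the original post. Models the GDPR points
// discussed above: explicit opt-in, withdrawal at any time, access and erasure.
// Field names (userId, purpose, policyVersion) are illustrative assumptions.

// Render an opt-in checkbox that is never pre-ticked: the user must act.
function renderConsentCheckbox(purpose, label) {
  // Deliberately no `checked` attribute; the default state is "no consent".
  return `<label><input type="checkbox" name="consent_${purpose}" value="yes"> ${label}</label>`;
}

class ConsentLedger {
  constructor() { this.records = new Map(); } // userId -> [consent records]

  // Accept consent only when the submitted form actually carries the field.
  // An unticked box is simply absent from a form submission, so absence means
  // the user never opted in and nothing is recorded for that purpose.
  recordConsent(userId, purpose, form, policyVersion, now = new Date()) {
    if (form[`consent_${purpose}`] !== 'yes') {
      return { granted: false, reason: `no explicit opt-in for ${purpose}` };
    }
    const entry = { purpose, policyVersion, grantedAt: now.toISOString(), withdrawnAt: null };
    const list = this.records.get(userId) || [];
    list.push(entry);
    this.records.set(userId, list);
    return { granted: true };
  }

  // Consent must be withdrawable at any time; the record is kept as evidence.
  withdrawConsent(userId, purpose, now = new Date()) {
    for (const r of this.records.get(userId) || []) {
      if (r.purpose === purpose && r.withdrawnAt === null) r.withdrawnAt = now.toISOString();
    }
  }

  // Is it currently permitted to use this user's data for this purpose?
  hasConsent(userId, purpose) {
    return (this.records.get(userId) || []).some(r => r.purpose === purpose && r.withdrawnAt === null);
  }

  // Right of access: return everything held about the user.
  exportUser(userId) { return { userId, consents: this.records.get(userId) || [] }; }

  // Right to erasure: delete everything held about the user.
  eraseUser(userId) { return this.records.delete(userId); }
}
```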
The above is a quick interpretation to assist our clients. If you are dealing with customers or suppliers from the EU, we suggest that you check with your legal contacts to explore the detailed requirements, and also with your accountant about transaction data retention requirements, particularly if your online store is the primary record of your transactions.