An experienced Gold Coast web design agency creating unique digital solutions since 2004.

Have You Heard About GDPR?

You may have received information recently from Google or other providers regarding the European Union General Data Protection Regulation (the GDPR), which came into force on 25 May 2018.

So, what is the GDPR, and is it something that you as an Australian business should be concerned about? We have put together the following to explain it and give simple answers.

What is the GDPR?

The GDPR is the new European Union regulation governing data protection, retention and privacy. It is designed to regulate and protect the personal data of individuals who reside in the EU through the whole cycle of collecting, retaining, using, transferring/sharing and deleting that data.

The GDPR covers similar ground to the Australian Privacy Act and Australian Privacy Law. However, the GDPR is considered more wide-ranging and comprehensive. It is also reasonable to assume it will become the ‘standard’ for privacy legislation across the globe.

What is the GDPR in summary?

In simple terms, the central requirements of the GDPR are:

  • Obtain Explicit Consent from users before using their data for the purposes you intend
  • Provide users with Access to their information
  • Provide the Option to Remove their information
  • Provide detailed Privacy Policies that are accurate and current

For those who want more detail, read on.

How does it impact Australian businesses?

The first question to ask yourself is ‘do you supply goods or services to individuals in the EU?’ If you do, then your business will be expected to comply.

The second question is ‘do you deal with any personal information held by EU corporate customers or suppliers?’ In other words, do any of your suppliers pass information on EU citizens down the line, or process personal information for your business? If so, you should also comply.

How does GDPR differ from Australian Privacy Law?

While the GDPR is complex in detail, essentially the differences are:

  • In Australia, consent to collect private data can be ‘implied’ (for example, you set a ‘Join Our Mailing List’ field on an online form to default to ‘Yes’, thereby automatically saving that user’s data for promotional purposes), whereas under the GDPR it must be a specific ‘statement or by clear affirmative action’. In other words, the user has to actively approve their agreement.
  • Under both systems, consent must be able to be withdrawn at any time.
  • In Australia you need to provide the right to access and the right to correct personal data. The GDPR adds further rights, such as the right to erase data and the right not to be subject to decisions based solely on automated processing.
  • Under the GDPR you will need to communicate more information to individuals (generally through your Privacy Policy) than is required under Australian Privacy Law.

Tips for compliance

Privacy Policy – The first step is to make sure your Privacy Policy and/or Terms & Conditions are accurate, up to date and clearly communicate to the user exactly what data you are collecting, how you intend to use it and how they can easily contact you if they wish to check, amend or delete their data. We recommend running your Privacy Policy past your legal people to ensure it covers all aspects of the privacy requirements.

Consent – all consent should be action-based opt-in: no setting checkboxes to ‘Yes’ or ‘I Agree’ by default. For an online store, using ‘Agree to terms’ on both sign-up and check-out is suggested.
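To show how the consent rule and the summary points above (explicit opt-in, access, withdrawal and removal) look on the server side of a sign-up form, here is an added example. It is not code from the original post or from the agency; the field names, the ConsentRegistry class and the sample submissions are assumptions made for illustration.

```javascript
// Added example (not from the original post): minimal server-side handling of
// explicit opt-in consent, plus the access, withdrawal and erasure requests the
// post lists. Field names, the ConsentRegistry class and the sample
// submissions are assumptions for illustration.

// Which form fields carry consent, and the purpose each one is consent for.
const CONSENT_FIELDS = {
  marketing_optin: "marketing", // the "Join Our Mailing List" checkbox
  terms_agree: "terms",         // the "Agree to terms" checkbox
};

// Values a browser sends for a ticked checkbox, or an explicit "yes".
const AFFIRMATIVE = new Set(["on", "yes", "true", "1"]);

// Explicit consent: the field must be present in the submission AND carry an
// affirmative value. An unticked box is simply absent from a form post, and an
// empty or pre-filled default string never counts as consent.
function consentGiven(form, field) {
  if (!Object.prototype.hasOwnProperty.call(form, field)) return false;
  return AFFIRMATIVE.has(String(form[field]).trim().toLowerCase());
}

class ConsentRegistry {
  // `clock` is injectable so timestamps are deterministic in tests.
  constructor(clock = () => new Date().toISOString()) {
    this.records = new Map(); // email -> { profile, purposes }
    this.clock = clock;
  }

  // Store the profile and only the purposes the user actively opted in to.
  // Agreement to the terms is mandatory for sign-up; marketing is optional.
  // Returns the list of purposes that were granted.
  register(form) {
    if (!form.email) throw new Error("email is required");
    if (!consentGiven(form, "terms_agree")) {
      throw new Error("sign-up requires active agreement to the terms");
    }
    const purposes = {};
    for (const [field, purpose] of Object.entries(CONSENT_FIELDS)) {
      if (consentGiven(form, field)) {
        purposes[purpose] = { granted: this.clock(), withdrawn: null };
      }
    }
    this.records.set(form.email, {
      profile: { email: form.email, name: form.name === undefined ? null : form.name },
      purposes,
    });
    return Object.keys(purposes);
  }

  // Withdrawal at any time: keep both the grant and the withdrawal timestamps
  // so any later use of the data can be checked against them.
  withdraw(email, purpose) {
    const entry = this.records.get(email);
    if (!entry || !entry.purposes[purpose]) return false;
    entry.purposes[purpose].withdrawn = this.clock();
    return true;
  }

  // Purposes the data may currently be used for.
  activePurposes(email) {
    const entry = this.records.get(email);
    if (!entry) return [];
    return Object.entries(entry.purposes)
      .filter(([, p]) => p.withdrawn === null)
      .map(([purpose]) => purpose);
  }

  // Access: hand back a copy of everything held about the user.
  access(email) {
    const entry = this.records.get(email);
    return entry ? JSON.parse(JSON.stringify(entry)) : null;
  }

  // Removal: drop the record entirely.
  erase(email) {
    return this.records.delete(email);
  }
}

// Constructed sample submissions. A browser omits unticked checkboxes, so the
// first user's "marketing_optin" field is simply missing from the post.
const SUBMISSIONS = [
  { email: "a@example.com", name: "A", terms_agree: "on" },
  { email: "b@example.com", name: "B", terms_agree: "on", marketing_optin: "on" },
];
```

The important detail is in consentGiven: because an unticked checkbox is not sent at all, the server must treat a missing field as "no consent" rather than falling back to a default, which is exactly the implied-consent pattern the GDPR does not accept.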

Only Collect What You Need – only collect what you really need. If you don’t need a date of birth or other details, don’t ask for them. If you do, then tell the user why you need it and how it will be used (in your Privacy Policy).

SSL Security (Encryption) – any website capturing personal information in any way should have site-wide SSL/TLS (HTTPS), not just on the form pages. This is now a common expectation.

GDPR Checklist – a full checklist is available here

Summary

The above is a quick interpretation to assist our clients. We suggest that if you are dealing with customers or suppliers from the EU, you check with your legal contacts to explore the detailed requirements, and also with your accountant about transaction data retention requirements, particularly if your online store is the primary record of your transactions.