- First of all, the GDPR applies if your business offers goods or services to customers residing in the EU or monitors their behaviour (even if you don’t have an office in the EU).
- Relevantly for Australian businesses, if your business has any EU customers whatsoever (both current and/or historical), the GDPR will apply to you no matter the size of your business.
2. You may be collecting ‘personal data’ without realising:
- It’s important to recognise that ‘personal data’ means any information relating to an identified natural person or from which a natural person can be identified.
- This includes details that you may be collecting from your customers. These details can be a name, address, phone number, email address and any credit card details.
- It also includes cookies or any other information-collecting software.
- If your business falls within the GDPR’s scope, you’ll need to consider, prepare and implement privacy and information management practices.
4. Obtain your customers’ informed and explicit consent:
- Under the GDPR, you must explicitly ask for and obtain an individual’s consent to process their personal data.
- Secondly, you must make consent as easy to withdraw as to give. Also, you must make the customer aware of this right to withdraw.
- Silence, pre-checked boxes or inactivity are not considered consent.
5. This includes seeking consent from existing contacts:
- If you’ve previously been collecting data from customers without actively seeking their explicit and informed consent, you should inform them of the changes in your privacy requirements due to the GDPR and seek their updated consent.
6. Your customers have a right to be forgotten:
- Individuals who no longer consent to having their personal data held and used by your business have the ‘right to be forgotten’ under the GDPR.
- Your customers may require you to delete their data in certain circumstances, such as where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
7. Keep a record of any consent given:
- It’s important to make a record of the consent that your customers provide, as you may need to provide evidence if regulators request to see it.
- A regulator may wish to see a record of who gave consent, the date they gave it, and what they specifically consented to.
8. Be proactive:
- The GDPR is a regime that largely just helps consumers reclaim and protect their personal data.
- You may think that as an Australian small business, you’re unlikely to be at a high risk of prosecution for being in breach of the GDPR privacy requirements. However, the penalties for committing a breach are severe. The fine can go up to 4% of your business’ annual turnover.
- Also, we’re not sure how vigorous the enforcement of this regulation is going to be yet, so it’s always best to take small steps to be proactive.