GDPR (General Data Protection Regulation)

GDPR privacy policy

Our office is conveniently located in Sydney: 801, Level 8/100 William St, Woolloomooloo NSW 2011.

Does the GDPR Apply to You?

As you may be aware, the European Union (EU) introduced a new data protection regime, the General Data Protection Regulation (GDPR), on 25 May 2018. It applies to businesses regardless of size, and a GDPR compliant Privacy Policy is now required by law.

The GDPR applies to you if:

  • You offer goods and/or services to individuals in the EU (i.e. if anyone in the EU has purchased or can purchase from you either online or offline); and/or
  • You monitor behaviour of individuals in the EU; and/or
  • You have an establishment in the EU.

How to Write a GDPR Privacy Policy?

Here are our top 8 tips from a legal perspective.

1. Check whether the GDPR applies to your business:

First of all, the GDPR applies if your business offers goods or services to customers residing in the EU or monitors their behaviour (even if you don’t have an office in the EU).

Relevantly for Australian businesses, if your business has any EU customers whatsoever (both current and/or historical), the GDPR will apply to you no matter the size of your business.

2. You may be collecting ‘personal data’ without realising:

It’s important to recognise that ‘personal data’ means any information relating to an identified natural person or from which a natural person can be identified.

This includes details that you may be collecting from your customers. These details can be a name, address, phone number, email address and any credit card details.

It also includes cookies and any other information-collecting software.

3. Prepare a privacy policy:

If your business falls within the GDPR’s scope, you’ll need to consider, prepare and implement privacy and information management practices.

This essentially involves devising a privacy policy that is transparent and accessible to your customers via a link on your website.

4. Obtain your customers’ informed and explicit consent:

Under the GDPR, you must explicitly ask for and obtain an individual’s consent to process their personal data.

You must also make it as easy to withdraw consent as it is to give it, and you must make the customer aware of this right to withdraw.

The easiest way to obtain this record of consent is by way of a checkbox (which is not pre-checked) and/or an email confirmation before the point of purchase, acknowledging that your privacy policy, terms and conditions and cookies policy (or any combination of these) have been read and understood.

Silence, pre-checked boxes or inactivity are not considered consent.

5. This includes seeking consent from existing contacts:

If you’ve previously been collecting data from customers without actively seeking their explicit and informed consent, you should inform them of the changes in your privacy requirements due to the GDPR and seek their updated consent.

6. Your customers have a right to be forgotten:

Individuals who no longer consent to having their personal data held and used by your business have the ‘right to be forgotten’ under the GDPR.

Your customers may require you to delete their data in certain circumstances, such as where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.

7. Keep a record of any consent given:

It’s important to make a record of the consent that your customers provide, as you may need to provide evidence if regulators request to see it.

A regulator may wish to see a record of who gave consent, the date they gave it, and what they specifically consented to.

8. Be proactive:

The GDPR is a regime that largely just helps consumers reclaim and protect their personal data.

You may think that as an Australian small business, you’re unlikely to be at a high risk of prosecution for being in breach of the GDPR privacy requirements.

However, the penalties of committing a breach are severe. The fine can go up to 4% of your business’ annual turnover.

Also, we’re not sure how vigorous the enforcement of this regulation is going to be yet, so it’s always best to take small steps to be proactive.

What is the GDPR?

General Data Protection Regulation (GDPR) is a new data privacy law and it replaces the Data Protection Directive 95/46/EC. It started on 25th May 2018 and this regulation applies to all businesses operating in the EU or collecting information belonging to EU citizens.

The law covers all personal data, whether or not it is processed as part of a company’s activities, and applies to both manual and electronic data. It also places obligations on companies based outside of the EU offering goods or services to individuals living in the EU, or to EU citizens anywhere in the world.

The goal of this legislation is to modernise data protection law for the digital age while enhancing individual rights with regards to how their personal data is used by companies, organisations, and public bodies.

What is a GDPR privacy policy?

A GDPR privacy policy is a legal document that describes and explains the company’s use of the data, what information is collected, how you can access it and amend it, and a description of the steps taken to secure data.

A GDPR privacy policy is an important legal document that companies are required to have if your company is based in the EU or if you offer goods or services to EU citizens anywhere in the world (i.e. if you have any EU citizen customer).

A GDPR privacy policy should include details about how your company will collect and store data, how you will protect it while in use and while at rest, who can access it and how, how long it will be retained for, what you do with any data once you no longer need it, and whether or not you share data with third parties.

If you are unsure on whether or not you need a GDPR privacy policy, please get in touch with Progressive Legal today.

How much is a GDPR fine?

According to “The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher…The more serious infringements…could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.”

It’s best business practice to let your clients and customers know that you are looking after their personal information appropriately by way of a privacy policy. Most Australian business owners are obligated to provide a privacy policy to their customers by law. It is your responsibility to protect the data rights of your visitors, customers, or employees.

Need Legal Help? Please Get In Touch

Speak to a privacy lawyer today to get your GDPR compliant Privacy Policy. Please get in touch with us via phone or the contact form on this page.