Here are our top 8 tips from a legal perspective.

The GDPR applies to you if:

First of all, the GDPR applies if your business offers goods or services to customers residing in the EU or monitors their behaviour (even if you don’t have an office in the EU).
Relevantly for Australian businesses, if your business has any EU customers whatsoever (current or historical), the GDPR will apply to you regardless of the size of your business.
It’s important to recognise that ‘personal data’ means any information relating to an identified natural person or from which a natural person can be identified.
This includes details that you may be collecting from your customers, such as a name, address, phone number, email address and any credit card details.
It also includes data gathered by cookies or any other information-collecting software.
If your business falls within the GDPR’s scope, you’ll need to consider, prepare and implement privacy and information management practices.
Under the GDPR, you must explicitly ask for and obtain an individual’s consent to process their personal data.
Secondly, you must make it as easy to withdraw consent as it is to give it. You must also make the customer aware of this right to withdraw.
Silence, pre-checked boxes or inactivity are not considered consent.
If you’ve previously been collecting data from customers without actively seeking their explicit and informed consent, you should inform them of the changes in your privacy requirements due to the GDPR and seek their updated consent.
Individuals who no longer consent to having their personal data held and used by your business have the ‘right to be forgotten’ under the GDPR.
Your customers may require you to delete their data in certain circumstances, such as where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data.
It’s important to make a record of the consent that your customers provide, as you may need to provide evidence if regulators request to see it.
A regulator may wish to see a record of who gave consent, the date they gave it, and what they specifically consented to.
At its core, the GDPR is a regime that helps consumers reclaim and protect their personal data.
You may think that as an Australian small business, you’re unlikely to be at high risk of prosecution for breaching the GDPR privacy requirements.
However, the penalties for a breach are severe. The fine can be up to 4% of your business’s annual turnover.
Also, it is not yet clear how vigorous the enforcement of this regulation will be, so it’s always best to take small, proactive steps now.
The General Data Protection Regulation (GDPR) is a new data privacy law that replaces the Data Protection Directive 95/46/EC. It took effect on 25th May 2018 and applies to all businesses operating in the EU or collecting information belonging to EU citizens.
The law covers all personal data, whether or not it is processed as part of a company’s activities, and applies to both manual and electronic data. It also places obligations on companies based outside of the EU offering goods or services to individuals living in the EU, or to EU citizens anywhere in the world.
The goal of this legislation is to modernise data protection law for the digital age while enhancing individual rights with regards to how their personal data is used by companies, organisations, and public bodies.
According to gdpr.eu/fines: “The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher…The more serious infringements…could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.”