What Your Business Needs to Know About the EU’s New Privacy Laws

by LegalVision

The European Union General Data Protection Regulation (also known as GDPR) is a new piece of European Union (EU) legislation that comes into effect on 25 May 2018. The main aim of the GDPR is to protect the personal data of individuals based in the EU.

The key difference between the GDPR and most other national privacy laws, such as the Australian Privacy Principles (the APPs), is that the GDPR not only applies to businesses located within the geographical territory of the EU, but also to all businesses worldwide that collect the data of individuals based in the EU.

Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply. Penalties for breaching the GDPR can attract substantial fines – up to 4% of the offending business’ annual global turnover or €20 million (whichever is greater).

Does the GDPR Apply to My Australian Business?

If you operate a website in Australia and collect data about your users, the GDPR will apply to you if:

  • your business is established in the EU, or
  • you offer goods or services to EU-based individuals (free or paid), or
  • you monitor EU-based individuals’ behaviour.

If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, then working out whether you “offer goods or services” to EU-based individuals is the most relevant question for you to address.

As most websites are accessible to a global audience, the GDPR is clear that the mere fact that EU-based individuals can access a website does not, in itself, indicate that the business is caught by the GDPR. The crucial factor is whether a business intends to offer goods or services to EU-based individuals.

Factors that indicate an intention to offer goods or services to EU-based individuals can be:

  • using a European language on your website, or
  • using a European currency on your website, or
  • mentioning customers or users who are in the EU.

The key takeaway is that if you tailor your website, your marketing or any other aspect of your website to help you attract and then sell to individuals based in the EU, then your business must comply with the GDPR.

How Does My Business Become Compliant?

Becoming GDPR compliant may require that you tweak your IT systems, internal processes and legal documents. This is a guide only; your business may need to engage an IT lawyer to review your documents and processes. Below is a simplified guide to becoming GDPR compliant:

  1. Make sure that your privacy policy is compliant with the GDPR
    Having a privacy policy that is compliant with the APPs is a good start, but as the GDPR gives users broader rights (e.g. the APPs do not give individuals the right to ask for their data to be erased), your current privacy policy may need to be updated to cover the additional concepts introduced by the GDPR.

  2. Update your processes and systems on your website
    Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you need explicit and unambiguous consent from a user when you process their data. It is therefore suggested that when you collect personal data, you also include a consent statement next to a “tick to accept” box to record a user’s consent to the collection of personal data.

Key Takeaways

If you are collecting personal data and your business is (i) established in the EU, (ii) offers goods or services to EU-based individuals, or (iii) monitors the behaviour of individuals in the EU, you need to comply with the GDPR. The road to compliance is different for every business depending on what personal data is collected and how, but a good start is to update your privacy policy and your privacy notices. If you are unsure whether the GDPR applies to your business or you need help with drafting a privacy policy, it is recommended that you ask a LegalVision IT lawyer. Call LegalVision on 1300 544 755 or visit our website.
