What Your Business Needs to Know About the EU’s New Privacy Laws
The European Union General Data Protection Regulation (also known as GDPR) is a new piece of European Union (EU) legislation that comes into effect on 25 May 2018. The main aim of the GDPR is to protect the personal data of individuals based in the EU.
The key difference between the GDPR and most other national privacy laws, such as the Australian Privacy Principles (the APPs), is that the GDPR not only applies to businesses located within the geographical territory of the EU, but also to all businesses worldwide that collect the data of individuals based in the EU.
Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply. Penalties for breaching the GDPR can attract substantial fines – up to 4% of the offending business’ annual global turnover or €20 million (whichever is greater).
Does the GDPR Apply to My Australian Business?
If you operate a website in Australia and collect data about your users, the GDPR will apply to you if:
- your business is established in the EU, or
- you offer goods or services to EU-based individuals (free or paid), or
- you monitor EU-based individuals’ behaviour.
If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, then working out whether you “offer goods or services” to EU-based individuals is the most relevant question for you to address.
As most websites are accessible to a global audience, the GDPR is clear that the mere fact that EU-based individuals can access a website does not, in itself, indicate that the business is caught by the GDPR. The crucial factor is whether a business intends to offer goods or services to EU-based individuals.
Factors that indicate an intention to offer goods or services to EU-based individuals can be:
- using a European language on your website, or
- using a European currency on your website, or
- mentioning customers or users who are in the EU.
The key takeaway is that if you tailor your website, your marketing or any other aspect of your website to help you attract and then sell to individuals based in the EU, then your business must comply with the GDPR.
How Does My Business Become Compliant?
Becoming GDPR compliant may require that you tweak your IT systems, internal processes and legal documents. This is a guide only; your business may need to engage an IT lawyer to review your documents and processes. Below is a simplified guide to becoming GDPR compliant:
- Update your processes and systems on your website: Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you need explicit and unambiguous consent from a user when you process their data. It is therefore suggested that when you collect personal data, you also include a consent statement next to a “tick to accept” box to record a user’s consent to the collection of personal data.