What is the GDPR and why is it important?


By Jeremy Davey, Senior Lawyer & Shara Lim, Legal Projects Officer


GDPR stands for General Data Protection Regulation - a powerful new law introduced by the European Union (EU). The GDPR became enforceable on 25 May 2018. It aims to harmonise data protection rules and enforcement across the EU, helping consumers reclaim and protect their personal data.


The GDPR has global reach, and severe penalties for noncompliance. Infringements are punishable by fines of up to the higher of €20 million or 4% of a company’s annual worldwide turnover. While the regulatory spotlight will mainly be focused on the EU, it’s important that Australian businesses understand their own exposure and take action to manage their risk.


Does the GDPR apply to my business?

Probably! If you:

  • offer, or have in the past offered, goods and/or services to individuals in the EU (i.e. if anyone in the EU has purchased or can purchase from you either online or offline); and/or

  • monitor the behaviour of individuals in the EU; and/or

  • have an establishment in the EU,

you should prepare to comply with the GDPR, regardless of your business’ size.


Am I collecting personal data?

‘Personal data’ means any information relating to an identified natural person or from which a natural person can be identified. This can include a customer’s name, address, phone number, email address and any credit card details. It can also extend to information gathered using cookies, analytics or any information collecting software.


What should I do now to protect myself?

These tips are general in nature, and are no substitute for specialised legal advice about your business.  We believe they constitute the bare minimum that Australian businesses should do, as soon as possible, to help reduce their risk under the GDPR.


1.      Understand how you collect and use data

  • Perform a comprehensive audit of your sources of data collection and storage. How does data come into your business, and how do you use it? Understanding and documenting your data flow is the crucial first step to GDPR (and general privacy law) compliance.

  • If you use third-party storage or marketing services, your customers’ data might not be under as much of your control as you think. Review your third party arrangements – anyone assisting you with the collection, storage or processing of personal data also needs to comply with the GDPR requirements, and you can get into trouble if they don’t.


2.      Prepare (or update) your privacy policy

  • If your business falls within the GDPR’s scope, you’ll need to consider, prepare and implement privacy and information management practices.

  • This means devising a privacy policy that is transparent and accessible for customers, preferably through a link on your website.


3.     Obtain your customers’ informed and explicit consent

  • Under the GDPR, you must be able to show a lawful basis for processing someone’s personal data. The easiest way to prove a lawful basis is to explicitly ask for and obtain an individual’s consent to process their personal data.

  • This record of consent can be obtained by asking them to acknowledge that your privacy policy, terms and conditions and cookies policy (or any combination of these) have been read and understood. The acknowledgement must be active (such as a checkbox) and should be obtained as early as possible.

  • These requirements apply to past customers as well as current and future customers. If you have previously collected data from customers and there is any doubt about whether you had a GDPR-friendly ‘lawful basis’ for doing so, it is likely necessary to inform them of changes in privacy requirements and seek their updated consent.

  • Silence, pre-checked boxes or inactivity are not considered consent.


4.     Keep a record of consent given

  • As regulators may request to see evidence, it is important to make a record of the consent that your customers provide.

  • Relevant details may include the contact information of the person who gave consent, the date of consent, and what they consented to.


5.     Give customers the opportunity to withdraw consent

  • Customers must be told of their right to withdraw consent, and withdrawing consent must be as easy as giving it.

  • Individuals who no longer consent to having their personal data held and used by your business have the ‘right to be forgotten’ under the GDPR.

  • If consent is withdrawn or if information is no longer necessary for the purpose for which it was collected, there is likely no legal ground for processing or keeping the data.


Do I have any future obligations?

  • Although it may seem to be a minor consideration for small business in Australia, the penalties of breaching the GDPR are severe.

  • It is uncertain how vigorously the GDPR will be enforced, so it is important to be proactive about fulfilling your requirements.

  • To do this, it may be helpful to promote company-wide awareness about GDPR obligations, and consider auditing procedures.

  • The Law Squared team can help you navigate changes in your business operations that may arise as a result of the GDPR.

At Law Squared, we partner with passionate entrepreneurs and businesses who need our technical help and expertise. We’d love to have a chat with you, so feel free to drop us an email hello@lawsquared.co.


