By Jeremy Davey, Senior Lawyer & Shara Lim, Legal Projects Officer
GDPR stands for General Data Protection Regulation - a powerful new law introduced by the European Union (EU). The GDPR became enforceable on 25 May 2018. It aims to harmonise data protection procedures and enforcement across the EU, helping consumers reclaim and protect their personal data.
The GDPR has global reach, and severe penalties for noncompliance. Breaches are punishable by the higher of €20 million or 4% of annual company turnover. While the regulatory spotlight will mainly be focused on the EU, it’s important that Australian businesses understand their own exposure and take action to manage their risk.
Does the GDPR apply to my business?
Probably! If you:
offer, or have in the past offered, goods and/or services to individuals in the EU (i.e. if anyone in the EU has purchased or can purchase from you either online or offline); and/or
monitor the behaviour of individuals in the EU; and/or
have an establishment in the EU,
you should prepare to comply with the GDPR, regardless of your business’ size.
Am I collecting personal data?
‘Personal data’ means any information relating to an identified natural person, or from which a natural person can be identified. This can include a customer’s name, address, phone number, email address and any credit card details. It can also extend to information gathered using cookies, analytics or any other information-collecting software.
What should I do now to protect myself?
These tips are general in nature, and are no substitute for specialised legal advice about your business. We believe they constitute the bare minimum that Australian businesses should do, as soon as possible, to help reduce their risk under the GDPR.
1. Understand how you collect and use data
Perform a comprehensive audit of your sources of data collection and storage. How does data come into your business, and how do you use it? Understanding and documenting your data flow is the crucial first step to GDPR (and general privacy law) compliance.
If you use third-party storage or marketing services, your customers’ data might not be under as much of your control as you think. Review your third-party arrangements – anyone assisting you with the collection, storage or processing of personal data also needs to comply with the GDPR requirements, and you can get into trouble if they don’t.
If your business falls within the GDPR’s scope, you’ll need to consider, prepare and implement privacy and information management practices.
3. Obtain your customers’ informed and explicit consent
Under the GDPR, you must be able to show a lawful basis for processing someone’s personal data. The easiest way to prove a lawful basis is to explicitly ask for and obtain an individual’s consent to process their personal data.
These requirements apply to past customers as well as current and future customers. If you have previously collected data from customers and there is any doubt about whether you had a GDPR-friendly ‘lawful basis’ for doing so, it is likely necessary to inform them of changes in privacy requirements and seek their updated consent.
Silence, pre-checked boxes or inactivity are not considered consent.
4. Keep a record of consent given
As regulators may request to see evidence, it is important to make a record of the consent that your customers provide.
Relevant details may include the contact information of the person who gave consent, the date of consent, and what they consented to.
5. Give customers the opportunity to withdraw consent
Customers must be made aware of their right to withdraw consent, and withdrawing consent must be as easy as giving it.
Individuals who no longer consent to having their personal data held and used by your business have the ‘right to be forgotten’ under the GDPR.
If consent is withdrawn or if information is no longer necessary for the purpose for which it was collected, there is likely no legal ground for processing or keeping the data.
Do I have any future obligations?
Although it may seem to be a minor consideration for small businesses in Australia, the penalties for breaching the GDPR are severe.
It is uncertain how vigorously the GDPR will be enforced, so it is important to be proactive about fulfilling your requirements.
To do this, it may be helpful to promote company-wide awareness about GDPR obligations, and consider auditing procedures.
The Law Squared team can help you navigate changes in your business operations that may arise as a result of the GDPR.
At Law Squared, we partner with passionate entrepreneurs and businesses who need our technical help and expertise. We’d love to have a chat with you, so feel free to drop us an email at email@example.com.