GDPR and Australia: How is it affecting owners and employees?
The General Data Protection Regulation (GDPR) has been the major talking point across European Union (EU) businesses for the past year. But having come into effect on 25 May 2018, its reach extends far beyond the EU’s boundaries. In fact, the regulation has the ability to impact any business throughout the world that even has a tentative association with the EU.
What is the GDPR’s relevance to Australian businesses, and how can it affect not only owners, but their employees as well?
GDPR and Australia
There is strict guidance from the Office of the Australian Information Commissioner (OAIC) around what Australian businesses must do now that the GDPR is in effect. For several months now, companies around the world have had to make changes to their systems and policies if they have any dealings with EU operators. According to the OAIC, the regulation applies to:
- Australian entities that operate businesses established in a member state of the EU.
- Australian-based entities that offer goods or services to individuals in the EU, irrespective of whether a payment is required.
- Australian-based entities that monitor the behaviour of individuals in the EU, where that behaviour takes place within the EU.
It’s worth noting that ignorance is not a defence against GDPR breaches, and Australian businesses with even minor interactions with individuals or companies within the European Union would be wise to review their protocols if they haven’t already done so.
How is the GDPR impacting your business – right now?
So for Australian businesses that must comply with the new GDPR laws, what does the regulation most affect?
- Collection of data: How, where and for what reason a business collects data may fall under the scrutiny of the regulation. It’s also important that specific employees within the company are assigned the role of ‘data controller’. If in doubt, research the appropriate ways to collect and manage data.
- Consent requirements: When requesting consent to collect data from a consumer, the document must be easy to understand, include the name of the collecting company and any third parties, as well as why the data is being requested, what the company intends to do with it and for how long the data will be kept.
- Marketing to existing databases: Called ‘permission passing’, companies have been required to get their existing EU email database opted-in. Basically, this means getting explicit permission from consumers who are already signed up to a company’s marketing database in order to continue sending collateral post-GDPR implementation.
Simple steps to get in line with GDPR rules
With the GDPR already in effect, organisations have had to make substantial changes to how they manage and interact with data. Some of the most important steps businesses have taken include:
- Gaining explicit customer consent: It doesn’t matter what the business sells or promotes; if it houses data on customers, then it must get explicit consent to collect and use that data. An easy way to manage this in a GDPR-compliant world is to only collect data that is relevant. That means if a business doesn’t need to know a customer’s home address, then it should simply eliminate that prompt from its sign-up process.
- Auditing currently held data: If a business is unsure about what to do with the data it already has, an audit is an easy way to comply with GDPR rules. Australian companies must locate any and all identifiable information they hold on their customers and then seek customer consent to keep it. What’s relevant should be moved to a central repository, while the rest should be deleted immediately.
- Making accessibility easy: Consumers have the right to make what the GDPR terms a ‘subject access request’. This means Australian businesses must now be able to provide customers with a file that houses all the information they hold on them. If a company has data spread across multiple systems, it needs to ensure it has adequate technology to collect and collate that data into a single file.
- Beefing up security: Security breaches were a major – and common – issue in 2017, and that will continue to be the case in the years to come. To follow GDPR protocol, Australian businesses that store any amount of customer data need strong security systems in place to protect their internal data-holding systems, as well as train staff in best practices for organisational security.
- Allowing customers to be ‘forgotten’: In the coming months, more and more customers will realise they have the ‘right to be forgotten’. This means businesses must have a system in place where – upon a request to delete personal information – the company can move that data to a central environment where it can be easily and entirely removed.
Penalties for non-compliance
There are two penalty tiers for non-compliance with the GDPR:
- Lower level: Up to €10 million (AU$15.8 million) or 2% of worldwide annual revenue of the prior financial year, whichever is higher.
- Upper level: Up to €20 million (AU$31.6 million) or 4% of worldwide annual revenue of the prior financial year, whichever is higher.
It’s recommended that Australian business owners read up on the specific GDPR articles that carry these penalties if breached.
With a little time spent researching the specifics of the GDPR and how it relates to your company, Australian business owners need only follow standard principles to remain compliant – such as being transparent about the data being processed, being specific about how it will be used and keeping personal data secure. By remaining vigilant, Australian companies can rest easy knowing they can continue to thrive with European customers despite the new regulation.