Posted by Minna Boyle on 15 March 2019
At the start of 2018, your inbox was probably getting flooded with emails from companies updating their Privacy Policies for the GDPR.
The General Data Protection Regulation (GDPR) is a European Union law that came into effect in May 2018.
Why is this such a big deal?
It’s because the GDPR introduced changes to EU privacy laws that impact businesses all around the world.
Any data collected from a customer in the EU is now protected under the GDPR. It doesn’t matter where the data is processed – even Australian businesses with EU customers have to comply.
If you’re worried about how the GDPR could impact your Australian business, check out our 5 quick tips for GDPR compliance.
Privacy Law in Australia
Before getting to the European laws, it’s important to remember that Australia also has privacy laws that Australian businesses must comply with.
The Australian Privacy Principles are quite stringent, but there are some extra considerations under the GDPR. We’ll take you through these differences in this article.
It’s also important to bear in mind that the GDPR is a complex regulation with many different requirements. It’s not possible to follow these 5 tips and know you are 100% compliant.
These tips are designed to help you address some of the most common changes Australian businesses need to make to get in line with the GDPR – if you need further compliance advice you should speak to a European lawyer.
Now let’s look at our 5 quick tips for GDPR compliance.
Once you get this first step out of the way, you’ll be well on the right track.
Know About ‘Personal Data’ Under The GDPR
The types of personal information protected by the GDPR are more extensive than under Australian privacy law. You need to know what data is protected.
Under the GDPR, ‘personal data’ includes:
- Email address
- Phone number
- Mailing address
- Identifying numbers (e.g. bank account number)
- IP addresses
- Biometric data (e.g. fingerprints)
- Mobile device identifiers
- Behavioural and demographic profiling data
Get A Cookie Pop-Up
One easy step in the right direction is to add a cookie information pop-up to your website.
This should include a link to your cookies policy outlining exactly what information you collect from your website visitors. You can check out cookie-script.com for a free and simple solution.
Know About ‘Consent’ Under The GDPR
The GDPR has strict requirements for what it means for people to consent for their personal data to be collected.
Some of these are:
- “Opt-in” requirement: If you give customers a check-box option to receive more communications from you, make sure you leave the box unchecked. They have to actively give their consent by checking the box themselves.
- “Obvious” requirement: Make sure your requests for consent are not hidden or ambiguous. Using a pop-up on your homepage is a good option.
Store Your Data Properly
It’s a smart idea to clean up and invest in your data storage systems. You should try to find a good, secure CRM that can make sure your data storage is compliant.
At any time, you need to be able to confirm the following:
- The personal data you’re holding is secure.
- If necessary, you could find and access one person’s data in every place it’s stored.
This might sound pretty intense for a lot of small businesses. The reason for taking these measures is that under the GDPR, EU citizens have extra rights in relation to how and where their personal data is stored.
Subject Access Request
EU customers have the right to ask businesses how, why and where their personal data is being used. They can also request that this data be deleted immediately, and the business must comply with this request.
If an EU customer asks you how, why and where their personal data is being used, you must provide them with an honest response, along with a copy of their personal data in an electronic format – free of charge.
To save time and stress, it’s smart to have a process in place for this situation. Preparing a template document in advance that outlines to the customer all the ways your business uses the personal data it collects is a good start.
The Right To Be Forgotten
If an EU customer asks you to delete their data, you must immediately delete the customer’s data from everywhere it is stored or used in your business.
This can be quite onerous – it’s not just your CRM or other databases. It’s all possible places that customer data could exist, including cookies, documents and archived emails.
Having a secure, centralised system for holding customer information can make it easier to locate all customer data at any time as needed.
There are serious fines and other penalties for non-compliance with these requirements.
What To Take Away…
These days, it’s important to take privacy law seriously, particularly as an online business – or any business with a website.
If you’re based in Australia, make sure you comply with the Australian Privacy Principles. However, given that the internet allows you to have customers and users from around the world, sometimes you need to consider foreign laws too – like the GDPR.
And remember – if you’re unsure about your GDPR compliance, you should get advice from a qualified, European lawyer.