- You need to be aware of the EU GDPR
- Your company is potentially impacted by this even though you are located in Australia
- The potential fines for breaches are huge
- You need to think privacy first
Europe has historically been far more privacy conscious than the US, Australia and many other regions. The European Union (EU) has developed new legislation called the General Data Protection Regulation (GDPR) that has the potential for significant impacts on companies across the world, including Australia.
The GDPR legislation is due to come into effect on May 25, 2018. It is similar to the privacy legislation in Australia, but the potential fines are far more significant, with a maximum fine of $20 million or 4% of global turnover, whichever is greater.
This legislation provides very strict rules about how data is treated when it concerns citizens of the European Union and includes rights such as:
- Right of Access
- Right to Rectification
- Right to Erasure, and
- Right to Data Portability
You might think that this is only relevant for businesses located in Europe. Unfortunately, this is incorrect. The legislation has significant potential to impact Australian businesses, as it states that it applies wherever the entity offers goods and services to EU residents, or monitors EU residents’ behaviour.
From the page at https://www.gdpreu.org/the-regulation/who-must-comply/ the following is offered as guidance on whether a business must comply with the GDPR.
May be insufficient evidence
- The firm’s website is accessible to EU residents
- The firm’s email or other contact details are accessible to EU residents
- The firm is located in a non-EU state that speaks the same language as an EU state
May be sufficient evidence
- The firm markets its goods and services in the same language as that which is generally used in an EU member state
- The firm lists prices in EU member state currencies (the Euro, British pound sterling, Swiss franc, etc.)
- The firm cites EU customers or users
Based on this, the key risk areas for Australian businesses are where they offer information in the languages of EU countries, list pricing in Euros, Swiss Francs, etc., or where customer testimonials or similar refer to EU residents.
A typical example of where a company may unwittingly be exposed to the requirement to be compliant under the GDPR is displaying prices on its website in the local currency of EU customers.
Additionally, an explicit statement that your company ships to EU countries may also mean that you need to comply with the GDPR.
One way that you can quickly check how many visitors your website receives from EU countries is to use the Google Analytics geographic reports.
A lesser-known potential risk is that companies can initiate action against other companies under the GDPR. This opens the risk that competitors could use this legislation as a way of causing damage to your business.
What should you do?
Australia already has a Privacy Act that provides some of these rights; however, the EU GDPR includes additional rights that are not covered under the existing Australian Privacy Act.
| Right | Australian Privacy Act | GDPR |
|---|---|---|
| Right of Access | Y | Y |
| Right to Rectification | Y | Y |
| Right to Erasure | N | Y |
| Right to Data Portability | N | Y |
At a high level there are two key areas that Australian businesses will need to work on to be compliant with the GDPR requirements. These are the right to erasure and the right to data portability.
If you are already compliant under the Privacy Act, then you may already have the processes in place to satisfy the requirements of the GDPR. However, if an EU citizen requests that you supply all of their data so that they can take it to another provider, this may present some difficulties for your company. Also, the right to be forgotten and to have their customer data erased can present significant challenges to your business.
At the very least, your company should document the data it collects on its customers and implement processes to meet the GDPR obligations. This will require conducting audits of the data that is collected, why it is collected, where it is stored and how it should be treated.
Data dictionaries, documentation and governance frameworks are now far more important to Australian businesses, and the time to act is now.
If you would like to discuss how the GDPR potentially impacts your company or would like an assessment of your digital analytics data please contact us.
For further details on the GDPR please visit https://www.gdpreu.org/