Have you been getting an influx of GDPR emails into your inbox? You may be wondering what’s the go with this and whether it will affect your business. The answer is: maybe.
The GDPR (under EU law) applies to organisations located within the EU, but legally it will also apply to organisations located outside of the EU if that business offers goods or services to persons located within the EU (including via the internet) or if you monitor the behaviour of individuals in the EU. The intent and reach of these laws is significant enough to affect many Australian businesses, particularly those operating in the digital economy, and the privacy and data protection requirements generally represent a far higher expectation than the Australian Privacy Laws. This means that you should review any Australian agreements that relate in any way to the processing of data in or from the EU, to ensure compliance with the GDPR.
It won’t be surprising to see Australia eventually adopt a similar level of privacy protection, especially after the recent negative reports surrounding Facebook.
The best recommendation is to contact your legal advisor and invest the time in a review of your policies. At some point this will bite hard so it will pay to ensure compliance.
When Does GDPR Apply to an Australian Business?
If any one of the following applies to you, then you need to comply with GDPR or you risk facing fines (they are enforceable):
- You collect the email address of anyone in the EU
- You sell goods and/or services to citizens of the EU
- You ship to the EU
- You offer goods and/or services that are priced in Euros, British Pounds or Swiss Francs
- You market goods and/or services in any EU language (other than English)
- You have EU customer testimonials or refer to EU customers in any way on your website
- You have a company presence or company registered in the EU
- You process the personal data of EU citizens
- You monitor the behaviour of EU users (e.g. tracking cookies)
In addition to websites, the GDPR also applies to apps.
Key Issues to Address
Decide whether you want to or don’t want to comply with GDPR.
If you don’t want to comply:
- You will likely still need to clearly state that you do not market or sell to EU visitors or customers.
- Remove any mention of the EU on your website (e.g. EU customers, testimonials, EU pricing, EU languages other than English).
- Remove any option to ship to the EU & UK.
- Discourage EU & UK visitors from shopping on your site or signing up to an email newsletter.
If you do wish to comply:
- Have a clear notice regarding any cookies that collect identifiable data (with ability to opt-out).
- Check you are using best practices to store personal data (restricting admin access, logging access, using complex passwords, using SSL/TLS to encrypt data in transit, regularly purging expired data).
- Develop a security breach response plan.
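Three of the storage practices listed above (restricting admin access, logging every access, and purging expired data) shown as a small added Python example. This is illustration code written for this page, not code from the article or from any product; the one-year retention period, the role names and the sample records are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed retention period and role model; both are illustration values, not
# anything the article specifies.
RETENTION_PERIOD = timedelta(days=365)
ROLES_ALLOWED_TO_READ = frozenset({"dpo", "support"})


@dataclass
class Record:
    subject_id: str
    email: str
    last_activity: datetime  # timezone-aware UTC timestamp


@dataclass
class PersonalDataStore:
    records: Dict[str, Record] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def _log(self, now: datetime, actor: str, action: str,
             subject_id: str, outcome: str) -> None:
        # Every access attempt is recorded, including refused ones.
        self.audit_log.append(
            f"{now.isoformat()} actor={actor} action={action} "
            f"subject={subject_id} outcome={outcome}"
        )

    def add(self, record: Record, now: datetime) -> None:
        self.records[record.subject_id] = record
        self._log(now, "system", "add", record.subject_id, "ok")

    def read(self, actor: str, role: str, subject_id: str,
             now: datetime) -> Optional[Record]:
        # Restrict reads to approved roles and log the attempt either way.
        if role not in ROLES_ALLOWED_TO_READ:
            self._log(now, actor, "read", subject_id, "denied")
            raise PermissionError(f"role {role!r} may not read personal data")
        record = self.records.get(subject_id)
        self._log(now, actor, "read", subject_id, "ok" if record else "not-found")
        return record

    def purge_expired(self, now: datetime) -> List[str]:
        # Remove records inactive for longer than the retention period.
        cutoff = now - RETENTION_PERIOD
        expired = [sid for sid, r in self.records.items() if r.last_activity < cutoff]
        for sid in expired:
            del self.records[sid]
            self._log(now, "system", "purge", sid, "ok")
        return expired


def demo() -> dict:
    """Run the store over constructed sample data and return what happened."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    # Constructed sample records: one recently active, one inactive for two years.
    store.add(Record("s1", "active@example.com", now - timedelta(days=10)), now)
    store.add(Record("s2", "stale@example.com", now - timedelta(days=730)), now)

    purged = store.purge_expired(now)

    allowed = store.read("alice", "support", "s1", now)
    try:
        store.read("bob", "marketing", "s1", now)
        denied = False
    except PermissionError:
        denied = True

    return {
        "purged": purged,
        "remaining": sorted(store.records),
        "allowed_email": allowed.email if allowed else None,
        "denied": denied,
        "audit_entries": len(store.audit_log),
        "audit_log": list(store.audit_log),
    }


if __name__ == "__main__":
    for line in demo()["audit_log"]:
        print(line)
```

Running the block prints the audit trail: two additions, the purge of the stale record, a permitted read by the support role and a denied read by the marketing role. In a real system the audit log would go to append-only storage that the application's own admin accounts cannot edit, and the purge would run on a schedule rather than by hand.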
For more information on compliance check out the article here.