On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) became enforceable. It sets stringent rules for how businesses collect, process and store the personal data of people in the EU. Why should anyone in Australia be concerned?
According to the European Commission website, the law applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.
That means that if your business has a presence in the EU, offers goods or services to people in the EU, or tracks their behaviour online, it may be subject to the GDPR. Note that the test is where the individual is, not their nationality: an Australian customer who is in the EU is covered, while an EU citizen living in Australia generally is not. Even so, the catchment area is quite wide for any business with international customers.
The legislation was introduced in response to repeated large-scale data breaches and misuse of personal data by major institutions, which put the safety and privacy of ordinary customers at risk. It requires organisations to be more diligent and accountable with personal data, backed by very hefty fines for non-compliance: up to €20 million or 4% of annual worldwide turnover, whichever is higher.
Under the new rules, individuals have more control over their personal data, including the right to access it, correct it, have it transferred to another provider (data portability) and have it erased.
While only organisations outside the EU that meet the tests above are currently affected by the GDPR, there is speculation that more countries will eventually adopt similar rules.
Meanwhile, Australia's Privacy Act 1988 and the Australian Privacy Principles already overlap with many of the GDPR's provisions, so a business that complies with them is part of the way there.
Two of the GDPR's lawful bases for processing personal data deserve the attention of every business owner.
The first is consent. To be valid, consent must be freely given, specific, informed and unambiguous; it must be shown by a clear affirmative action (pre-ticked boxes and silence do not count); the organisation must be able to demonstrate that it was given; and it must be as easy to withdraw as it was to give.
The second is “legitimate interest”. This does not mean that the customer has shown interest in your organisation. It means the processing is necessary for a genuine interest of your organisation (or a third party), and that this interest is not overridden by the individual's own interests, rights and freedoms. Record that balancing assessment so you can demonstrate it if asked.
Both are directly relevant to building email marketing lists and customer databases.
You may have received emails recently from a number of institutions advising you of updated terms and conditions and requesting your explicit consent for them to have and use your data. That’s GDPR in action.
Please note that the information given here is incomplete and should not be considered official advice.
For detailed, verified information visit the official websites listed below or consult a professional.
Office of Australian Information Commissioner – GDPR in Australia
Office of Australian Information Commissioner – Privacy Laws
European Commission – GDPR