Since the EU’s GDPR (the European Union’s General Data Protection Regulation) came into force in late May 2018, there has been a lot of concern and confusion among Australian businesses about how it might affect them. Most of these companies were already subject to Australian privacy law to begin with, and it can be difficult to distinguish between the two regimes.
What is GDPR?
Let’s start with what GDPR actually is. Generally speaking, it is a “new” EU regulation that governs the protection and privacy of people’s personal data. It regulates the handling of EU individuals’ personal data through its entire lifecycle, from collection to deletion.
This definition makes GDPR seem relatively similar to two of the Australian privacy laws:
- Australian Privacy Principles;
- Australian Privacy Act 1988 (both regulate the collection, use and disclosure of “personal information”, although their definition of that information differs somewhat from GDPR’s definition of personal data).
Despite the obvious similarities in intent and definitions, GDPR is still considered one of the broadest pieces of data privacy and security legislation in the world.
Australian businesses and GDPR
The scope of GDPR’s influence is much wider than most companies think. Even if it does not apply to you directly, it may still regulate your customers and suppliers, who will change their policies accordingly.
This is why GDPR contains specific terms for companies that process personal information on behalf of others. In practice this means that your corporate customers, rather than the regulator, will add a clause to their contracts with you requiring you to comply with GDPR’s rules, or some variation of them. Your enterprise service providers fall within the compliance range as well, since they may store and process your customers’ personal information.
All of this means that if you want to keep your existing EU customers, or acquire any in the future, you will have to start working on your GDPR compliance. The same applies to your subcontractors and your contracts with them if they process your customers’ personal information in any way.
Differences between GDPR and Australian Privacy Law
If you are complying with GDPR, you are bound to encounter a substantial overlap between GDPR and Australian Privacy Law. For example, the general principles of transparency, restrictions on use, security obligations and so on can be found in both GDPR and Australian Privacy Law. Both also require the “privacy by design” principle to be implemented.
But there are some key differences as well. One of the biggest is GDPR’s distinction between “processors” and “controllers”. “Processors” are companies that process information on behalf of someone else, usually under a legal contract; their obligations under GDPR are comparatively limited. “Controllers”, on the other hand, are the entities responsible for ensuring GDPR compliance, whether they handle personal data themselves or use a “processor”. In short, “controllers” are the ones who decide why personal information is collected and/or processed, and GDPR regulates them much more heavily than anything in the Australian Privacy Law does. Here are some of the key differences between GDPR and Australian Privacy Law:
- Additional rights for individuals with regard to their personal data. While Australian law already covers the rights of access and correction, GDPR adds several more, such as the right to data portability, the right to have your data erased, and so on.
- Consent is harder to obtain. Under Australian regulations, consent can be implied. GDPR, on the other hand, requires either a clear affirmative action or a statement.
- Additional appointments. Under GDPR you might need to appoint a representative established in the EU, and you will also need a Data Protection Officer.
- “Lawful basis”. Any data controller under GDPR must ensure that its handling of individuals’ personal information rests on a “lawful basis”, which can be one of a number of grounds ranging from consent to the necessity of protecting vital interests, contractual obligation and so on.
- Data breach requirements. GDPR compliance means that a company has to report a wider range of data breaches and has much less time than before in which to do so.
Do Australian businesses need to do anything?
The first and most important question to ask yourself is whether you are actually processing any EU citizens’ data. If the answer is “yes” in any form, then you fall within GDPR’s scope and you should start working on compliance.
There are eight general steps that you can start with:
- Audit all of the personal information you currently hold, who can access it and where it came from;
- Review your data collection methods in general;
- Make sure that personal data is well protected;
- Share information about GDPR compliance with the key people in your organisation; ignorance is no excuse under GDPR;
- Delete outright any personal data you hold without a lawful basis, as well as any parts of it you don’t need;
- Take the time to review your third-party providers and whether they are prepared for GDPR at all.
Digital marketing and GDPR in Australia
There are also some specific considerations to keep in mind when it comes to digital marketing. They can be split into four categories:
- Newsletter subscriptions. Don’t add people to your database without their specific agreement. If you have already done so, look for a way to obtain legal consent or remove their data, and don’t misuse the personal information of people who only subscribed to the newsletter.
- Ecommerce transactions. You have to collect people’s information to fulfil their orders, but don’t add individuals to your email marketing list just because they placed an order; that is a direct breach of GDPR.
- Analytical data. This area is somewhat uncertain, since there is no clear confirmation that web analytics in general counts as a “legitimate interest” and is therefore safe from GDPR ramifications. So far it seems that as long as you are not collecting PII with Google Analytics, it is a “legitimate interest”, but more in-depth features such as remarketing lists should require consent before you can legitimately turn them on. All in all, you should tell people that you are collecting their data for website analytics and make sure that no PII is collected in any way, whether via URL parameters, page titles or anything else.
What are Cipherpoint customers doing about GDPR?
While GDPR is relatively new to businesses that have been operating for decades, there are some things that companies are doing universally to keep themselves GDPR-ready:
- It is always important to learn as much about the topic as you possibly can, especially when the topic is as sensitive as GDPR. There are many articles on the subject, as well as the official GDPR resources with the necessary information.
- Email database segmentation is very useful for companies that operate in multiple countries worldwide, and that includes Australian businesses. It allows companies to address EU subscribers directly.
- Contacting your EU subscribers to explain what you are doing about GDPR is also a good idea, whether in your regular monthly updates or in a separate GDPR-related notice.
- Check with your third-party collaborators to make sure they are GDPR-compliant as well.
- Transparency in these matters is extremely important, not least because it is part of the regulation itself.
It has been a while since GDPR came into effect, but there are still many businesses that are unclear about whether they fall under GDPR and that have not taken any action towards it. Companies are strongly recommended to cover at least the bare minimum for GDPR and to understand what data they hold and where, so that they can respond to requests from EU citizens. Fines for GDPR violations are substantial: up to 4% of annual revenue or up to €20.000.000, whichever is higher.
It is never too late to comply with both GDPR and Australian Privacy Law, so now is the time to audit your organisation with regard to the personal data you work with, where that data resides and what protections are in place. Here are some general principles that Australian businesses have to keep in mind with regard to GDPR:
- Data collection must be lawful, and data processing transparent;
- Don’t collect more data than you need;
- Make sure all of the personal data you obtain is kept secure;
- Specify the purposes for the data you hold and use that data only for those exact purposes;
- Demonstrate your understanding of, and compliance with, GDPR’s principles;
- Don’t keep personal data longer than necessary;
- Keep personal data accurate and up to date.
It is also worth noting that this article should by no means be regarded as professional legal advice; a company with more specific questions about GDPR compliance in Australia should always consult its in-house or external legal counsel.