While Europe might seem a world away, the European Union’s new General Data Protection Regulation (GDPR) privacy rules are beginning to really hit home for Australian companies. To make it easy on you, this post will explain the implications of GDPR in Australia.
GDPR, which came into effect in May 2018, aims to standardise data privacy laws across Europe, ensuring that personal data is handled more securely. It’s specifically intended to protect EU citizens who, let’s face it, live everywhere — including Australia.
Regardless of where your business is based, if you handle or collect data on even one EU citizen, you must comply with the GDPR law.
The new laws don't just affect those selling goods or services in Europe; they apply to any company around the world that is "processing and holding the personal data" of EU citizens. This includes European visitors to your website, as GDPR builds on the EU Cookie Law, which allows visitors to opt in or out of having cookies active when browsing the web.
This law has teeth
It's important for every business to understand its obligations under GDPR, as fines for failing to abide by the law amount to up to two percent of an organisation’s annual turnover or €10 million, whichever is higher. This rises to four percent of turnover or €20 million, whichever is higher, for loss of people’s personal data.
The new rules come as Australia strengthens its own privacy laws, including the new Notifiable Data Breach scheme, which applies to Australian businesses with a turnover of more than $3 million. Failure to comply can result in a maximum penalty of $420,000 for individuals and $2.1 million for organisations.
Who and what is affected by GDPR?
If you're already complying with Australia's Privacy Act then you've laid the groundwork to comply with GDPR, although the EU laws cover more areas and apply to a wider range of organisations.
GDPR applies to every business, regardless of size or turnover. Those with fewer than 250 employees must keep records of data processing activities.
Those with more than 250 employees must keep much more detailed records, although this extra burden can also fall on some small businesses if they are dealing with highly sensitive information.
A wide range of identifiers can be classified as personal data under GDPR, including:
- Name.
- Identification number or online identifier.
- Location data.
- Details of the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
GDPR also adds additional protections to "special categories" of personal data, including:
- Racial or ethnic origin.
- Religious or philosophical beliefs.
- Sex life and sexual orientation.
- Political opinions.
- Trade union membership.
There are also special protections for the handling of genetic and biometric data for identification purposes.
Which rights does GDPR uphold?
GDPR breaks down into five key areas, all related to the individual’s personal data. Under this law, EU citizens are entitled to:
Right to access
GDPR gives EU citizens the right to request access to the data you hold on them, which you must deliver within 40 days.
Right to limit processing
Users can object at any time to the processing of their personal data, including for profiling purposes.
Right to data portability
Users must be able to export the data you hold on them and transfer it elsewhere. This means that you need to be able to hand over that data in a commonly used, machine-readable format.
Right to be forgotten
You must comply with user requests to completely erase any data you hold on them. This includes informing third-party processors of the request and removing all copies of that user’s data.
Obligation to report data loss
As the data controller, you have an obligation to report breaches within 72 hours of becoming aware of the incident, unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals. Your data processors must notify you, as the controller, of a breach "without undue delay."
These requirements affect all the data your business collects and handles, including when people visit your website.
Some of this data might be handled by third parties, such as cloud service and storage providers. But this doesn't let you shirk your GDPR responsibilities.
You are still the "controller" of that data under the law and will be held liable for infringements along with the "processor" of the data, such as a cloud service provider.
Your business, as the controller, must only partner with processors who provide sufficient guarantees that they are compliant with GDPR. This relationship needs to be set out in a contract, which must include a clause that forbids the processor from engaging another processor — thus sharing the data you collect — without your authorisation.
The burden of explicit consent
GDPR also requires that users consent to the collection and handling of their personal data, including "explicit consent" for those special categories of personal data. This might require changes to your privacy policy as well as your sign-up process and terms and conditions.
Pre-ticked boxes as part of a sign-up process are not considered adequate consent under GDPR, nor is bundling multiple consent requests where separate consents are more appropriate in the circumstances.
You must also inform users of their right to withdraw their consent, and then make the process of withdrawing consent as easy as the process of granting it.
Not only does your business need to be in compliance with GDPR, you must be able to demonstrate that compliance. This includes implementing technologies and policies around data protection and data management.
Editor’s note: GoDaddy Email Marketing complies with GDPR and Australia’s Privacy Act, including a signup form that defaults to double opt-in and an unsubscribe link that’s automatically added to every email you send.
Stay on the right side of GDPR Australia
Just as with Australia's Privacy Act, local businesses can't afford to ignore the European Union’s new General Data Protection Regulation.
Building on Australia's privacy rules, GDPR insists that EU citizens have the right to access the data you hold on them, limit the processing of that data, export it and request that it be deleted. Along with these rights, there's an obligation that your business notify authorities of any data breach within 72 hours.
Abiding by these laws requires getting your house in order: understanding the data that your business holds and how that data is used. This includes working with your third-party suppliers, such as cloud services, to make sure they are also compliant. At the end of the day you're still responsible for that data under GDPR. Stay compliant!