There is an ample of “scaremongering” in regard to the implication of GDPR in Australian businesses, and we want to clear this out.

The European Union General Data Protection Regulation (also known as GDPR) is a new piece of European Union (EU) legislation that comes into effect on 25 May 2018. The main aim of the GDPR is to protect the personal data of individuals based in the EU.

The key difference between the GDPR and most other national privacy laws, such as the Australian Privacy Principles (the APPs), is that the GDPR not only applies to businesses located within the geographical territory of the EU, but also to all businesses worldwide that collect the data of individuals based in the EU.

Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply. Penalties for breaching the GDPR can attract substantial fines – up to 4% of the offending business’ annual global turnover or €20 million (whichever is greater).

GDPR to apply for Australian businesses

If you operate a website in Australia and collect data about your users, the GDPR will apply to you if:

• your business is established in the EU, or
• you offer goods or services to EU-based individuals (free or paid), or
• you monitor EU-based individuals’ behaviour.

If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, then working out whether you “offer goods or services” to EU-based individuals is the most relevant question for you to address.

As most websites are accessible to a global audience, the GDPR is clear that the mere fact that EU-based individuals can access a website does not, in itself, indicate that the business is caught by the GDPR. The crucial factor is whether a business intends to offer goods or services to EU based individuals.

Factors that indicate an intention to offer goods or services to EU based individuals can be:

• using a European language on your website, or
• using a European currency on your website, or
• mentioning customers or users who are in the EU.

Business to be compliant with the GDPR

Becoming GDPR compliant may require that you tweak your IT systems, internal processes and legal documents. This is a guide only; your business may need to engage an IT lawyer to review your documents and processes. Below is a simplified guide to becoming GDPR compliant:

1. Make sure that your privacy policy is compliant with the GDPR
   Having a privacy policy that is compliant with the APPs is a good start but as the GDPR gives users broader rights (e.g. the APPs do not give individuals the right to ask for their data to be erased) your current privacy policy may need to be updated to cover the additional concepts introduced by the GDPR.
2. Update your processes and systems on your website
   Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you need explicit and unambiguous consent from a user when you process their data. It is therefore suggested that when you collect personal data, you also include a consent statement next to a “tick to accept” box to record a user’s consent to the collection of personal data.

Key takeaways

If you are collecting personal data and your business is (i) established in the EU, (ii) offers goods and services to EU based individuals, or (iii) monitors the behaviour of individuals in the EU, you need to comply with the GDPR. The road to compliance is different for every business depending on what personal data is collected and how, but a good start is to update your privacy policy and your privacy notices. If you are unsure if the GDPR applies to your business or you need help with drafting a privacy policy, it is recommended that you ask an IT lawyer with specialist knowledge in privacy law for help.