Understanding GDPR compliance for Australian Business in under 10 Minutes
On 25 May 2018 the European Union (EU) brought into force a new data-protection regulation, the General Data Protection Regulation (GDPR), that affects not only European countries but businesses in every country in the world. A few months on, there is still a fair amount of confusion in the Australian digital community about four primary questions:
- What is the GDPR all about?
- Which Australian businesses are affected by the regulation, and how can I tell if mine is?
- For those businesses the regulation applies to, what changes need to be made in order to comply?
- What are the consequences of non-compliance?
This blog aims to clear up the confusion surrounding the new regulation and lay out the primary talking points for businesses around Australia, so that everyone understands the possible influence the GDPR may have on their business.
1. What is the GDPR all about?
There is a very long list of specifics in the GDPR, but to keep things brief we are only going to touch on the most important considerations for Australian businesses. The GDPR was implemented by the European Union to protect people in the EU and give them control over where, when and why their personal data can be stored and used by businesses online. The vast majority of websites collect user data to understand user experience, track returning visitors and inform business decisions; that data is often assumed to be anonymous, but under the GDPR online identifiers such as IP addresses and cookie IDs are treated as personal data. There are also businesses that operate purely in the digital space by collecting this data and distributing it to other businesses. The new regulation forces online organisations to change how they do analytics and tracking so that users in the EU get a genuine choice about whether their information is stored and used by each website and business they visit.
The GDPR grants individuals (data subjects) a set of rights that every organisation in scope must be able to honour. The eight most commonly cited are:
- The right to access personal data;
- The right to be forgotten;
- The right to data portability;
- The right to be informed;
- The right to have information corrected;
- The right to restrict processing;
- The right to object; and
- The right to be notified (of a data breach that is likely to put them at high risk).
2. Which Australian businesses are affected by the regulation? How can I tell if my business is affected?
The GDPR does not only affect businesses operating in the EU. It can apply to any business outside the EU that sells to, or tracks the data of, European digital visitors, regardless of whether your business has 10 or 10,000 employees. Specifically, Article 3(2) of the GDPR extends it to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour, and web analytics and tracking cookies count as monitoring. So if your site tracks its visitors and some of those visitors are in the EU, you should assume the regulation applies to you.
If you are unsure whether the regulation applies to you and your business currently has an analytics platform in place, you can easily check whether there have been any visitors to your site from Europe using geographic data filters. Have a look at your previous data (we recommend covering at least a year of data, or even further back just to be sure).
If you're using Google Analytics, you can follow these steps to easily check whether you are gathering European user data:
- Select the "Audience" section on the left side of Google Analytics and go down and select the "Geo" tab.
- Next, select "Location" and use the primary dimension selection of "Continent".
- Now, if any users are listed next to "Europe" under the "Acquisition" column group, you have visitors reaching your site from Europe, and you should treat the GDPR as applying to you. Note that the "Europe" continent bucket also includes countries outside the EU, so switch the primary dimension to "Country" if you want to see exactly where those visitors are coming from.
If you do not have an analytics platform in place, give us a call to discuss how you can get one. Otherwise, figuring out whether you have European visitors is a bit of a guessing game. You will need to consider whether any of your company's website or online offerings have components targeted at, or attractive to, audiences from Europe. Be aware that many websites do not intend to draw in visitors from overseas but do so anyway, often because their business name or offerings resemble those of businesses overseas. You also need to consider how easy it is to browse the internet from anywhere in the world and land on pages from other countries. We recommend that all businesses become compliant if there is any inkling that they may be attracting European visitors.
3. For those businesses that the regulation applies to, what are the required changes that need to be made to be compliant?
There are a number of actions that will have to be completed in order to keep your company compliant with the GDPR's requirements. Firstly there is the issue of privacy policies. These will need to be updated to give users genuine transparency into why and how your company is collecting their data. At a minimum that means stating who is collecting the data, what data is collected, why and on what legal basis, who it is shared with, how long it is kept, and how users can exercise their rights. Here's a good example of a structure that clearly addresses what the GDPR states companies need to clarify with their users:
Next, your users need to be aware that they have control over their data and can access or delete the data your business holds at any time. This means users should have easy access to any accounts they create and be able to edit or delete any information they previously provided. Requests to access or delete data have to be actioned without undue delay and in any event within one month, so make sure you have a process for handling them, including data held with third-party services you use.
These are the primary changes that need to be made, although there are some other considerations. You can give us a call to discuss these more, or even check out this blog that delves into it a bit deeper.
4. What are the consequences of non-compliance?
The GDPR provides for fines for non-compliance of up to €20 million or 4% of the company's total worldwide annual turnover, whichever is higher (a lower tier of up to €10 million or 2% applies to some infringements). Fines are decided on a case-by-case basis, taking into account criteria such as whether the infringement was intentional or negligent, how many users were impacted, and whether there have been any previous infringements. Separately, a personal data breach generally has to be reported to the relevant supervisory authority within 72 hours of becoming aware of it, so it is in your best interest to make sure your business's data retention and processing practices are compliant before anything goes wrong.
We hope this blog was informative and cleared up some of the confusion surrounding the influence of the GDPR in Australia. If you would like to chat more about the GDPR or ways that we can help your business be compliant, get in contact with us today.