What the GDPR means for Australian Business and Website Owners
If you are a business owner or corporation in Australia, you have no doubt been alerted to the introduction of the General Data Protection Regulation (GDPR) which was first proposed in 2012 and officially implemented on the 24th of May 2018 in an effort to create consistent data privacy laws in the EU member states.
There is a stack of information out there about the requirements, the possible repercussions of not complying with the regulation, what you as a business owner needs to do… the list goes on and on!
So, we’ve broken it all down so it’s a bit easier to understand what’s going on.
What is the GDPR?
As previously mentioned, GDPR stands for General Data Protection Regulation and was introduced by the EU with the intent to ensure there is accountability from businesses when it comes to data handling and the sharing of information on their users/clients.
What does the GDPR have to do with Australian companies?
The Australian Government has issued the following statement in regards to GDPR compliance:
From 25 May 2018 Australian businesses of any size may need to comply with the GDPR if they
- have an establishment in the European Union (EU),
- if they offer goods and services in the EU, or
- if they monitor the behaviours of individuals in the EU.
Even if you don’t actively market or sell to countries in the EU, as mentioned in the first two points, the third point may still apply to your business, and specifically your website.
If your website is accessed by someone in the EU and they proceed fill out your contact form, sign up for your newsletter or otherwise provide any personally identifiable information, they may be under the protection of the GDPR.
What does my business need to do accommodate the requirements for the GDPR?
Irrespective of how big or small your company is, if you are collecting personal data from users who are accessing your website from the EU (yes that includes your database for your EDM), you should get a few things in place. Whilst initially it may be time consuming to research and implement the required changes, if systems are put in place properly the first time, it will prevent confusion and possible penalties in the future. Some tips include:
- Educate your team so everyone is aware of what to look for and what systems are being put in place throughout the business.
- Categorise your data and determine which data is impacted by the GDPR guidelines.
- Add consent check boxes to your website’s contact and newsletter signup forms
- Review contracts of third-party vendors to ensure they are adhering to GDPR guidelines if data is being shared.
- Allow customers and /or users to request that all their data be provided to them or deleted.
What happens if I don’t comply with the GDPR?
The extent to which the GDPR enforcement authority will actively pursue or persecute Australian businesses in breach of the regulations is unknown at this point. However, the large potential fines (0.4% of annual turnover or up to US$20M) and the fact that ultimately it is a positive step for personal privacy means there is no reason not to be pro-active about complying with the regulation. It’s also a great excuse to update your privacy policies.
Why do we need a GDPR?
The GDPR was instigated to protect internet users from the unauthorized access and use of personal information and data. This is to protect data and personal information from being used without permission by third parties in addition to protecting users from fraudulent activities such as those activities listed below:
Phishing is a type of fraud whereby someone sends you an email, posing as a Bank or another trusted company, in an attempt to acquire your username, password, credit card details or other personal information. These deceptive messages often mimic legitimate and trusted organisations, like banks or goverments, and can be sent via email, SMS, instant messaging or social media platforms. The purpose of these emails is to mislead you into clicking on links to a fake website where you are encouraged to enter confidential details or you may accidentally download a ‘Trojan’ or ‘key logging’ program, which could compromise your security.
Trojans are malicious software programs that are inserted into a computer system for the purpose of causing harm, such as stealing personal and financial information.
Scams and spam
Electronic junk mail is commonly known as spam. These are electronic messages you haven’t signed up for that are sent to your email account, mobile phone number, or instant messaging account. The content of spam messages varies. Some messages promote authentic products or services, while others will attempt to mislead you into following a link to a scam website where you will be asked to enter your bank account or credit card details.
If you would like more information on what updates are required on your website to ensure the GDPR is being addressed and properly adhered to, contact our Shared Marketing office for more details.
DISCLAIMER: We are not lawyers, so please do not take this article as legal advice in any way. Many aspects of the GDPR are subject to interpretation, we would advise that you consult with your lawyer if you would like to be sure that your business and website are compliant and have taken the necessary steps to adhere to the GDPR.