Most businesses or organisations with a website collect personal data about their visitors. The way in which Australian businesses collect personal data changed with the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) on 25 May 2018. This article explains the GDPR and whether your business needs to comply with the GDPR.
What is the GDPR?
The GDPR aims to protect the personal data of individuals based in the EU. The main difference between the GDPR and the Australian Privacy Principles (APPs) is its application. The GDPR not only applies to businesses located within the EU, but also to all businesses (wherever they may be located) that collect personal data from individuals based in the EU. Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply.
Additionally, penalties for breaching the GDPR can attract substantial fines – up to 4% of a business’ annual global turnover or €20 million (whichever is greater). Therefore, it is important to ensure compliance.
Does the GDPR Apply to My Australian Website?
The GDPR affects your website and collection of personal data, if your business:
- is established in the EU;
- offers goods or services to EU-based individuals (free or paid); or
- monitors EU-based individuals’ behaviour.
If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, you should work out whether you offer goods or services to EU-based individuals. However, as most websites are accessible to a global audience, the mere fact that EU-based individuals can access a site does not, by itself, indicate that the GDPR is applicable. It depends on whether your business intends on offering goods or services to EU-based individuals.
For example, factors that indicate an intention to offer goods or services to EU-based individuals can include:
- using a European language on your website;
- using a European currency on your website; or
- mentioning customers or users who are in the EU.
Ultimately, if you tailor your website, marketing or any other aspect of your website to attract and sell to individuals based in the EU, then your business must comply with the GDPR.
Compliance With the GDPR
To comply with the GDPR, you may need to tweak your IT systems, internal processes and legal documents. Accordingly, it is best practice to have a lawyer review your business documents and methods. To comply with the GDPR, you should:
- Update your privacy policy
Having a privacy policy that is compliant with the APPs is a good start. However, as the GDPR provides individuals with additional rights, you may need to update your current privacy policy. - Update your processes and systems on your website
Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you must have a lawful basis for processing the personal data. For example, obtaining consent for collecting personal data is one of the six lawful bases. To obtain consent, you can include a consent statement and a link to your privacy policy next to a ‘tick to accept’ box.
Key Takeaways
Your business must comply with the GDPR if you collect personal data and your business:
- is established in the EU;
- offers goods and services to EU based individuals; or
- monitors the behaviour of individuals in the EU.
Ultimately, compliance depends on what personal data your business collects and how your business collects it. If you need help putting effective cybersecurity measures in place, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 258 4780 or visit our membership page.
We appreciate your feedback – your submission has been successfully received.
