Most businesses or organisations with a website collect personal data about their visitors. The way in which Australian businesses can collect personal data is about to dramatically change with the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) on 25 May 2018. This article acts as a guide for whether your business needs to comply with the GDPR.
What is the GDPR?
The GDPR aims to protect the personal data of individuals based in the EU. The main difference between the GDPR and the Australian Privacy Principles (APPs) is its scope of application. The GDPR applies not only to businesses located within the EU, but also to all businesses (wherever they are located) that collect personal data from individuals based in the EU. Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply.
Additionally, breaches of the GDPR can attract substantial fines – up to 4% of a business’ annual global turnover or €20 million (whichever is greater). Therefore, it is important to ensure compliance.
Does the GDPR Apply to My Australian Website?
The GDPR will affect your website and your collection of personal data if your business:
- is established in the EU;
- offers goods or services to EU-based individuals (free or paid); or
- monitors EU-based individuals’ behaviour.
If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, you should work out whether you offer goods or services to EU-based individuals. However, as most websites are accessible to a global audience, the mere fact that EU-based individuals can access a site does not, by itself, mean that the GDPR applies. It depends on whether your business intends to offer goods or services to EU-based individuals.
For example, factors that indicate an intention to offer goods or services to EU-based individuals can include:
- using a European language on your website;
- using a European currency on your website; or
- mentioning customers or users who are in the EU.
Ultimately, if you tailor your website, marketing or any other aspect of your business to attract and sell to individuals based in the EU, then your business must comply with the GDPR.
Compliance with the GDPR
To comply with the GDPR, you may need to tweak your IT systems, internal processes and legal documents. Accordingly, it is best practice to have a lawyer review your business documents and methods. To comply with the GDPR, you should:
- Update your processes and systems on your website
Your business must comply with the GDPR if you collect personal data and your business:
- is established in the EU;
- offers goods or services to EU-based individuals; or
- monitors the behaviour of individuals in the EU.