Most businesses or organisations with a website collect personal data about their visitors. The way in which Australian businesses can collect personal data is about to dramatically change with the introduction of the European Union’s (EU) General Data Protection Regulation (GDPR) on 25 May 2018. This article acts as a guide for whether your business needs to comply with the GDPR.

What is the GDPR?

The GDPR aims to protect the personal data of individuals based in the EU. The main difference between the GDPR and the Australian Privacy Principles (APPs) is its scope of application. The GDPR not only applies to businesses located within the EU, but also to all businesses (wherever they may be located) that collect personal data from individuals based in the EU. Unlike the APPs, the size of your business is not a relevant factor in determining whether you need to comply.

Additionally, penalties for breaching the GDPR can attract substantial fines – up to 4% of a business’ annual global turnover or €20 million (whichever is greater). Therefore, it is important to ensure compliance.

Does the GDPR Apply to My Australian Website?

The GDPR will affect your website and collection of personal data, if your business:

  • is established in the EU;
  • offers goods or services to EU-based individuals (free or paid); or
  • monitors EU-based individuals’ behaviour.

If you do not have an office or branch in the EU and you do not monitor individuals based in the EU, you should work out whether you offer goods or services to EU-based individuals. However, as most websites are accessible to a global audience, the mere fact that EU-based individuals can access a site does not, by itself, indicate that the GDPR is applicable. It depends on whether your business intends to offer goods or services to EU-based individuals.

For example, factors that indicate an intention to offer goods or services to EU-based individuals can include:

  • using a European language on your website;
  • using a European currency on your website; or
  • mentioning customers or users who are in the EU.

Ultimately, if you tailor your website, marketing or any other aspect of your business to attract and sell to individuals based in the EU, then your business must comply with the GDPR.

Compliance with the GDPR

To comply with the GDPR, you may need to tweak your IT systems, internal processes and legal documents. Accordingly, it is best practice to have a lawyer review your business documents and methods. To comply with the GDPR, you should:

  1. Update your privacy policy
    Having a privacy policy that is compliant with the APPs is a good start. However, as the GDPR provides individuals with additional rights, you may need to update your current privacy policy.
  2. Update your processes and systems on your website
    Ensure that the privacy notices on your website are visible to your users every time that you collect personal data from them. Under the GDPR, you must have a lawful basis for processing the personal data. For example, obtaining consent for collecting personal data is one of the six lawful bases. To obtain consent, you can include a consent statement and a link to your privacy policy next to a ‘tick to accept’ box.

Key Takeaways

Your business must comply with the GDPR if you collect personal data and your business:

  • is established in the EU;
  • offers goods and services to EU-based individuals; or
  • monitors the behaviour of individuals in the EU.

Ultimately, compliance depends on what personal data your business collects and how your business collects it. It also depends on whether your business intends to offer goods or services to EU-based individuals. If your business does need to comply, it is a good idea to update your privacy policy and business practices to ensure compliance and avoid facing significant fines.

If you have any questions, are unsure whether the GDPR applies to your business or need assistance updating your privacy policy and business practices, get in touch with LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.

Johan Lundstedt