Australian businesses, should consider the following:
- Do you operate a businesses that is established in a member state of the EU?
- Does your Australian-based entity offer goods or services to individuals in the EU?
- Does your Australian-based business monitor the behaviour of individuals in the EU?
If your Australian based business has any sort of business in the EU, then you do need to ensure you are compliant with the new rules.
What is GDPR?
GDPR is a new piece of legislation (effective 25 May 2018) introduced by the European Union. The bill is aimed at giving European citizens more control over how companies use their private data. Under this new bill, the definition of personal data has been expanded to include any information related to a person or data subject, that can be used to directly or indirectly identify the person. In addition to the usual suspects (name, picture, email address, contact number), GDPR also includes an individual’s computer IP address and mobile device identity as identifiers, along with a wider range of identifiers such as economic, cultural, sexual orientation, mental, genetic and so on.
The GDPR and the Australian Privacy Act 1988 share some common requirements, including:
- Implement a privacy by design approach to compliance
- Be able to demonstrate compliance with privacy principles and obligations
- Adopt transparent information handling practices.
However, there are differences and Australian businesses may find, that whether the EU GDPR laws apply or not, it may be a good time to clean up your data protection act, as it may be that over time AU laws move even closer to the EU laws in time.
The Office of Australian Information Commission has outlined a summary table articulating the key differences between the Australian Privacy Act and the EU GDPR. It is not only relating to what sort of data is collected but also how it is managed and protected. It also relates to;
- Accountability and governance - which includes minimising the processing of personal data and transparency as the to the functions and processing.
- Consent - including a new definition of consent, which states that it must be freely given, specific and informed.
- Mandatory data breach notification - any data breach must be notified to relevant authorities within 72 hours of the breach.
- Privacy notices - must be clearly identifiable, in simple language and easily accessible.
In short, there is quite a bit to do to ensure your customer data is protected and meets the new requirements. As CRM experts, Act Today have a clear understanding of the new requirements and can help your business ensure they are compliant.
The new GDPR obligations have already taken effect (as of the 28th May 2018) so now is a great time to get on top of your customer data protection responsibilities.
Contact us today to book in some time with our consultants to you to help you clean up your act in terms of privacy, data collection and compliance.
