The General Data Protection Regulation may have been enacted for European consumers, but on the web every business is affected by its rigorous requirements, regardless of location.
As a result, the Office of the Australian Information Commissioner has already released guidance for Australian business owners to help them through the transition to the GDPR requirements. Since those documents are long and dense, we have put together an easy-to-follow guide for the Australian business owner.
#1: Who has to make the transition to GDPR?
Starting 25 May 2018, every business must comply with the GDPR if:
- The business has an office in the EU;
- You provide services or products to European customers;
- You monitor, profile, or gather personal data from people in Europe (this applies to newsletters or any other online activity that requires users to provide personal information);
- Your business does not deal directly with EU customers, but works with suppliers that hold personal information about European customers.
Quick note: While there are many resemblances between the Australian Privacy Act 1988 and the new GDPR, there are also differences, so Australian businesses still have to make some data protection policy adjustments. In short, being compliant with the Australian Privacy Act does not mean you are compliant with the GDPR!
#2: What Does It Mean To Be GDPR Compliant?
In most cases, it means that contract terms are going to change for everyone who comes into contact with the EU. As a result, vendors such as CRM providers, data analytics tools, cloud-based systems, and more will have to renew their agreements with you.
Unfortunately, the European Commission does not consider Australia to be one of the countries with adequate privacy laws. The result will be more regulations and safeguards imposed by organisations that want to work with Australian businesses.
Our advice, if you are not sure where you stand with respect to the GDPR, is to seek legal advice. The regulations are stringent and the consequences hard to endure, so it is best to be prepared and protected.
#3: How is the GDPR different from the Privacy Act?
The main differences lie in the heavier obligations placed on a controller (the entity that decides why personal information is collected and processed), and in the fact that the GDPR now distinguishes between controllers and processors.
The controller has to make sure the data is processed according to the GDPR, regardless of whether the processing happens in-house or is outsourced to a processor (an entity that only handles personal information under a contract with the controller).
A controller has to make sure the following are met:
- There is a lawful basis for processing (meaning the party processing the information should have some form of consent from the person the data is about);
- Consent must be explicit (not implied) and it must be possible to withdraw it at any time;
- Data subjects have new rights, such as the right to access, modify, and delete their data, the right to data portability, and more;
- Your business may need a Data Protection Officer or an appointed EU representative;
- Data breach reporting rules are a lot stricter and breaches will have to be reported within a shorter time frame.
Is GDPR for Real?