GDPR – what it means for Australian businesses
What does it stand for?
GDPR stands for General Data Protection Regulation. It’s a set of regulations that aim to give individuals in the EU control over their private data.
But, due to the global nature of the ‘world-wide’ web, GDPR is influencing the move towards stronger data protection procedures across the globe. Australian businesses, therefore, still need to consider GDPR.
What is GDPR… in a nutshell?
GDPR means that any personal information gathered on a site must be collected with consent, and that the data can only be used for the purpose agreed to. You’ll notice GDPR whenever you’re presented with a pop-up and words to the effect of – ‘this site uses cookies…’ and then the choice to ‘Accept’ or ‘Decline’.
GDPR requires that any visitor to a site has the right to:
- request what data is being collected
- request to opt out
- request their data be deleted

Who does it apply to?
The GDPR came into force in the EU on May 25, 2018, so the regulations are still relatively new. In comparison, Australia’s current privacy regulation is The Privacy Act 1988, which is naturally showing its age (made a year before the internet!). It’s likely it will be revised soon to set a better standard.
GDPR becomes even more imperative for those Aussie businesses with an office in the EU/UK; who are targeting or shipping to EU/UK users or customers; or who mention EU/UK customers on their website, or through reviews or blog posts. Without complying with GDPR, these online businesses face potentially large fines.
But, let’s imagine you’re a local Australian business or brand without any audience within the EU or UK. Should you still consider GDPR compliance? From Rock’s perspective – YES.
Here are three important reasons why:
- Transparency is an admirable brand trait. Being open with users can add to brand reputation
- You’ll build a stronger database of willing and receptive users
- Early adopters will have a head start and advantage for when local policies inevitably update.
GDPR compliance reminds businesses and brands to consider their customers and users first. It’s an acknowledgment of respect for privacy and data, and a sign that the business has protection policies in place. It is, therefore, something to consider even before this ‘best practice’ becomes Australian law (as it no doubt will).
How to comply
For your business to be GDPR compliant you need to consider these three pillars:
- Consent
- Right of Access
- Right of Erasure
Consent
Consent must be “specific, freely-given, plainly-worded, and unambiguous affirmation”. It must be opt-in, not opt-out.
Personal data may not be processed at all before the user has explicitly given informed consent.
[Example image] YES – Cookie consent – clear, human, opt-in consent (Source: Financial Times)
[Example image] NO – Newsletter consent – opt-out as opposed to opt-in
Right of Access
This means that individuals have the right to know what private data is being held by the site and how it is being processed.
Users may request this data, and on request must be given:
- An overview of what data is being processed
- How it’s being processed
- How it was acquired
- Where it is being shared
Right of Erasure
A user can request that any held personal information be deleted. It is a GDPR requirement that this also be honoured in a timely manner.
Summing up
GDPR is a good thing for keeping the internet fair; and for businesses to demonstrate their respect for their users/customers as their first priority.
We believe that it’s a standard to strive towards, even before we’re legally obliged to in Australia.
If you’re interested in more information on GDPR and how you can make your brand or business compliant, please don’t hesitate to get in touch with Rock.