No doubt you've been inundated in recent weeks with a bunch of "We're updating our privacy policy" emails, from every website you've ever signed up to (and many you may have forgotten about). This is due to the introduction of a new set of data privacy laws which formally took effect in Europe on 25 May 2018 - the General Data Protection Regulation (GDPR).

What is the GDPR?

The GDPR has been introduced across Europe to counter some of the more insidious data collection and online surveillance techniques out there today. At a very basic level, the GDPR applies if you collect the personal data of any EU citizen. It includes a bunch of onerous provisions, and has severe penalties for breaches.

How does this apply to Australian website and business owners?

In Australia, privacy policy and handling of customer data is regulated by the Australian Privacy Act 1988 which includes 13 Australian Privacy Principles (APPs). The good news for Australians is that the GDPR and the Australian Privacy Act are compatible, in that both promote transparency and accountability in information handling, and both require businesses to notify of any privacy breaches. However, the GDPR contains several differences which do not currently have an equivalent right under the Privacy Act.

Does the GDPR apply to me?

Just because a website may be accessible to the EU, does not necessarily mean it will be forced to comply with the GDPR. And at this point the legislation is active, but untested in a court of law. The important questions for you to consider right now are:

1. Is your business a legal entity in Europe?
2. Do you have employees in Europe?
3. Do you sell goods or services to customers in Europe?

If your answer is YES to any of these, then your business is subject to the GDPR and, depending on the type of business you conduct, you may need to make changes to:

• Privacy Policy
• Terms and Conditions
• Website forms that collect information from or about customers - forms must now obtain explicit consent from customers regarding use and retention of any information about them
• Your site may need new facilities for customers to view, delete, export and request updates to any information your site holds about them

If your answer is NO, then keep reading!

Does the Australian Privacy Act apply to me?

The Privacy Act includes 13 Australian Privacy Principles. This link provides a quick reference outline of all 13 APPs. These APPs outline how certain organisations must handle, use and manage personal information.

The Australian Privacy Act does not apply to all organisations, and individual organisations must decide how they apply to their own organisation. So make sure you do some research to see if your organisation is included or not.

   Consider this - due to the requirements of the GDPR, and the number of people in the world it applies to, there is now increased focus on data privacy, collection and management. With that in mind, it may be reasonable to assume:

1. There will be changes in the way things are done going forward.
2. It's not difficult to envisage a time when - above and beyond the legal requirements - businesses that do demonstrate a commitment to data privacy, may be preferenced over those that don't.

What to do right now

1. If you don't have a Privacy Policy, outlining how data is collected and managed - consider getting one. This can be combined with a website notice highlighting the existence of the policy. While this does not make a website GDPR-compliant, it does help meet APP1 - "open and transparent management of personal information".
   
   
2. Consider your current and future data collection processes:
   • Do you provide the option of anonymity or pseudonymity (APP2)?
   • Do you handle sensitive information appropriately (APP 3-6)?
   • Do you understand the rules around how you can use or share the data you collect, including for direct marketing purposes and overseas? (APP 7-9)
   • The GDPR requires a business to ONLY collect the data required for the task at hand - do you really need to ask for an address if you're not posting goods to customers?
   • Should you pre-tick boxes in forms? (GDPR - no).
   • Should you provide people with the option to opt-out or opt-in? (GDPR - opt-in).
     
     
3. Encryption of backup files. APPs 10-13 relate to the quality, security, access to and correction of personal information by an individual. But the GDPR goes further, with a "right to be forgotten" requirement, which does not currently have an equivalent in Australian law. This means if an individual wins the right to be forgotten in a court of law, then not only does that individual's personal data need to be removed from existing systems, but also from un-encrypted backups. Clearly you do not want to have to go back one day and open up every single backup file to remove an individual's details! So to preempt this as a possibility, consider encrypting backup files now.

If you need assistance with determining your requirements or implementing new privacy policies or processes, please contact us.