GDPR privacy laws for Australian Businesses

By now we all would have received several emails in regards to GDPR in relation to your privacy rights – perhaps from Twitter or eBay. These organisations, and others, are getting on the front foot ahead of a new privacy law coming into effect in the European Union this month.

The new law is a major upgrade to online privacy rights for citizens of the EU. What is it all about and why are Australian consumers, on the other side of the world, receiving emails about it?

GDPR stands for ‘General Data Protection Regulation’. It’s a new privacy law that takes effect on May 25, 2018 and is designed to protect all individuals within the European Union (EU) and the European Economic Area (EEA) against data theft and privacy breaches. The idea being that users have complete control over their data, and if you collect any data, you have to tell them why you need it.

Experts say that it updates laws from the mid-1990s, tackles privacy concerns, increases transparency, and codifies concepts such as “the right to be forgotten online“.

What does GDPR mean in practice?

The GDPR will be governed by imposing penalties for organisations that breach people’s online privacy. This includes the deliberate or accidental breaches such as leaking of a person’s or customer’s information and/or data. It makes organisations accountable for personal data being exposed by any means, such as weak security systems, inadequate processes or even disgruntled employees who expose, leak or steal personal data. The steep penalties are designed to pose a significant financial impact to an organisation that does not comply to GDPR.

Furthermore, GDPR also sets out to define the lawfulness of the data you are collecting. If you have a website or systems to collects user information, you may not even be aware of the type of data you or your organisation is collecting. The extent and type of data your systems collect may be in breach of the GDPR.

Will GDPR compliance cost money?

A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While this may be an over-reach estimate, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR.

Even for small organisations that only hold smaller amounts of data, the cost of compliance will be a considerable based on the number of hours spent completing an audit, writing and updating procedures and processes, training staff, and verifying information and performing periodic reviews to insure organisations are compliant. And as with any regulation, there will be changes, which in turn, stimulates more audits. The GDPR compliance efforts will not finish on May 25. They will continue, and so will the expenses.

Under the GDPR, the maximum fine for a privacy breach is 20 million euros or 4 per cent of a company’s annual global turnover — whichever is greater. On top of that, there are administrative fines of up to 10 million euros or 2 per cent of global turnover for failures by company management to protect data.

How is GDPR relevant to Australian businesses?

GDPR is a European law. On the face of it, one may conclude that GDPR would have little relevance for Australian companies, however any company who has clients in the EU will be affected. For example, you might be an Australian company selling products or services online. If one of your clients purchases a product or service, and that client is an EU citizen, the GDPR will apply to you and your company.

If you offer a subscription or “sign up for a newsletter” service on your website, the GDPR applies if the end user is an EU citizen. If the EU citizen is travelling or located in Australia at the time of purchase, the GDPR applies.

So even a very small business in Australia may come within the scope of the GDPR.

One may reasonably expect that Australian based companies are protected and only need to comply with Australian Law, but  I wouldn’t be so sure on that.  The Australian government is committed to securing an ambitious and comprehensive Australia-European Union Free Trade Agreement (EU FTA). The scope of the Australia-EU FTA includes enhanced regulatory cooperation, so this means that the EU will seek to get extended powers in Australia.

How GDPR applies to website owners

Do you have a website? Unless you have a specific agreement, your hosting provider is not responsible for your website’s GDPR. Since GDPR came into effect in May 2018 your designer and or developer would probably not have considered GDPR. Going forward however, the GDPR is now another factor that developers must consider.

Your site most likely uses Cookies which can be used to uniquely identify a person, therefore they should be treated as personal data. It will affect those identifiers used for analytics, advertising, but also those used for functional services – like chats and surveys.

Under normal circumstances the operation of a website lies with the owner. There are five main ways in which this will affect website owners:

• How you collect data via forms (contact forms, newsletter signups etc.) and analytics data (SEO)
• What you do with that data
• Where the data is stored
• How you communicate with your customers and contacts
• The code you use including plugins and themes

CMS sites

It is highly likely that your website has been built on a Content Management System (CMS) such as WordPress.  The good news is that there is a dedicated team of WordPress Core contributors working on GDPR-proofing the Core code. They have a website (and associated Slack channel) set up where admins and devs can keep up with the progress and to see what you need to do to get yourself (and your clients) in compliance. Here’s the breakdown of what you’re responsible for:

• Explaining who you are, what data you collect, how long you’re keeping the data, why you need it, and who has access to it
• Getting explicit and clear consent to collect data through an opt-in
• Giving users access to their own data, the ability to download it, and to delete it from your records completely
• In the event of a hack or security breach, notifying your users about it

Contact Forms

Any personal data you collect on an individual via a form may mean you have to put extra safeguards in place. Data covered by the legislation includes not only names and addresses but also photos of individuals, such as avatars and photos they upload.

The crucial thing is that you must be transparent, so when collecting data via any form on your site, you must also provide details of how you will use the data. This means a pop-up, redirection to another page on your site, or an email with the information.

You must also provide people with details of how to contact you to get access to their information or to have it deleted. And you have to inform them if you will be sharing that data in any way.

Checklist:

• With a form, say why you’re collecting the data and how you will use it
• Provide a double opt-in to ensure you have informed consent
• When sending out emails, include information on why you’re emailing them and how you got their data
• When sending out emails, provide an unsubscribe option and a ‘forget me’ option. If someone asks to be forgotten, delete their data – don’t just stop sending them emails
• If you share data, tell the owners of the data and ask for their consent. Don’t share without consent
• Use forms plugins and mailing list providers that are GDPR-compliant
• Include a privacy policy on your website with details of the data you process and hold, what you do with it, whether you share it, how people can access their data and how they can delete it or have it deleted

Using third party themes & plugins

Many sites built on a CMS such as WordPress, Drupal or Joomla use third party themes and plugins. Plugins and themes also collect data and in many cases distribute it to other third party sites. For instance if you are using Google Tag Manager or Analytics, end user data may be sent to Googles servers via and API. The bottom line is that every plugin and theme should be checked to ensure that they are GDPR-compliant. Furthermore, make sure they are configured in a way that is compliant.

What does this mean for me?

Let’s face it – thinking about data legislation isn’t much fun for most of us. If you want to take GDPR seriously, then weigh up the risks, vs costs of complying and not complying.

For further reading please see the guide to securing personal information and identify what systems or processes collect personal information, then read the Australian businesses and the EU General Data Protection Regulation.

The following resources may assist Australian businesses to assess whether they are covered by the GDPR and the steps to be taken to comply:

• European Commission, 2018 reform of EU data protection rules
• Article 29 Working Party (from 25 May 2018, the European Data Protection Board) GDPR guidance
• Asia Pacific Privacy Authorities EU General Data Protection – General Information Document
• UK Information Commissioner’s Office Guide to the GDPR

This post is designed to help you identify what you need to do and to act as a starting point. It does not provide any legal advice, so if you are concerned about GDPR you should probably speak to a lawyer.