What is the GDPR?
The GDPR is a new piece of European Union (EU) data protection and privacy legislation that came into effect on 25 May 2018. It applies not only to businesses located within the EU, but also to businesses elsewhere in the world that collect the data of individuals located in the EU.
It’s very important to note that the size of your business is not a relevant factor in determining whether you need to comply with the GDPR. Unlike Australian privacy law, the GDPR has no small business exemption. Breaching the GDPR can attract substantial fines – up to 4% of the offending business’ annual global turnover or €20 million (whichever is greater).
The high fines and wide scope of the GDPR are why it’s getting so much attention. It’s therefore important to understand whether you need to comply with the GDPR and what steps you would need to take to become compliant.
Do You Need to Comply?
The GDPR applies to your business if you collect data and you are:
- established in the EU;
- offering goods or services to EU-based individuals (free or paid); or
- monitoring EU residents’ behaviour.
If you don’t have an office or branch in the EU and you don’t monitor individuals based in the EU, it’s essential to work out whether you “offer goods or services” to EU-based individuals. As most websites are accessible to a global audience, the mere fact that EU-based individuals can access a site does not, in itself, indicate that the GDPR applies to your business. Rather, it matters whether you are aiming to offer goods or services to EU-based individuals.
Factors that indicate an intention to offer goods or services to EU-based individuals include:
- using a European language on your website;
- using a European currency on your website; or
- mentioning customers or users who are in the EU.
If you tailor your website or your marketing to attract and sell to individuals based in the EU, your business will have to comply with the GDPR.
What Are Your Obligations?
Under the GDPR, businesses are categorised either as ‘controllers’ or ‘processors’. The distinction is important, as there are certain obligations that only apply to controllers or processors.
Businesses that decide how personal data will be processed are controllers. However, if you're processing data based on instructions from another business, you’re considered a processor.
Being a controller doesn’t automatically mean that you can simply rely on the expertise of the processor to handle your users’ data. If a processor doesn’t handle the data correctly, you, as a controller, can still be held liable in certain circumstances.
Lawful Ways of Processing Data
Under the GDPR, your business needs to have a legal basis for collecting and storing personal data. There are different ways to show that you are lawfully processing data, but most likely you will rely on:
- consent;
- contractual necessity; or
- legitimate interest.
If you are relying on consent from the user, you have to make sure that it is unambiguous and express. It must be in clear and plain language.
Contractual necessity means there's an agreement in place between your business and the individual about the processing of their personal data. This applies whenever the collection of data is necessary to fulfil a contract. For example, an internet company needs to know where an individual lives to be able to provide the user with internet services in accordance with the contract.
Legitimate interest requires your business to balance the company's interest against the rights and freedoms of the individual from whom you are collecting personal data. You may wish to monitor use and conduct analytics on:
- website or app use;
- pages and links clicked;
- patterns of navigation;
- time spent on a page;
- devices used; and
- where users are coming from.
Gathering this data to improve your services might be in your legitimate interests.
New Rights For EU Individuals
Australian privacy laws, including the Australian Privacy Principles (APPs), don’t reflect some of the new rights established under the GDPR. These include a right to:
- the erasure of their personal data;
- data portability; and
- object to the processing of their personal data.
A person can ask a business to erase their personal data in certain situations, such as where:
- you no longer require the personal data for the purpose of initial collection;
- the person withdraws consent to the processing of their data; or
- you wrongfully collected the personal data.
The right to erasure is also known as an expansion of the ‘right to be forgotten’.
A person has the right to ask for their personal data to be held by a data processor in a structured, commonly used and machine-readable format. They also have the right to transmit their personal data to another business without any hindrance from the business they originally provided their data to.
Objecting to the Processing of Data
Finally, a person can object, at any time, to the processing of their personal data.
What You Need to Do
Becoming GDPR compliant may require you to look over what data you are collecting as well as your systems, internal processes and legal documents. Given that this is a complex area of law, your business may need to engage an IT lawyer to review your documents and processes. However, there are a number of suggested first steps to becoming GDPR compliant, including ensuring that:
- individuals have rights to be forgotten, to access their data, to erasure, to restriction of processing and to data portability. You should explain each of these rights;
- individuals under 16 years old need the consent of a parent or guardian to be able to consent to the processing of their personal data; and
- your business processes personal data in accordance with the principles of data processing set out in the GDPR.
Keep Track of the Collection of Data and Educate Your Staff
Make sure that you keep track of the kind of data your business collects and why it is being collected. Provide training to your employees in relation to aspects of privacy law so they understand why you collect certain data and what their responsibilities are under the GDPR. Some initial questions to discuss with your staff include:
- do we need all the data we collect?
- could we supply our service or products without collecting personal data? and
- are we using the data in accordance with what our users expect?
Update Your Processes and Systems on Your Website
Ensure that the privacy notices on your website are visible to your users when you collect personal data from them. You should include a consent statement next to a “tick to accept” box to record a user’s consent to the collection of their personal data.
Remember that such a request must be written using clear and plain language.
Store Personal Information in a Readily Available Format
The GDPR introduces new rights for individuals, such as:
- the erasure of personal data;
- data portability; and
- the opportunity to object to the processing of their personal data.
You should, therefore, make sure that you are not only able to easily erase personal data, but also that you automatically store personal information in a format that is easy for you to:
- extract; and
- provide to your customers upon request.
Make it possible for your customers to easily let you know if they wish to withdraw their consent.
Have Processes in Place for Data Breach Notifications
The GDPR provides a definite time frame for notifying authorities of a data breach. If a data breach is high risk, you must notify the affected individual and the relevant supervisory authority in the individual’s country within 72 hours of becoming aware of the breach.
Prepare a data breach plan so that you are ready if a breach occurs and you can quickly mitigate its effect.
Your business needs to comply with the GDPR if you’re collecting personal data and your business:
- is established in the EU;
- offers goods and services to EU-based individuals; or
- monitors the behaviour of individuals in the EU.
Ensuring compliance will be different for every business, depending on what personal data you are collecting and how. However, a good start for any business is to look over how you collect data in accordance with the tips above. If you’re unsure if the GDPR applies to your business or you need help drafting your privacy documents, contact LegalVision’s IT lawyers on 1300 544 755.