What is it?
Every time we open our phones or jump on our laptop, we’re sharing personal information with businesses and organisations.
From sending work emails to Facebook messages, sharing Google docs, paying phone bills and shopping online – we share a lot of information without giving it half a thought. The GDPR sets boundaries on what data is actually being collected and how it is being used.
From the 25th of May, businesses and organisations will need to be able to explain what data they’re collecting and why. It won’t just be a matter of businesses updating their privacy policy: companies are going to be held accountable for the information they are collecting and the reasoning behind it. And the penalties for not complying with the new regulations are huge – up to 20 million euros or 4 percent of global revenue, whichever is higher.
What does this mean for Australian companies?
If you have any operation in the EU, you have to comply with the new rules. Even if you don’t operate there now, you run the risk of sanctions if European customers eventually sign up to your services.
Basically, the regulations put individuals in control of their data: who sees it and how it is used. Some key points from the regulation include:
- The right to request access. If a user wants to see what data has been collected about them, the company must provide a copy of the information.
- The right to be forgotten. If a user wants to withdraw their consent to have their data used, they have every right to have it removed.
- The right to be informed. Companies need to inform individuals if their data is being gathered.
By not complying with the rules, companies run the risk of being shut out of a market of 500 million consumers.
How to be prepared
- Find out where you are collecting personal data from and document what exactly it is used for. Have a clear understanding of who can access this data and whether or not this presents any risks.
- Don’t keep personal information unless it is really relevant to your business. The aim of the GDPR is to encourage a more disciplined treatment of personal data.
- Develop safeguards within your business infrastructure to avoid any data breaches. As regulations become more strict, so do the penalties. Don’t be caught out by a lack of security and risk facing serious consequences.
- Develop procedures for handling personal data. Have structures in place outlining what data is handled, who handles it and how the data is going to be used.
If your business gathers any type of personal data, understanding these regulations is essential – even if you only operate within Australia. Not complying with these rules puts you at risk the moment you have a European customer sign up to your services.
Personal data can be anything from name, age, IP address and profession to more sensitive information like ethnicity, political views, union memberships and biometric information – so if you’re collecting any of this information, you need to be able to explain why and be able to hand the data over to anyone who asks.
The GDPR laws will be some of the largest changes to privacy regulations in the last decade and we can expect other countries to follow suit. Even if you have no current connection to the EU, it would be a smart move to understand these regulations and how they could potentially affect your business.