If you collect personal information about customers and they are European citizens or residents or if your business markets to customers in the EU, you must comply with new privacy regulations as of May 2018.
The EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. The new regulations not only apply to businesses in the European Union (EU), but also to businesses overseas that offer goods or services to citizens or residents of the EU (also known as EU Data Subjects).
This means that businesses in Australia that promote or deliver to the EU will be affected. If you sell any products to customers in the EU, or market to any customers in the EU, and you collect any information that can be used to identify a person, such as their name, contact details, photos, IP addresses or even social media posts, then you must comply with the GDPR.
The GDPR will apply to all personal data from EU Data Subjects that you hold and process, including data already on your marketing databases. You must ensure that you are compliant with the GDPR and that you have proof that you obtained consent to collect data from these parties and to send communications to them.
Businesses that do not comply with the GDPR may face heavy fines, including up to 4% of annual global turnover or €20 million.
Some of the key elements of the GDPR include:
- Proof of consent: Where data is collected on the basis of consent (rather than as a requirement for the performance of a contract, a legal obligation, etc.), a business must now be able to prove that consent was given by the data subject. It is therefore more important than ever to keep detailed records of correspondence. The form of consent must be concise and clear, not full of legalese.
- Privacy by design: Businesses must hold and process only the personal data that is “absolutely necessary for the completion of their duties” and must limit access to that data to those processing it.
- Data breach notification: Mandatory data breach notification within 72 hours of becoming aware of a breach where a breach is “likely to result in a risk for the rights and freedoms of individuals”.
- Right to access: A right for EU Data Subjects to obtain confirmation as to whether or not personal data is being processed, where and for what purpose and to obtain an electronic copy of the personal data (free of charge).
- Right to be forgotten: A right for EU Data Subjects to have their personal information erased, to have further dissemination of the information cease and, potentially, to have third parties stop processing the data.
If you are concerned about how the GDPR affects your business and would like a review of your Privacy Policies for compliance with the new laws, as well as with Australian privacy law, do not hesitate to contact me today on 1300 033 934 or at for a no-obligation chat.