If you run an online business in Australia, it's likely that you will have to comply with the GDPR. Read about what that means here.
In April 2016, the European Parliament passed the General Data Protection Regulation (GDPR). Although it is EU law, binding on the 28 member-states of the European Union (EU), Australian businesses may also be caught by it.
If you own a business, it is likely that you also run a website for it. Having a website has many advantages: not only can your customers purchase products and find information easily, but your brand also gains exposure.
In this guide, we’ll discuss what new privacy laws mean for you and how to know when you have to comply with international regulations.
Collecting customer data
In the normal course of operating a business, it is likely that the business will gather the personal information of users. Businesses collected customer information long before online business and eCommerce existed, albeit in different forms. For example, a business with a physical shop would keep records of the transactions made and often other personal details of its customers.
In some ways, business websites are the same. They collect information from customers such as their name and contact details, their activity on the site and their financial information. However, data held online carries the added risk of exploitation through breaches and malware. To protect the privacy of consumers, jurisdictions around the world have enacted legislation regulating how businesses handle personal data.
A new model for privacy?
Who does it apply to?
The GDPR imposes obligations on data controllers (businesses that decide why and how personal data is processed) and data processors (businesses that process data on a controller’s behalf), and it protects data subjects (the individuals the data relates to). For the purposes of this article, we’re most interested in who counts as a data subject. Data subjects are people who are in the EU, whatever their citizenship – and this is where Australian businesses need to be careful. If your customers count as ‘data subjects’ under the GDPR, then you will want to keep reading.
Who has to comply in Australia?
Separately from the GDPR, the entities covered by Australia’s own Privacy Act 1988 (Cth), and therefore bound by the Australian Privacy Principles, are:
- Australian or Norfolk Island Government agencies;
- Businesses or not-for-profits generating an annual turnover of at least $3 million;
- Private health service providers; and
- Businesses or not-for-profits generating an annual turnover less than $3 million who fall within one of the small business exceptions.
The International Sphere
On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. It substantially altered the privacy obligations of entities operating in the European Union or collecting information about individuals in the EU. It applies to the data processing activities of businesses that are data controllers or processors, subject to certain criteria. It regulates the processing of ‘personal data’, which is ‘any information relating to an identified or identifiable natural person’ under Article 4 of the Regulation.
How does this affect Australian businesses? Australian businesses are required to comply with the GDPR in some instances. This is the case if they:
- have an establishment in the European Union; or
- offer goods or services to, or monitor the behaviour of, individuals in the EU.
Not only do customers value their privacy online, but legislation increasingly reflects this. Businesses that fail to comply not only risk financial penalties, but also risk losing customer trust. If your business has a presence or serves customers overseas, it’s important that you comply with the privacy laws of those jurisdictions.
Not sure where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.
Ashlee is a legal intern working in the content team at Lawpath. She is interested in information technology law, and all things innovation. Ashlee is currently completing a Dual Degree of Law/Commerce at the University of New South Wales.