GDPR stands for General Data Protection Regulation. It is the European Union's (EU) regulation governing the protection of personal data, and it has applied since 25 May 2018.
The GDPR was created to protect the privacy of individuals (the regulation calls them "data subjects").
But putting the highest levels of protection around personal data means increased obligations for many Australian businesses that collect or process the personal data of people in the EU, whether or not those people are EU citizens.
What is considered personal data?
Personal data. Under the GDPR, it can be just about any identifier that points to a person. Names, ID numbers, device IP addresses and location data are obvious examples. But the GDPR definition is far more inclusive.
Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person".
And that definition is quite comprehensive.
A person is "identifiable" if they can be picked out directly or indirectly, including by an online identifier (such as a cookie ID or IP address) or by one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
On top of that, the GDPR singles out "special categories" of personal data (Article 9) that may be processed only under narrow conditions. These include any information that could reveal a natural person's
- racial or ethnic origin
- sex life or sexual orientation
- political opinions
- trade union membership
- health, including genetic and biometric data
- religious or philosophical beliefs
Who will be affected by the GDPR?
The GDPR does not discriminate by size. No matter how small your business, the GDPR can apply to any Australian business that offers goods or services to natural persons in the EU, whether or not payment is required.
It also applies to any business that monitors the behaviour of natural persons in the EU, where that behaviour takes place in the EU. Having no office or server in Europe does not take you out of scope.
Ask yourself these questions
- Does my business allow EU customers to make purchases in a language or currency used in an EU member state?
- Does my business use tracking to collect data from natural persons in the EU?
- Does my business have an office location in the EU?
- Does my business use data processing to profile, analyse or predict the behaviour, preference or attitude of natural persons in the EU?
- Does my business accept payment in euros?
- Does my business specifically target EU customers?
If you answered yes to any of these, there is a good chance your business is covered by the GDPR.
How will collecting data change?
For most businesses covered by the GDPR, the most significant changes have to do with the way data is collected and how consent is obtained.
Prior to the GDPR, business sites often relied on a simple, pre-checked box in order to collect consumer consent for marketing communication.
Under the GDPR, a pre-checked box is no longer an acceptable way of obtaining consent. Consent must be given by a clear affirmative action; silence, inactivity or a box ticked by default does not count.
More deliberate ways of opting customers in will become the norm, because the GDPR requires that consent be "freely given, specific, informed and unambiguous".
The GDPR makes consent more transparent than ever before.
In the past, generic, catch-all statements like "we may process your personal data to improve our services" were vague, yet official-sounding enough to get by on.
But for consent to be considered valid under new data protection laws, businesses must clearly indicate
- What kind of personal data is to be collected
- How this personal data will be processed
- Who will be processing the personal data
- What purpose(s) will the personal data serve
Important note: the GDPR applies to both new and existing data. Consent collected before May 2018 only remains valid if it was obtained in a way that already meets the GDPR standard; otherwise it must be refreshed.
The GDPR's recitals make the point plainly: "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
So businesses must ensure that withdrawing consent is as easy as giving it.
Under the GDPR, a business must also be able to demonstrate that a person consented before it relies on that consent, for example before sending marketing communications.
And consent applies to all data collection practices, including offline methods such as postal mail or telephone.
When collecting data, it becomes critical to capture and store
- Date and time of consent
- Method of consent (web form, telephone, post)
- The purpose(s) the person consented to
- A reference copy of the completed sign-up form, including the exact wording shown
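The record-keeping points above (capture the timestamp, method and exact wording; make withdrawal as easy as giving consent; be able to demonstrate consent before sending communications) can be turned into a small piece of working code. The consent ledger below is an added example written for this page, not code from TALK or from any regulator; the in-memory store, the field names and the sample form wording are all assumptions, and it is a starting point rather than legal advice.

```python
"""Consent ledger (added example). Records an affirmative opt-in with the
evidence the text above lists, supports withdrawal in one call, and gates
outbound communications on an active consent record. Storage is in-memory
and field names are assumptions for illustration."""
import hashlib
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    record_id: str
    subject_id: str
    purpose: str            # the specific purpose consented to, e.g. "marketing_email"
    method: str             # how consent was given: "web_form", "telephone", "post"
    form_version: str       # which version of the wording the subject saw
    form_sha256: str        # digest of the exact wording, so it can be reproduced later
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._form_texts: Dict[str, str] = {}   # sha256 -> verbatim wording

    def record_consent(self, subject_id: str, purpose: str, method: str,
                       form_version: str, form_text: str, affirmative_action: bool,
                       now: Optional[datetime] = None) -> ConsentRecord:
        """Store consent only when the subject actively opted in. `affirmative_action`
        must reflect what the subject actually did (ticked the box, said yes on the
        phone); a pre-ticked default is not consent, so the caller passes False and
        nothing is recorded."""
        if not affirmative_action:
            raise ValueError("no affirmative action: consent cannot be recorded")
        digest = hashlib.sha256(form_text.encode("utf-8")).hexdigest()
        self._form_texts[digest] = form_text
        rec = ConsentRecord(str(uuid.uuid4()), subject_id, purpose, method,
                            form_version, digest, now or datetime.now(timezone.utc))
        self._records[rec.record_id] = rec
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """One call withdraws every active consent for that purpose. Returns the count."""
        ts = now or datetime.now(timezone.utc)
        hits = [r for r in self._records.values()
                if r.subject_id == subject_id and r.purpose == purpose and r.active]
        for r in hits:
            r.withdrawn_at = ts
        return len(hits)

    def may_contact(self, subject_id: str, purpose: str) -> bool:
        """Gate for outbound communications: True only if an active consent record
        exists for exactly this subject and purpose."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.active
                   for r in self._records.values())

    def evidence(self, record_id: str) -> dict:
        """What you would produce to demonstrate that consent was given."""
        rec = self._records[record_id]
        return {"subject_id": rec.subject_id, "purpose": rec.purpose,
                "method": rec.method, "form_version": rec.form_version,
                "given_at": rec.given_at.isoformat(),
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
                "form_wording": self._form_texts[rec.form_sha256]}


# Constructed sample wording for a sign-up form (not taken from any real site).
FORM_V3 = ("I agree that Example Pty Ltd may email me about its products. "
           "I can withdraw this at any time via the link in every email.")


def demo() -> dict:
    """Give -> check -> withdraw -> check, with fixed timestamps for reproducibility."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    rec = ledger.record_consent("subj-42", "marketing_email", "web_form", "v3",
                                FORM_V3, affirmative_action=True, now=t0)
    before = ledger.may_contact("subj-42", "marketing_email")
    other_purpose = ledger.may_contact("subj-42", "profiling")   # never consented to
    withdrawn = ledger.withdraw("subj-42", "marketing_email", now=t0.replace(hour=10))
    after = ledger.may_contact("subj-42", "marketing_email")
    return {"record_id": rec.record_id, "before": before, "other_purpose": other_purpose,
            "withdrawn": withdrawn, "after": after, "evidence": ledger.evidence(rec.record_id)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Two design choices matter here. Consent is keyed by purpose, so a tick for marketing email says nothing about profiling and `may_contact` correctly refuses the second purpose. And the ledger stores the verbatim wording (indexed by its hash) rather than just a form name, because "we used form v3" proves nothing if v3 has since been edited.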
Consequences of non-compliance
The GDPR is an unprecedented piece of legislation. It is by far the most sweeping data protection measure the EU has ever adopted.
Its very first recital states: "The protection of natural persons in relation to the processing of personal data is a fundamental right."
And the GDPR is proof they mean business, backed by fines that are equally unprecedented.
The most serious infringements, including invalid consent, can result in fines of up to 20 million euros or 4% of a business' total worldwide annual turnover for the preceding financial year, whichever is higher. In other words, enough to destroy many companies found in breach.
The GDPR was designed to protect the privacy rights of people in the EU.
And it requires some fundamental changes to the way your business collects and processes personal data from the EU.
In an economy that has become increasingly global, it is more important than ever to keep the doors to your business open to the largest customer base possible.
Partnering with digital experts who fully understand GDPR compliance means you can carry on with business as usual.
Let TALK update your digital services to satisfy the latest EU regulations. And let the world see what you have to offer.