The GDPR – Do You Really Need to Tune in to These Changes?
Amongst other things, the General Data Protection Regulation (GDPR) now gives clients the ‘right to be forgotten,’ but what does that mean for your business (and is there some way to magically apply that to our ATO records)?
In a nutshell, the GDPR provisions should be understood by every business. Some will need to dash off and implement sweeping changes, while others will only need to make minor adjustments to their policies and methods of handling personal data. Some businesses (hopefully you) will be able to assure themselves that the new rules don’t apply to them and return to their regular viewing.
Australian Privacy Laws.
A significant difference between the GDPR and our Australian Privacy Laws is that the GDPR applies to businesses of all levels of turnover. The penalties for breaches of the GDPR are also much higher.
With the GDPR came a few additional obligations that are different from Australian laws. There are plenty of summaries on the glorious internet, but I would recommend this one prepared by the Office of the Australian Information Commissioner as a more comprehensive (but not overwhelming) 11 pages.
So, what should you do?
1. Work out if the GDPR applies to you.
If you:
- offer goods or services in the European Union (EU); or
- ‘monitor the behaviour’ of EU citizens;
then the provisions will apply to how you handle their information.
‘Monitoring behaviour’ might include storing personal data about EU citizens (email addresses, home addresses, phone numbers and dates of birth, etc.) or selling them a product that stores information about them.
2. Understand the differences.
- Consent to receive marketing material in Australia has always been required before businesses can send newsletters and product updates. But all the things I’ve previously recommended as ‘best practice’ are now law under the GDPR. That means no ‘bundled consent.’ Break down the different ways you intend to use their information, to allow them to select or decline each type.
- Don’t preselect consent boxes. The client must actively consent to ensure it was a choice and not an oversight.
- Parental consent is required if contacts are under 16.
- Higher levels of security and accountability apply when processing or handling personal data.
- The GDPR gives clients “the right to be forgotten” which means that if their information is no longer required for the service they signed up for, they can ask for it to be erased (I’m fairly sure the ATO have me signed up for life).
- In some cases, clients can object to the processing of their personal data, for example, for the purpose of direct marketing.
- Contacts now have a right to ‘data portability’ which essentially allows individuals to see what data is being stored.
- Contacts also have a right to restrict the processing of their personal data in some cases. An example might be where the data is not correct.
3. Apply them.
New processes are a headache for Small Businesses who are already struggling to find enough hours in the day. But, ultimately, you are responsible for how your business is managed, so make a strong cuppa and commit yourself to a bit of reading to work out what changes (if any) you need to make.
“The opinions expressed by Smallville Contributors are their own, not those of www.smallville.com.au”