SHARE THIS ARTICLE WITH LIKE MINDED SMALL BUSINESS PEOPLE

The GDPR – Do You Really Need to Tune in to These Changes?

mm

The GDPR – Do You Really Need to Tune in to These Changes?

Amongst other things, the General Data Protection Regulation (GDPR) now gives clients the ‘right to be forgotten,’ but what does that mean for your business (and is there some way to magically apply that to our ATO records)?

The European Union’s GDPR became very real recently, when our inboxes began to fill with privacy policy updates, and options to unsubscribe. And businesses who were perhaps a little blasé about the changes, are starting to wonder if they should be paying more attention.

In a nutshell, the GDPR provisions should be understood by every business. Some will need to dash off and implement sweeping changes, while others will only need to make minor adjustments to their policies and methods of handling personal data. Some businesses (hopefully you) will be able to assure themselves that the new rules don’t apply to them and return to their regular viewing.

Australian Privacy Laws.

I’ll keep this brief, so you don’t doze off. Apart from a few exceptions, Australian Privacy Laws only require businesses with a turnover of more than $3 million to display their privacy policy. Many Small Businesses who don’t meet that threshold, still opt to have a privacy policy because it builds confidence with clients who are handing over personal information if they know what you’re going to do with it.

A significant difference between the GDPR and our Australian Privacy Laws is that they apply to all levels of turnover. The penalties for breaches of the GDPR are also much higher.

GDPR extras.

With the GDPR came a few additional obligations that are different from Australian laws. There are plenty of summaries on the glorious internet, but I would recommend this one prepared by the Office of the Australian Information Commissioner as a more comprehensive (but not overwhelming) 11 pages.

So, what should you do?

1. Work out if the GDPR applies to you.

If you:

  • offer goods or services in the European Union (EU); or
  • you ‘monitor the behaviour’ of EU citizens;

then the provisions will apply to how you handle their information.

‘Monitoring behaviour’ might include storing personal data about EU citizens (email addresses, home addresses, phone numbers and dates of birth, etc.) or selling them a product that stores information about them.

2. Understand the differences.

  • Consent to receive marketing material in Australia has always been required before businesses can send newsletters and product updates. But all the things I’ve previous recommended as ‘best practice’ are now law under the GDPR. That means no ‘bundled consent.’ Break down the different ways you intend to use their information, to allow them to select or decline each type.
  • Don’t preselect consent boxes. The client must actively consent to ensure it was a choice and not an oversight.
  • Parental consent is required if contacts are under 16.
  • Higher levels of security and accountability apply when processing or handling personal data.
  • The GDPR gives clients “the right to be forgotten” which means that if their information is no longer required for the service they signed up for, they can ask for it to be erased (I’m fairly sure the ATO have me signed up for life).
  • In some cases, clients can object to the processing of their personal data, for example, for the purpose of direct marketing.
  • Contacts now have a right to ‘data portability’ which essentially allows individuals to see what data is being stored.
  • Contacts also have a right to restrict the processing of their personal data in some cases. An example might be where the data is not correct.

3. Apply them.

This not only means updating your privacy policy but assessing the way you handle information and changing your processes to make sure you comply. To help get your head around the actual application of these changes, you might ask yourself, “How would I respond to a request for access to stored data?”, or “How would I respond to a data breach?”

New processes are a headache for Small Businesses who are already struggling to find enough hours in the day. But, ultimately, you are responsible for how your business is managed, so make a strong cuppa and commit yourself to a bit of reading to work out what changes (if any) you need to make.

Views All Time
Views All Time
337
Views Today
Views Today
2

“The opinions expressed by Smallville Contributors are their own, not those of www.smallville.com.au"



SHARE THIS ARTICLE WITH LIKE MINDED SMALL BUSINESS PEOPLE
Recommended Posts

Leave a Comment