As an Australian business, you may have thought that your privacy compliance only had to cover those living in our great southern land. For Australian businesses engaged in commerce in Europe, this may not be the case… You may need to make sure you a have a GDPR compliant Privacy Policy. Keep reading this Legal Kitz blog for more information.
Key points to remember
- If you are an Australian business with offices in the EU, you will need to have a GDPR compliant privacy policy.
- If you are an Australian business intending to offer goods and services or monitor personal data of people in the EU, you will need to comply with the GDPR
- You organisations systems and privacy policy will need to demonstrate compliance with both the Australian Privacy Principles and the GDPR if you do business in the EU
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a European privacy law often heralded as the toughest security law in the world. Though it is an European instrument passed by the European Union (“EU”), the GDPR has implications for Australian businesses. If Australian businesses target or collect data related to people from the EU, it is likely that they may have an obligation to comply with the GDPR.
The GDPR has generally been quite well received by consumer groups and digital privacy activists due to the level of protection and the rights it affords consumers. However, it can be quite onerous for businesses to comply with their obligations under the regulation and has hefty pecuniary penalties for noncompliance. This blog post will explore how Australian businesses can ensure GDPR compliance within their Privacy Policies.
What is a Privacy Policy used for?
A privacy policy is a legal document that states in simple language how your organisation handles the personal information of those that engage with you. Generally, a privacy policy will cover topics such as:
- Collection of information – how your business collects the information of those you deal with
- Storage of information – outlining how personal information is stored.
- Use and disclosure of information – what procedures must be followed prior disclosure and in what circumstances disclosure or use may be made
- Protection of information – covers how your business protects client data
- Accessing personal information – in what circumstances a person may access their data held by the business and the procedure for doing so.
As an Australian business, you may already have a privacy policy in place to ensure compliance with the Australian Privacy Principles contained within the Privacy Act 1988 (Cth). It is important that you consider your position under the GDPR to ensure that your current privacy policy is comprehensive enough to ensure you are EU-compliant.
Do I need to be GDPR compliant as an Australian business?
Broadly speaking, any Australian business that:
- is based in the EU;
- provides goods or services to people based in the EU; or
- monitors the behaviour of those based in the EU
will be subject to the application of the GDPR. Most Australian SME’s do not have offices within the EU, however, it may be the case that you offer goods or services to people based in the EU.
Usually, this is determined by whether or not a business outside the EU intends to offer goods or services to those within the EU. This may be the case if you operate an ecommerce business that offers transactions in Euro, or if you offer European customers the option to select a European language on your website.
If your business makes any attempt to engage with customers in the EU, you will be required to comply with the GDPR.
What are my obligations under the GDPR?
The GDPR provides specific obligations to “controllers” and “processors” of personal data. If you require advice specific to your obligations as a controller or processor, get in touch with the team at Legal Kitz today.
Generally speaking, there are a number of key protection principles that must be adhered to within your organisation and applied to your privacy policy to ensure compliance.
- Lawfulness, Fairness and Transparency
Your business must make sure you are clear about what data you are collecting and how you intend to use it.
- Purpose Limitation
You must ensure your business only collects personal data for a specific purpose.
- Data Minimisation
Personal data should only be processed as necessary to fulfill the stated purpose for collection.
- Accuracy
Every reasonable step must be taken to erase personal data that is inaccurate within 30 days of a person making a request.
- Storage Limitation
When your business stops needing the personal data, you must delete that data.
- Integrity and Confidentiality
Personal data must be processed in a manner that ensures the appropriate security of that data. You must ensure your business handles data with integrity and confidentiality.
- Accountability
You must be able to demonstrate your compliance with the GDPR.
Having Legal Kitz incorporate the above principles into your privacy policy will ensure that your business is compliant not just in Australia, but also the EU, taking some of the stress out of doing business on the other side of the world.
Legal advice
If you are considering drafting a privacy policy, you should seek legal advice. Legal Kitz business specialists can assist with ensuring that your privacy policy is drafted so that you may avoid disputes from vague terminology or missing essential clauses for the operation of the privacy policy.
Click here to book a FREE consultation with one of our highly experienced solicitors today or contact us at [email protected] or by calling 1300 988 954.
The above information has been collected from relevant government websites and is subject to change. For the latest information regarding new or amended legislation, please refer to state and federal government websites.