What does your Australian small business have to do to comply with the GDPR rules coming into place the 25th May 2018? Here’s a simple explanation of what GDPR is and what you need to do.
This has not been caused by a rash of sudden overwhelming guilt, or the fear of joining Facebook on the front page of local papers due to poor personal data practices. Instead, it has been caused by a thing called the GDPR or General Data Protection Regulation.
What is the GDPR?
The GDPR covers every resident of the EU and is designed to give EU residents greater control over their personal information. This law comes into effect on the 25th May, and while it is designed to cover people in the EU, its consequences are more far-reaching.
So, why should Australian small businesses be worried about what is happening on the other side of the world (and no, we are not simply talking about the Royal Wedding)?
According to the OAIC:
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance
- be able to demonstrate compliance with privacy principles and obligations
- adopt transparent information handling practices.
There are also some notable differences, including certain rights of individuals (such as the ‘right to be forgotten’) which do not have an equivalent right under the Privacy Act.
Who is Covered by the GDPR?
Let’s start by saying I am not a lawyer, and this is not legal advice. This quick summary is merely what I have gleaned over many, many late nights poring over documents, debating with my colleagues in Facebook groups, and watching countless Live Broadcasts & YouTube videos. If you need tailored policies for your business or need legal advice, contact your lawyer.
Let’s start with the bleeding obvious. If you do business in the EU or actively target or sell to people in the EU, congratulations, you must comply with the GDPR in full. This is the time to pull out your phone and call a lawyer who understands the GDPR requirements and book in to see them ASAP.
However, the way the legislation is worded casts the net wider. If you track the data of people in the EU, then you are covered by the GDPR. For most small businesses with Google Analytics or Facebook Pixels installed, or with a mailing list, well, congratulations, you are also covered!
The upshot is that the little corner mechanic in downtown Brisbane that specialises in European cars, and gets a number of visitors from the EU who were not sure where the mechanic was located, now needs to comply with the GDPR.
The electrician with a super helpful blog that gets regular visits from people in the EU looking for advice they can transfer to their own situation now needs to comply with the GDPR.
The local consultant with a handy eBook filled with great checklists, who has a handful of random people from EU countries on their list, now needs to comply with the GDPR.
None of these businesses may have any intention of selling to people in the EU. None may be actively targeting people in the EU, but the internet makes the world very small, so people in the EU found them first.
What Are the Main Things You Need to Do to Comply?
Explaining what is in/out and what you need to do is way beyond the scope of this blog post, but here’s a quick summary.
If you are caught by the GDPR you need to:
- Do a data audit to work out what personal information you collect about people in the EU, whether they are customers, suppliers, employees or candidates. This is not an easy process, although MaAnna over at BlogAid has some great tips to make your GDPR data audit easier.
- Work out how you collect personal information and what you do with it once you have it.
- Work out how you got consent to gather and use this data, and whether your consent process is still valid or needs to be adjusted. (Consent under the GDPR is one of the most hotly debated topics, with a lot of disagreement about what you actually need to do. It will be the subject of a separate, more in-depth blog post once the debate settles down.)
- Get re-consent if your consent process for EU residents did not meet the GDPR standard of consent. You need to re-consent BEFORE the act kicks in on the 25th May 2018.
- Update your opt-in forms to be explicit and super clear about what people are consenting to, and make sure you have explicit consent (e.g. they have to manually tick a box to agree) rather than implicit consent (e.g. the box is pre-ticked). Remember, this agreement has to be separate from any other terms and conditions agreements.
- Update all subscribers on your list about your new or updated policies.
- Notify the relevant authorities of any data breach within 72 hours, and if the breach is likely to adversely affect individuals, notify them as well without delay. This requirement is in addition to the Australian requirements for Mandatory Reporting of Data Breaches.
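An added example (not code from the original post) of how the opt-in, consent-record and re-consent steps above translate into something you can actually check, in JavaScript: it audits a form definition for pre-ticked or bundled consent boxes, keeps a consent record only when the box was explicitly ticked, and flags EU subscribers who need to be asked to re-subscribe. The field names, the policy version string and the sample form are assumptions, not anything from the post.

```javascript
// Added example, not from the original post. Field names (marketingConsent,
// termsAccepted, countryCode), POLICY_VERSION and SAMPLE_FORM are hypothetical.

// EU member states as of May 2018 (ISO 3166-1 alpha-2), used to segment a mailing list.
const EU_2018 = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
  "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB",
]);
const POLICY_VERSION = "2018-05"; // hypothetical identifier of the updated privacy policy

// Constructed sample form definition: the consent box is pre-ticked AND bundled with T&Cs.
const SAMPLE_FORM = [
  { name: "termsAccepted", purpose: "terms", defaultChecked: false },
  { name: "marketingConsent", purpose: "consent", defaultChecked: true, bundledWith: "termsAccepted" },
];

// Audit a form definition before it ships: every consent checkbox must start
// unchecked (explicit opt-in) and must not be bundled with terms and conditions.
function auditOptInForm(fields) {
  const problems = [];
  for (const f of fields) {
    if (f.purpose !== "consent") continue;
    if (f.defaultChecked) problems.push(`${f.name}: pre-ticked box is implicit consent`);
    if (f.bundledWith) problems.push(`${f.name}: consent bundled with ${f.bundledWith}`);
  }
  return problems;
}

// Turn a submission into an auditable consent record. Only a literal true (the
// user ticked the box) counts; "on", "1" or a missing field yields null, no record.
function recordConsent(submission, now = new Date()) {
  if (submission.marketingConsent !== true) return null;
  return {
    email: submission.email,
    purpose: "marketing emails",
    policyVersion: POLICY_VERSION,
    consentedAt: now.toISOString(),
    method: "explicit-checkbox", // what you can show to demonstrate compliance later
  };
}

// Decide who must be asked to re-subscribe: EU subscribers whose existing consent
// was not an explicit tick or was given under a different policy version.
function needsReconsent(subscriber) {
  if (!EU_2018.has(subscriber.countryCode)) return false;
  const c = subscriber.consent;
  return !c || c.method !== "explicit-checkbox" || c.policyVersion !== POLICY_VERSION;
}
```

Non-EU subscribers are deliberately left alone here, matching the hybrid approach of segmenting the list rather than re-consenting everyone.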
Need to go deeper?
Here are a few of the more useful blog posts/handouts that go into more depth about the GDPR and what you need to do to comply.
What should you do about GDPR?
Putting aside the people who definitely must comply, the situation for all the mum and dad businesses is more than 50 shades of grey.
There are a few options here:
- Head in the sand – Ignore it and hope it goes away (Newsflash: It won’t).
- Build a Wall – You could choose to geoblock everyone from the EU from your website using plugins such as Wordfence. This is resource intensive for your hosting and won’t stop a determined EU visitor from scaling your wall.
- Assess Your Risk – You could adopt a risk management strategy and assess how likely it is that someone will complain that you are not GDPR compliant, or that a European data protection agency will knock on your door. If you decide that the risks are low and that your practices comply fully with Australian laws, then you may decide not to bust-a-boiler becoming GDPR compliant.
- Go for Gold – You could choose to see the GDPR as the vanguard of what we will see rolling out across the world in this post-election-fixing world, so get on board and get your processes sorted out now, so you are ready for the future.
- Hybrid – Find a middle ground and do the bits that matter to your business and Australian laws.
I can’t tell you what is right for your business; I can only say what I am doing for my business. I am going with the hybrid strategy.
- I started with a data audit.
- I segmented my mailing lists and have contacted all people in the EU asking them to re-subscribe.
- I am revising my consent processes (some of my third-party providers are dragging their heels on the software needed to make this happen).
- I am telling people on my list about my changed policies.
- I won’t be geoblocking or adding a cookie banner (yet).
Don’t panic if you are not GDPR compliant by May 25th. The world won’t end! Start by doing a risk assessment for your business, and then determine your strategy.