You’ve probably already heard about GDPR (General Data Protection Regulation), but do you know how it affects your business?
This comprehensive set of regulations protects the data of individuals living in the European Union and applies to any business that might hold that data – even ones outside the EU. If you store or use personal data relating to individuals in the EU this legislation applies to you.
GDPR shares many features with the Australian Privacy Act (1988), but it goes further, and it would be a mistake to assume compliance without reviewing and checking to see if you need to take additional steps.
This legislation covers any data you hold that relates to an identifiable person (from the EU). This includes personal data such as name, address, email address, and location data. GDPR also includes additional rules for sensitive data, which includes race, religious beliefs, health, and sexual orientation.
If GDPR does apply to you it is important you act now: GDPR came into effect in May 2018, and there are potentially hefty fines for businesses that aren’t compliant.
How Do I Know If GDPR Affects My Business?
You may need to comply if:
- You target EU customers online – For example, you might sell in Euros, or provide alternative European language options such as French or German on your website.
- You monitor EU citizens online – For example, you track user behaviour online in such a way that you can identify them from the information you hold, or you target your advertising at certain individuals.
- Your customers are EU businesses – Not only do these businesses have to meet GDPR requirements, but they may also be liable if businesses they work with fail to comply. Setting your business up for GDPR may be important for current or future contracts for your business.
How Does GDPR Affect My Business?
Under GDPR, you must have a lawful reason for holding an individual’s data. GDPR identifies six legal reasons for holding or using this information:
- Consent – the individual has given you consent to use their data.
- Contract – it is necessary to hold or use the data to fulfill a contract with that individual.
- Legal Obligation – you are legally obliged to hold the data.
- Protection – holding the data is necessary to protect lives.
- Public Interest – it is in the public interest to hold or use the data.
- Legitimate Interest – it is necessary for the legitimate interests of your business.
Even if you do have a legal reason to hold someone’s data, you must still only use it for the specific purpose for which it is stored. You shouldn’t keep it longer than you need, and you must take steps to keep it safe and up-to-date.
The users whose data you hold also have rights, which may affect your business. They have a right to be informed that you hold their data, a right to access the data you hold on them, and in some cases can insist that you erase that data.
There’s a lot more to it than just that, of course – these are only the basics!
Your Next Steps
Your first and most important step is to establish if you need to comply with GDPR. If you aren’t sure, consult a professional. If you do need to meet GDPR’s requirements, you may have to make several changes. You may need to:
- Audit the data you hold, including deleting any information you don’t need (always a good idea).
- Review how you collect and use data to ensure compliance.
- Check that any third-parties you deal with are compliant; you may need to update your contracts with them.
Call us today on 1800 355 455 or contact us online.