Data collection and analysis is now vital to the success of many Australian businesses. Along with the benefits that come from unlocking the data available through the various digital portals used by businesses to collect customer information, there is also an increasing awareness of the responsibility to protect that data.
The need to protect customer data has been very much at the forefront of the European Union’s new General Data Protection Regulation (GDPR) laws, which will come into effect on May 25. The EU has been very active in trying to especially curb the access giants like Facebook and Google have to user data. These are the big players targeted by the laws, but smaller businesses will also need to comply.
So why do Australian businesses need to worry about EU data regulations?
Because in a world where global commerce is becoming the norm, many Australian businesses are engaging with customers in the EU. That means these businesses need to be across the new regulations.
The Australian Computer Society’s Information Age reported on a survey carried out by business software company Sage that found around 84% of the 324 businesses surveyed “were not very familiar with GDPR or had not heard of it at all, while 82% did not understand what the changes meant for their business”.
Executive vice president for Sage Asia Pacific, Kerry Agiasotis, told Information Age many businesses probably assumed because the laws have been drafted by the EU they would not apply to businesses outside of the EU. But the law is about protecting European residents, which means anyone doing business with customers in the EU has to comply with the law.
“Any business that has information about a EU person that can be identified uniquely falls under this legislation. And that’s what is concerning,” Agiasotis says.
“This could include an IP address. If you had the combination of a name, an IP address and related it to an individual who surfed your website, you would fall under the requirements of this legislation.”
The Australian Government’s Office of the Australian Information Commissioner reiterates the need for Australian businesses that do business in Europe or with European customers to be aware of the new laws and preparing for compliance.
“Australian businesses with customers in the EU, or that operate in the EU, should confirm whether they are covered by the GDPR, and if so, take steps to ensure compliance by May 2018,” the OAIC advises.
The OAIC advisory says many Australian businesses will already be complying with the EU laws by virtue of the fact they should also be complying with the Australian Privacy Act’s Australian Privacy Principles.
However, while there is overlap between the requirements of the Australian and EU laws, there are also significant differences. The GDPR is far broader in its remit than the Australian laws: “The GDPR makes clear that a wide range of identifiers can be ‘personal data’ including a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
For a complete rundown on GDPR compliance requirements for Australian businesses, head to the Office of the Australian Information Commissioner website.