How to Comply with GDPR (UK & EU)

Last updated: 4 March 2024

How to Comply with GDPR – The new General Data Protection Regulation (GDPR) in the European Union (EU) came into effect in May 2018. This new legislation covers personal data collection and the privacy of EU residents.

So why should Australian online businesses care? Because these new regulations will cover you if you do business with EU residents or businesses – or even if you collect email addresses from visitors to your website from the EU!

This guide is not intended to be legal advice and is not a comprehensive checklist to ensure GDPR compliance. However, it will help small and medium-sized Australian online businesses – who may have some EU customers and website visitors – understand better how to meet and comply with the new regulations.

Legal issues covered in this guide

Click on any of the questions below to jump to that section of this legal guide.

If after reading this guide you still have a question, get in touch as we’d love to keep adding your questions to this comprehensive guide.

GDPR Basics

What is GDPR?

GDPR is a set of EU regulations that require businesses to protect the personal data and privacy of EU residents.

GDPR replaces the existing EU and UK law that protects personal data (EU Data Protection Directive 1995 and UK Data Protection Act 1998). These laws were enacted before the age of social media and before the Internet entirely transformed how we work and live. In many ways, the regulations are designed to try and redress the balance of power between consumers and social media/online advertising companies, such as Facebook, Google and Twitter.

A significant change is the expansion of the definition of personal data which now includes information such as:

• Name
• Email address
• Physical address
• Telephone number
• Company name
• Credit card and bank account details
• Tax file numbers
• IP address, GPS location data and RFID tags
• Cookies and data about usage of online services
• Blog comments, support queries and testimonials
• Social media handles
• Date of birth
• Photos and videos
• Medical records, genetic and biometric data
• Sexual orientation, race or ethnicity and political stance
• Employee details and resumes of job applicants

By broadening the definition, GDPR recognizes the vast scope of personal data collection currently and tries to bring it all within the scope of the new rules.

When does GDPR come into force?

GDPR came into effect on 25 May 2018.

Around that date, businesses affected by GDPR contacted their customers and email subscribers to notify them of their updated Privacy Policy and GDPR compliance. Sometimes, they asked their existing email subscribers to re-subscribe to their email lists to show “consent” and compliance with the new GDPR rules.

What effect will GDPR have?

The goal of GDPR is to protect EU residents from the misuse or loss of their personal information. The GDPR legislation does this by specifying the 8 Rights of EU residents that businesses must uphold. EU customers and subscribers can now:

1. Ask what personal data you are collecting and how it is being used (“Right to be Informed”)
2. Unsubscribe from any of your emails at any time (“Right to Object”)
3. Access the personal data you have collected about them (“Right to Access”)
4. Ask you to correct any inaccurate personal data (“Right to Rectification”)
5. Export their personal data in an electronic format (“Right to Data Portability”)
6. Require you to restrict processing of specific types of personal data (“Right to Restrict Processing”)
7. Opt out of having their personal data used for profiling and in automated systems (“Rights in Relation to Data Profiling”), and
8. Ask for their personal data to be deleted (and be provided with an audit trail if requested) and third parties to stop using the data (“Right to be Forgotten”)

It’s too early to see any beneficial effects of GDPR for consumers. But some of the negative impacts on businesses are already being seen:

• Some US newspapers have decided to block EU readers and “gone dark” (e.g. Los Angeles Times, New York Daily News, Chicago Tribune)
• Some online businesses have decided to shut down altogether (e.g. Klout, Verve, Unroll.me)
• Complaints have been lodged against major social media companies with potential lawsuits to come (e.g. Facebook, Instagram, WhatsApp, Google)
• Large corporations and SMEs are voicing complaints about the cost of GDPR compliance

GDPR and Australia

Does GDPR apply to Australian businesses?

GDPR will apply to some Australian businesses. If you meet any of the criteria below you will need to comply with GDPR (or risk fines):

• You collect the email addresses of EU residents
• You sell goods and services to EU residents
• You ship products to EU residents
• You offer goods and services priced in Euros, British Pounds or Swiss Francs
• You market your goods and services in an EU language (other than English)
• You refer to customers from the EU on your website (e.g. in testimonials)
• You have a branch, administrative office or company registered in the EU
• You process the personal data of EU residents (e.g. customer support for EU company)
• You “monitor the behaviour of EU residents” (e.g. track EU residents with cookies for the purposes of profiling, customizing online ads, etc.)

But complying with GDPR only means complying with the EU personal data you collect. Although if you do choose to follow GDPR, then it’s probably easier to do so for ALL personal data you collect – rather than having separate processes for EU residents only.

Australia has discussed the potential of following the EU’s lead and adopting GDPR-like regulations. They are canvassing businesses for implications and reactions and gauging the impact of the GDPR. But time will tell and Australian businesses with no EU nexus are not required to comply with the GDPR.

Doesn’t Brexit mean I don’t have to comply?

The EU adopted the GDPR legislation in April 2016. Since the UK was still a member of the EU on that date, GDPR also applied to the UK. Then on 23 May 2018, in anticipation of Brexit in 2019, the UK enacted their own Data Protection Act 2018 which contains the same regulations as GDPR, with only some minor amendments.

As a result, despite Brexit, if you have UK customers and newsletter subscribers, you must still comply with GDPR rules regarding their personal data.

Need to Comply

Does GDPR apply to apps as well as websites?

Yes, the GDPR rules apply equally to apps and websites. In particular, if you’re an app developer, you should:

• Minimize the amount of personal data you access with your app
• Get consent from your app users to use their personal data
• Use secure communications (e.g. HTTPS) and encrypt all user data
• Update your User Terms and ensure your users have seen them

What are my options for complying with GDPR?

There are broadly 4 different options for dealing with GDPR as an Australian online business. You can choose to:

1. Not complying with GDPR: Dissuade EU visitors and customers from signing up to your newsletters and buying your products or services. You should include a statement to this effect on your website.
2. Update your email marketing processes: Implement absolute best practices regarding email marketing and collecting and using email addresses ethically. You must obtain “active consent” from your EU customers or visitors to collect their personal information and/or send any emails, newsletters, updates or similar. Otherwise, you will need to delete any EU residents’ personal data.
3. Fully comply with GDPR: Be transparent with your visitors and customers about what personal information you collect and how you use it, plus put robust compliance processes and procedures in place to ensure you comply with the regulations when handling personal information.
4. Fully comply with GDPR and appoint a DPO: This option is only required if you collect “sensitive information” on EU residents or collect personal data on a large scale.

What should I do if I don’t want to comply with GDPR?

State that you do not sell or market to EU visitors and customers: You may choose not to do business with EU customers and avoid GDPR compliance requirements. In which case, your website should say so:

• Add a notice on your website with wording such as “We do not offer any of our goods or services to residents of the EU or Switzerland.”
• Remove any mentions of EU customers on your website (e.g. in testimonials)
• Remove any options to buy your products and services in Euros, British Pounds or Swiss Francs
• Remove any options to ship products to the EU and UK
• Remove any EU language (other than English) on your website
• Drop any existing customers that you service in the EU and UK

And, worst case scenario, you could block all website traffic from the EU and UK!

Compliance Requirements

What should I do if I only send email newsletters to EU residents?

If you play “fast and loose” with your email marketing – for example, make it difficult to unsubscribe, don’t tell people you’re going to send them emails or come close to spamming your email lists – then complying with GDPR will have a significant impact on your business. But if you’re an ethical email marketer and already following best practices, the changes you need to make are less onerous.

Update your opt-in forms: GDPR requires “active consent” to use someone’s email address. This means that your opt-in and signup forms should have the following:

1. A clear description of the types of material you will send by email
2. An indication of how often to expect these email communications, and
3. A checkbox that subscribers need to actively tick to show agreement to your Privacy Policy (and possibly also Terms & Conditions) with a link to these notices.

Your opt-in form cannot have a pre-ticked checkbox, which is not considered giving active consent. The website visitor must show “active consent” by ticking the checkbox.

Update all the email opt-in forms you might use in your business, including:

• Newsletters (blog articles, announcements)
• Gated content (ebooks, courses, reports, white papers, webinars)
• Promotions (sales, deals, gifts, offers)
• Products/Services (updates, new, removed)
• Market research (surveys, feedback, ratings, reviews, testimonial requests)
• Partnerships (business deals, partnership opportunities)

You should also have checkboxes for your Privacy Policy and Terms & Conditions when customers are checking out of your shopping cart. Don’t forget, you’re collecting address, telephone, credit card, etc. information at this stage too – and this needs to have “active consent” too.

Keep “consent” records: The GDPR also requires that you keep evidence of consent between you and your subscribers. So begin keeping comprehensive records of how you collect personal data by:

• Tagging each subscriber in your email list with their signup source, and
• Keeping of copy of the signup form (e.g. copy of the underlying code, screenshot)

Check unsubscribe and update links: Confirm that all emails you broadcast include an “Unsubscribe from this list” link and an “Update your subscription preferences” link in the footer. Most email distribution services already include “unsubscribe” links at the bottom of every email by default. But you might have to turn on an option to include the “update” link.

It’s also essential to make sure your marketing automation platform and CRM system are set to sync automatically. If a person on your list unsubscribes and continues receiving emails because of a mismatch between the two, you could get in trouble for not being GDPR compliant.

Reconsider buying email lists and referral deals: Don’t buy email lists that aren’t GDPR compliant. To be GDPR compliant each email subscriber needs to have consented to being marketed to and had their email address sold to a third party.

It may be a good idea to stop using “refer a friend” type promotions, where a customer has to enter the email address of a friend to receive a discount. The person being referred can’t consent to their information being collected and stored, and is, therefore, a violation of GDPR standards.

What should I do to comply with GDPR fully?

If the EU and UK are important markets for your online business, then you need to comply with GDPR fully. In addition to the points above (What should I do if I only send email newsletters to EU residents?) you should consider the following:

Audit your collection and use of personal data: The first step is to review all the ways you collect and process personal data in your online business. Create a spreadsheet with columns showing all the places you collect data and rows showing how you process that data.

Here are some examples of areas where you might collect personal data (spreadsheet columns):

• Email marketing
• Lead capture and quote requests
• Marketing automation (e.g. HubSpot, FullContact)
• Incoming telephone calls
• Sales of products or services
• Processing of credit card payments
• Delivery of physical products
• Setting up an account
• Online surveys or contests
• Blog comments
• Website browsing and serving ads (including cookies)
• Website and business analytics (e.g. Google Analytics)
• Automated error reporting
• Support requests and troubleshooting
• Two-factor authentication
• Job applications, etc.

And here are the details that you need to capture about how you process personal data (spreadsheet rows):

• What personal data is collected (e.g. email address, credit card number)
• What is the personal data used for (e.g. monthly payment for service)
• When being collected is the data secure (e.g. HTTPS)
• Is the personal data required to provide the service (e.g. billing address)
• Is the personal data used for automated decision-making (e.g. credit scoring)
• Can users opt out of this personal data being collected (Y/N)
• How is the data collected (e.g. which opt-in form)
• Is the data stored locally (Y/N)
• Who has access to the data locally (e.g. marketing department)
• Is the data shared with a 3rd party (Y/N and who)
• Is the data scrubbed before sharing (Y/N)
• Does the 3rd party comply with GDPR (Y/N)
• Do you have a Data Processing Agreement with the 3rd party (Y/N)
• Is the data transferred across international borders (Y/N and where)
• Does the foreign country have adequate privacy protections (e.g. EU-US privacy shield)
• When being transferred, is the data secure (e.g. PCI-DSS for credit card processing)
• How long is the personal data held (e.g. 6 mths after service ended)
• Can users access and control their data (e.g. update, export, delete)

Now you have a complete view of all the personal data you collect, use and share. At this stage, it’s a good idea to decide what data you don’t need and minimize the personal data collection. You should also review your data retention periods and decide how long you need or are permitted to keep customer information. There are strict rules around this and they vary depending on the type of information. Then put processes in place to regularly purge your databases of unused or outdated personal data.

You might consider publishing this review of your processes, calling it a “Personal Data Transparency Report” and linking to it from your Privacy Policy. And make sure you keep it up-to-date.

Update your Privacy Policy: Your Privacy Policy needs to be easily understood and fully transparent about what personal information you gather (from website visitors and customers) and how you use it. Your Privacy Policy should cover the following:

• What personal information do you collect and how (including cookies)
• Do you collect personal information from children under 18 years of age
• How you use personal information (including profiling, such as credit scoring)
• How you use anonymized personal information
• How long do you retain personal information
• How you transmit and store personal information and keep it secure
• Can personal information be transferred to other countries
• When you share personal information with third parties
• When you have to disclose personal information to third parties
• What you will do in the event personal information is lost in a data breach
• How visitors and customers can unsubscribe from marketing communications
• How customers can review, update, transfer and delete their personal information
• Disclaimer about links to other websites
• Notification of changes to your Privacy Policy
• Your contact details for questions about your Privacy Policy
• GDPR compliance clauses on how you meet the GDPR requirements
• Contact details for DPO if you have or are required to have one
• Contact details for Complaints and GDPR country contact if you are required to appoint one.

Check your Terms & Conditions too – some businesses will need to change their terms with their customers to match their GDPR requirements.

Notify visitors that you use cookies: Cookies are used for pre-filling in forms, tracking visitor actions, serving personalised ads (e.g. AdWords), conversion tracking and remarketing. The EU already has legislation requiring websites to notify visitors of the use of cookies – you’ll see notification popups like “This website uses cookies. Click to continue.” It is not clear at the moment whether businesses require an opt-out option or simply the right to change the settings in their browser. GDPR does, however, require the right for a customer to be notified how they may opt-out.

Providing a cookie opt-out option has not become mainstream yet, but this could change in the following months. Generally, the wording of cookie notification popups is being updated to read something like this “We use cookies to personalise content and ads, provide social media features and analyse our traffic. We also share information about your website use with our social media, advertising and analytics partners. You consent to our cookies if you continue to use this website.”

In addition, some businesses have chosen to have a specific Cookies Policy, explaining what cookies they use, what third-party cookies they use and what these cookies precisely track. Here is an example.

Send re-engagement emails: You’ll need to get your existing EU subscribers to show “active consent” to receiving emails, newsletters, updates or information from your business. You can do this by sending a “re-engagement” email:

• Explaining you are complying with GDPR
• Telling them the types of emails they can expect to receive from you, and
• Asking them to confirm permission to use their email address

You will definitely lose some of your subscriber list, but that isn’t necessarily a bad thing. The resulting subscriber list will be of higher quality and your email list distribution costs may go down.

Check your data processors comply: To properly comply with GDPR, you must ensure all third parties (e.g. cloud services, software services, subcontractors, etc.) that handle your customers’ data are also GDPR compliant. These third parties should state that they are GDPR compliant and possibly have a Certificate of Compliance. You also need an updated Data Processing Agreement with them that includes various prescribed GDPR clauses.

In addition, ensure that you have adequate protection for any personal data transferred internationally. The GDPR requires that transfers may only be made where the recipient jurisdiction is assessed as “adequate” in terms of data protection. But to date, the EU has not assessed Australia.

Update your Data Processing Agreement: If you are a data processor, you must update your Data Processing Agreement with your EU customers. Your Agreement needs to include various prescribed GDPR clauses, including that you:

• May only process data according to documented instructions from your customer
• Must provide adequate personal data security
• Must provide data breach notifications
• Must assist with any data protection impact assessments, etc.

Implement reasonable data protection measures: You need to be able to demonstrate that you follow generally accepted standards for gathering, storing and protecting personal data. These include:

• Restricting access to authorised individuals only
• Keeping a log of who has access and when
• Using different and complex passwords
• Regularly changing passwords
• Using secure data transmission (e.g. HTTPS)
• Using secure credit card transactions (e.g. PCI-DSS)
• Encrypting user data (e.g. passwords)
• Implementing IP anonymization in Google Analytics
• Regularly purging databases of unused personal data

Have internal Confidentiality Agreements: Within your organisation, employees and subcontractors that have access or are authorised to process personal data should sign a Confidentiality Agreement. This reinforces the importance of personal data confidentiality and how seriously you take the matter.

Develop a security breach response plan: GDPR rules now require that if you have a security breach and personal data is exposed, then you must report the data breach to customers and the relevant supervisory authority within 72 hours. All security breaches also need to be logged in a register. You will need to have effective processes and a documented plan in place to identify, report, manage and resolve data breaches.

Provide the ability to update, transfer and delete data: In addition to allowing newsletter subscribers to update their email addresses, under GDPR you need to be able to give your users and customers the ability to review, update, transfer and delete ALL the personal information you hold on them. You might do this through an online solution, like access to their personal account information that they can update themselves. Or you could choose to do this on a “by request” system, where they contact you by email. In either case, the process needs to be easy and responsive.

What should I do if I collect sensitive data or personal data on a large scale?

If you run a business that collects what is considered “sensitive information” such as:

• Medical or health information
• Genetic or biometric data
• Sexual orientation or sex life information
• Racial or ethnic origin
• Religious or philosophical beliefs
• Political opinions or trade union membership
• Criminal convictions and offences

Then the GDPR requires additional compliance processes and procedures to be implemented to ensure a higher level of data privacy and security. You also have the same obligation if you collect personal data from EU residents on a large scale (e.g. bank with EU customers).

In addition to the points above (What should I do if I only send email newsletters to EU residents? What should I do to comply with GDPR fully?) you should consider the following:

Nominate a Data Protection Officer (DPO): Your DPO is responsible for monitoring compliance with GDPR, training staff and management and ensuring a positive culture of respect for personal information across the business. The contact details of your DPO need to be listed in your Privacy Policy and communicated to your country’s supervisory authority. In addition, your DPO will need to undertake a “data protection impact assessment” to ensure high-risk personal information is kept secure and data breaches are avoided.

What is Legal123 doing to help its customers comply with GDPR?

Legal123 has updated its Privacy Policy template to be easier to read and more “internationally friendly”. Existing customers have been given this template for free as part of our “free updates so you don’t worry about legislation changes” policy.

For businesses that collect EU and UK resident emails and must comply with GDPR, we now offer additional GDPR clauses that you can append to your Privacy Policy. In addition, we include an information PDF to make sure you’re aware of the changes you need to make in your business to comply – just updating your Privacy Policy is not enough!

Click this link to purchase the GDPR Privacy Policy Clauses.

For customers who need to comply with GDPR fully and have businesses that need to meet more stringent requirements – for example, collect sensitive personal information, offer hosting services to EU clients, etc. – we offer a GDPR review service with advice on how to comply. Contact us for more information.

We hope you found this legal guide on How to Comply with GDPR helpful.

About the Author: Vanessa Emilio

Vanessa Emilio (BA Hons, LLB, ACIS, AGIA) is the Founder and CEO of Legal123.com.au and Practice Director of Legal123 Pty Ltd. Vanessa is a qualified Australian lawyer with 20+ years experience in corporate, banking and trust law. Click for full bio of Vanessa Emilio or follow on LinkedIn.

Disclaimer: We hope you found this article helpful, but please be aware that any information, comments or recommendations are general in nature, do not constitute legal advice and may not be suitable for your specific circumstances. Whilst we try our best to ensure that the information is accurate, sometimes there may be errors or new information that has yet to be included. Any decisions you take based on information on this website are made at your own risk and we cannot be held liable for any losses you suffer. Contact us directly before relying on any of this information.