How to Comply with GDPR (or Not)

Last updated: 31 August 2021

The new General Data Protection Regulation (GDPR) in the European Union (EU) came into effect in May 2018. This new legislation covers personal data collection and the privacy of EU residents.

So why should Australian online businesses care? Because these new regulations will cover you if you do business with EU residents or businesses – or even if you collect email addresses from visitors to your website from the EU!

This guide is not intended to be legal advice and is not a comprehensive checklist to ensure GDPR compliance. However, it will help small and medium sized Australian online businesses – who may have some EU customers and website visitors – understand better how to meet and comply with the new regulations.


If after reading this guide you still have a question, get in touch as we’d love to keep adding your questions to this comprehensive guide.

GDPR Basics

What is GDPR?

GDPR is a set of EU regulations that require businesses to protect the personal data and privacy of EU residents.

GDPR replaces the existing EU and UK law that protects personal data (EU Data Protection Directive 1995 and UK Data Protection Act 1998). These laws were enacted before the age of social media and before the Internet fully transformed the way we work and live. In many ways, the regulations are designed to try and redress the balance of power between consumers and social media/online advertising companies, such as Facebook, Google and Twitter.

An important change is the expansion of the definition of personal data which now includes information such as:

  • Name
  • Email address
  • Physical address
  • Telephone number
  • Company name
  • Credit card and bank account details
  • Tax file numbers
  • IP address, GPS location data and RFID tags
  • Cookies and data about usage of online services
  • Blog comments, support queries and testimonials
  • Social media handles
  • Date of birth
  • Photos and videos
  • Medical records, genetic and biometric data
  • Sexual orientation, race or ethnicity and political stance
  • Employee details and resumes of job applicants

By broadening the definition, GDPR recognizes the huge scope of personal data collection that currently exists and tries to bring it all within the scope of the new rules.

When does GDPR come into force?

GDPR came into effect on 25 May 2018.

Around that date, businesses that were affected by GDPR contacted their customers and email subscribers to notify them of their updated Privacy Policies and GDPR compliance. In some cases they also asked their existing email subscribers to re-subscribe to their email lists, in order to show “consent” and compliance with the new GDPR rules.

What effect will GDPR have?

The goal of GDPR is to protect EU residents from the misuse or loss of their personal information. The GDPR legislation does this by specifying the 8 Rights of EU residents that businesses must uphold. EU customers and subscribers can now:

  1. Ask what personal data you are collecting and how it is being used (“Right to be Informed”)
  2. Unsubscribe from any of your emails at any time (“Right to Object”)
  3. Access the personal data you have collected about them (“Right to Access”)
  4. Ask you to correct any inaccurate personal data (“Right to Rectification”)
  5. Export their personal data in an electronic format (“Right to Data Portability”)
  6. Require you to restrict processing of specific types of personal data (“Right to Restrict Processing”)
  7. Opt out of having their personal data used for profiling and in automated systems (“Rights in Relation to Data Profiling”), and
  8. Ask for their personal data to be deleted (and be provided with an audit trail if requested) and third parties to stop using the data (“Right to be Forgotten”)

It’s too early to see any beneficial effects of GDPR for consumers. But some of the negative impacts on businesses are already being seen:

GDPR Update July 2019 – Huge Fines Issued

The UK’s GDPR watchdog, the ICO (Information Commissioner’s Office), has issued huge fines to British Airways and Marriott Hotels for data breaches.

British Airways has been fined £183m (approx. 1.5% of worldwide revenue) for a breach of credit card information, names, addresses, travel booking details and logins of approx. 500,000 customers in 2018. Marriott has been fined £99m for a breach of 383 million guest records and 5 million passport details between 2014 and 2018.

British Airways and Marriott will no doubt appeal and the final fines could be reduced. However, the message is clear – businesses need to take data protection seriously and do everything they can not to be hacked.

GDPR and Australia

Does GDPR apply to Australian businesses?

GDPR will apply to some Australian businesses. If you meet any of the criteria below you will need to comply with GDPR (or risk fines):

  • You collect the email addresses of EU residents
  • You sell goods and services to EU residents
  • You ship products to EU residents
  • You offer goods and services priced in Euros, British Pounds or Swiss Francs
  • You market your goods and services in an EU language (other than English)
  • You refer to customers from the EU on your website (e.g. in testimonials)
  • You have a branch, administrative office or company registered in the EU
  • You process personal data of EU residents (e.g. customer support for EU company)
  • You “monitor the behaviour of EU residents” (e.g. track EU residents with cookies for the purposes of profiling, customizing online ads, etc.)

But complying with GDPR only means complying for the EU personal data that you collect. Although if you do choose to follow GDPR then it’s probably easier to do so for ALL personal data you collect – rather than having separate processes for EU residents only.

Australia has discussed the potential of following the EU’s lead and adopting GDPR-like regulations. They are canvassing businesses for implications and reactions as well as gauging the impact of the GDPR. But time will tell and Australian businesses that have no EU nexus are not required to comply with the GDPR.

Doesn’t Brexit mean I don’t have to comply?

The EU adopted the GDPR legislation in April 2016. Since the UK was still a member of the EU on that date, GDPR also applied to the UK. Then on 23 May 2018, in anticipation of Brexit in 2019, the UK enacted their own Data Protection Act 2018 which contains the same regulations as GDPR, with only some minor amendments.

As a result, despite Brexit, if you have UK customers and newsletter subscribers you are still required to comply with GDPR rules regarding their personal data.

Need to Comply

Does GDPR apply to apps as well as websites?

Yes, the GDPR rules apply equally to apps and websites. In particular, if you’re an app developer, you should:

  • Minimize the amount of personal data you access with your app
  • Get consent from your app users to use their personal data
  • Use secure communications (e.g. HTTPS) and encrypt all user data
  • Update your User Terms and ensure your users have seen them

What are my options for complying with GDPR?

There are broadly 4 different options for dealing with GDPR as an Australian online business. You can choose to:

  1. Not comply with GDPR: Dissuade EU visitors and customers from signing up to your newsletters and buying your products or services. You should include a statement to this effect on your website.
  2. Update your email marketing processes: Implement absolute best practice when it comes to email marketing and collecting and using email addresses ethically. You will need to obtain “active consent” from your EU customers or visitors to be able to collect their personal information and/or send any emails, newsletters, updates or similar. Otherwise you will need to delete any EU residents’ personal data.
  3. Fully comply with GDPR: Be transparent with your visitors and customers about what personal information you collect and how you use it, plus put robust compliance processes and procedures in place to ensure you comply with the regulations when handling personal information.
  4. Fully comply with GDPR and appoint a DPO: This option is only required if you collect “sensitive information” on EU residents or collect personal data on a large scale.

What should I do if I don’t want to comply with GDPR?

State that you do not sell or market to EU visitors and customers: You may choose not to do business with EU customers and avoid GDPR compliance requirements. In which case, your website should say so:

  • Add a notice on your website, with wording such as “We do not offer any of our goods or services to residents of the EU or Switzerland.”
  • Remove any mentions of EU customers on your website (e.g. in testimonials)
  • Remove any options to buy your products and services in Euros, British Pounds or Swiss Francs
  • Remove any options to ship products to the EU and UK
  • Remove any EU language (other than English) on your website
  • Drop any existing customers that you service in the EU and UK

And, worst case scenario, you could block all website traffic from the EU and UK!

Compliance Requirements

What should I do if I only send email newsletters to EU residents?

If you play “fast and loose” with your email marketing – for example, make it difficult to unsubscribe, don’t really tell people you’re going to send them emails or come close to spamming your email lists – then complying with GDPR will have a big impact on your business. But if you’re an ethical email marketer and already following best practice, then the changes you need to make are less onerous.

Update your opt-in forms: GDPR now requires “active consent” to use someone’s email address. This means that your opt-in and signup forms should have:

  1. A clear description of the types of material you will send by email
  2. An indication of how often to expect these email communications, and
  3. A checkbox that subscribers need to actively tick to show agreement to your Privacy Policy (and possibly also Terms & Conditions) with a link to these notices.

Your opt-in form cannot have a pre-ticked checkbox, as this is not considered giving active consent. The website visitor must show “active consent” by ticking the checkbox themselves.

Update all the email opt-in forms you might use in your business, including:

  • Newsletters (blog articles, announcements)
  • Gated content (ebooks, courses, reports, white papers, webinars)
  • Promotions (sales, deals, gifts, offers)
  • Products/Services (updates, new, removed)
  • Market research (surveys, feedback, ratings, reviews, testimonial requests)
  • Partnerships (business deals, partnership opportunities)

You should also have checkboxes for your Privacy Policy and Terms & Conditions when customers are checking out of your shopping cart. Don’t forget, you’re collecting address, telephone, credit card, etc. information at this stage too – and this needs to have “active consent” too.

Keep “consent” records: The GDPR also requires that you can evidence the nature of consent between you and your subscribers. So begin keeping comprehensive records of how you collect personal data by:

  • Tagging each subscriber in your email list with their signup source, and
  • Keeping a copy of the signup form (e.g. copy of the underlying code, screenshot)
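The opt-in requirements above (no pre-ticked box, a link to the Privacy Policy) and the consent records (signup source, copy of the form) translate into a small amount of server-side logic. The following is an added example, not code from the original guide or from Legal123: a handler that accepts a form submission only when the consent checkbox was actively ticked, then writes a consent record carrying the signup source, the Privacy Policy version and a hash of the exact form wording shown. The form HTML, field names and sample submissions are constructed for illustration.

```python
"""Consent capture with active-consent validation and a consent record.

Added example, not part of the original guide. The form field names,
the form HTML and the sample submissions are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed copy of the opt-in form, i.e. the "copy of the signup form"
# the guide says to keep. Its hash is stored with each consent record so
# you can show which wording the subscriber agreed to. Note: no "checked"
# attribute on the checkbox.
SIGNUP_FORM_HTML = """
<form id="newsletter-signup" method="post">
  <p>We send a monthly newsletter with blog articles and announcements.</p>
  <input type="email" name="email" required>
  <label>
    <input type="checkbox" name="consent" value="yes">
    I agree to the <a href="/privacy">Privacy Policy</a>
  </label>
  <button type="submit">Subscribe</button>
</form>
"""


class ConsentError(ValueError):
    """Raised when a submission does not show active consent."""


@dataclass
class ConsentRecord:
    email: str
    source: str          # which form the address came from (subscriber tag)
    form_hash: str       # SHA-256 of the form wording shown at signup
    policy_version: str  # Privacy Policy version linked from the form
    consented_at: str    # UTC timestamp, ISO 8601


def form_fingerprint(form_html: str) -> str:
    """Hash of the form wording, stored instead of the whole HTML per record."""
    return hashlib.sha256(form_html.encode("utf-8")).hexdigest()


def record_consent(submission: dict, source: str, policy_version: str,
                   form_html: str = SIGNUP_FORM_HTML) -> ConsentRecord:
    """Accept a form submission only if the consent box was actively ticked.

    An unticked checkbox is simply absent from a browser POST, so a missing
    field means no consent. Any value other than the form's own "yes" is
    also refused, so a pre-filled default or a tampered value cannot pass
    as agreement.
    """
    email = (submission.get("email") or "").strip().lower()
    if "@" not in email:
        raise ConsentError("no usable email address")
    if submission.get("consent") != "yes":
        raise ConsentError("Privacy Policy checkbox not ticked")
    return ConsentRecord(
        email=email,
        source=source,
        form_hash=form_fingerprint(form_html),
        policy_version=policy_version,
        consented_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
    )


def consent_log_line(record: ConsentRecord) -> str:
    """Serialise a record as one JSON line for an append-only consent log."""
    return json.dumps(asdict(record), sort_keys=True)


if __name__ == "__main__":
    ticked = {"email": "Jane@Example.org", "consent": "yes"}
    print(consent_log_line(record_consent(ticked, "newsletter-signup", "2021-08")))
    try:
        record_consent({"email": "jane@example.org"}, "newsletter-signup", "2021-08")
    except ConsentError as exc:
        print("rejected:", exc)
```

The consent log is append-only by design: when a subscriber later asks what they agreed to, the record's `source`, `policy_version` and `form_hash` point at the exact form and policy text, which is the evidence of consent the guide describes.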

Check unsubscribe and update links: Confirm that all emails you broadcast include both an “Unsubscribe from this list” link and an “Update your subscription preferences” link in the footer. Most email distribution services already include “unsubscribe” links at the bottom of every email by default. But you might have to turn on an option to include the “update” link.

It’s also important to make sure your marketing automation platform and CRM system are set to sync automatically. If a person on your list unsubscribes and continues receiving emails because of a mismatch between the two, you could get in trouble for not being GDPR compliant.

Reconsider buying email lists and referral deals: Don’t buy email lists that aren’t GDPR compliant. To be GDPR compliant, each email subscriber needs to have consented to being marketed to and to having their email address sold to a third party.

It may be a good idea to stop using “refer a friend” type promotions, where a customer has to enter the email address of a friend to receive a discount. The person being referred can’t clearly give consent to their information being collected and stored, which is therefore a violation of GDPR standards.

What should I do to fully comply with GDPR?

If the EU and UK are important markets for your online business then you need to fully comply with GDPR. In addition to the points above (What should I do if I only send email newsletters to EU residents?) you should consider the following:

Audit your collection and use of personal data: The first step is to review all the ways you collect and process personal data in your online business. Create a spreadsheet with columns showing all the places you collect data and rows showing how you process that data.

Here are some examples of areas where you might collect personal data (spreadsheet columns):

  • Email marketing
  • Lead capture and quote requests
  • Marketing automation (e.g. HubSpot, FullContact)
  • Incoming telephone calls
  • Sales of products or services
  • Processing of credit card payments
  • Delivery of physical products
  • Setting up an account
  • Online surveys or contests
  • Blog comments
  • Website browsing and serving ads (including cookies)
  • Website and business analytics (e.g. Google Analytics)
  • Automated error reporting
  • Support requests and troubleshooting
  • Two-factor authentication
  • Job applications, etc.

And here are the details that you need to capture about how you process personal data (spreadsheet rows):

  • What personal data is collected (e.g. email address, credit card number)
  • What is the personal data used for (e.g. monthly payment for service)
  • Is the data secure while being collected (e.g. HTTPS)
  • Is the personal data required to provide the service (e.g. billing address)
  • Is the personal data used for automated decision making (e.g. credit scoring)
  • Can users opt-out of this personal data being collected (Y/N)
  • How is the data collected (e.g. which opt-in form)
  • Is the data stored locally (Y/N)
  • Who has access to the data locally (e.g. marketing department)
  • Is the data shared with a 3rd party (Y/N and who)
  • Is the data scrubbed before sharing (Y/N)
  • Does the 3rd party comply with GDPR (Y/N)
  • Do you have a Data Processing Agreement with the 3rd party (Y/N)
  • Is the data transferred across international borders (Y/N and where)
  • Does the foreign country have adequate privacy protections (e.g. EU-US privacy shield)
  • When being transferred, is the data secure (e.g. PCI-DSS for credit card processing)
  • How long is the personal data held (e.g. 6 mths after service ended)
  • Can users access and control their data (e.g. update, export, delete)

Now you have a complete view of all the personal data you collect, use and share. At this stage it’s a good idea to decide what data you don’t need and minimize the personal data collection. You should also review your data retention periods and decide how long you need or are permitted to keep customer information. There are strict rules around this and they vary depending on the type of information. Then put processes in place to regularly purge your databases of unused or outdated personal data.

You might consider publishing this review of your processes, calling it a “Personal Data Transparency Report” and linking to it from your Privacy Policy. And make sure you keep it up-to-date.

Update your Privacy Policy: Your Privacy Policy needs to be easily understood and fully transparent about what personal information you gather (from website visitors and customers) and how you use it. Your Privacy Policy should cover:

  • What personal information you collect and how (including cookies)
  • Do you collect personal information from children under 18 years of age
  • How you use personal information (including profiling, such as credit scoring)
  • How you use anonymized personal information
  • How long you retain personal information
  • How you transmit and store personal information and keep it secure
  • Can personal information be transferred to other countries
  • When you share personal information with third parties
  • When you have to disclose personal information to third parties
  • What you will do in the event personal information is lost in a data breach
  • How visitors and customers can unsubscribe from marketing communications
  • How customers can review, update, transfer and delete their personal information
  • Disclaimer about links to other websites
  • Notification of changes to your Privacy Policy
  • Your contact details for questions about your Privacy Policy
  • GDPR compliance clauses on how you meet the GDPR requirements
  • Contact details for DPO if you have or are required to have one
  • Contact details for Complaints and GDPR country contact if you are required to appoint one.

Check your Terms & Conditions too – some businesses will need to change their terms with their customers to match their GDPR requirements.

Notify visitors that you use cookies: Cookies are used for pre-filling in forms, tracking visitor actions, serving personalised ads (e.g. AdWords), conversion tracking and remarketing. The EU already has legislation requiring websites to notify visitors of the use of cookies – you’ll see notification popups like “This website uses cookies. Click to continue.” It is not clear at the moment whether businesses require an opt-out option or simply the right to change the settings in their browser. GDPR does, however, require the right for a customer to be notified how they may opt out.

Providing a cookie opt-out option has not become mainstream yet, but this could change in the following months. Generally, the wording of cookie notification popups is being updated to read something like this: “We use cookies to personalise content and ads, provide social media features and to analyse our traffic. We also share information about your use of our website with our social media, advertising and analytics partners. You consent to our cookies if you continue to use this website.”

In addition, some businesses have chosen to have a specific Cookies Policy, explaining what cookies they use, what third party cookies they use and what these cookies specifically track.

Send re-engagement emails: You’ll need to get your existing EU subscribers to show “active consent” to receiving emails, newsletters, updates or information from your business. You can do this by sending a “re-engagement” email:

  • Explaining you are complying with GDPR
  • Telling them the types of email they can expect to receive from you, and
  • Asking them to confirm permission to use their email address

You will definitely lose some of your subscriber list, but that isn’t necessarily a bad thing. The resulting subscriber list will be of higher quality and your email list distribution costs may go down.

Check your data processors comply: To properly comply with GDPR, you must ensure all third parties (e.g. cloud services, software services, subcontractors, etc.) that handle your customers’ data are also GDPR compliant. These third parties should state that they are GDPR compliant and possibly have a Certificate of Compliance. You also need an updated Data Processing Agreement with them that includes various prescribed GDPR clauses.

In addition, ensure that you have adequate protection for any personal data transferred internationally. The GDPR requires that transfers may only be made where the recipient jurisdiction is assessed as “adequate” in terms of data protection. But to date, the EU has not assessed Australia.

Update your Data Processing Agreement: If you are a data processor, then you need to update your Data Processing Agreement with your EU customers. Your Agreement needs to include various prescribed GDPR clauses, including that you:

  • May only process data according to documented instructions from your customer
  • Must provide adequate personal data security
  • Must provide data breach notifications
  • Must assist with any data protection impact assessments, etc.

Implement reasonable data protection measures: You need to be able to demonstrate that you follow generally accepted standards for gathering, storing and protecting personal data. These include:

  • Restricting access to authorised individuals only
  • Keeping a log of who has access and when
  • Using different and complex passwords
  • Regularly changing passwords
  • Using secure data transmission (e.g. HTTPS)
  • Using secure credit card transactions (e.g. PCI-DSS)
  • Encrypting user data (e.g. passwords)
  • Implementing IP anonymization in Google Analytics
  • Regularly purging databases of unused personal data
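Two of the measures above can be shown concretely: IP anonymization of the kind the Google Analytics anonymize_ip setting applies (the last octet of an IPv4 address and the last 80 bits of an IPv6 address are zeroed before the address is stored), and restricting access to authorised individuals while keeping a log of who read what and when. The code below is an added example, not from the original guide or from Legal123; the role table, customer records and sample addresses are constructed. One caveat on the “encrypting user data (e.g. passwords)” point: passwords are in practice stored as salted, slow hashes rather than reversibly encrypted, so a database copy does not yield the passwords themselves.

```python
"""IP anonymisation and an access-logged, role-gated record store.

Added example, not from the original guide. The role table, the customer
records and the sample addresses are constructed.
"""
import ipaddress
from datetime import datetime, timezone


def anonymise_ip(ip: str) -> str:
    """Truncate an address before it is stored or forwarded to analytics.

    Mirrors what the Google Analytics anonymize_ip option does: the last
    octet of an IPv4 address and the last 80 bits of an IPv6 address are
    zeroed, so the stored value no longer points at a single device.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        masked = int(addr) & ~0xFF
    else:
        masked = int(addr) & ~((1 << 80) - 1)
    return str(ipaddress.ip_address(masked))


# Constructed access-control table: role -> fields that role may read.
PERMITTED_FIELDS = {
    "marketing": {"email"},
    "billing": {"email", "billing_address", "card_last4"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for fields it is not authorised to read."""


class CustomerStore:
    """Personal-data store that serves only authorised roles and logs reads."""

    def __init__(self, records: dict):
        self._records = records
        self.access_log: list = []  # one entry per read attempt, granted or not

    def read(self, user: str, role: str, customer_id: str, fields: set) -> dict:
        allowed = PERMITTED_FIELDS.get(role, set())
        if not fields <= allowed:
            # Denied attempts are logged too; they are what an audit wants to see.
            self._log(user, customer_id, fields, granted=False)
            raise AccessDenied(f"{role} may not read {sorted(fields - allowed)}")
        self._log(user, customer_id, fields, granted=True)
        rec = self._records[customer_id]
        return {f: rec[f] for f in fields}

    def _log(self, user: str, customer_id: str, fields: set, granted: bool) -> None:
        self.access_log.append({
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "customer": customer_id,
            "fields": sorted(fields),
            "granted": granted,
        })


if __name__ == "__main__":
    print(anonymise_ip("203.0.113.77"))                 # 203.0.113.0
    print(anonymise_ip("2001:db8:85a3::8a2e:370:7334"))  # 2001:db8:85a3::
    store = CustomerStore({
        "c1": {"email": "jane@example.org",
               "billing_address": "1 Example St, Perth",
               "card_last4": "4242"},
    })
    print(store.read("alice", "marketing", "c1", {"email"}))
    try:
        store.read("alice", "marketing", "c1", {"card_last4"})
    except AccessDenied as exc:
        print("denied:", exc)
    print(len(store.access_log), "access-log entries")
```

The access log records the user, the customer, the fields requested and whether the read was granted, which is the “who has access and when” record the list asks for; denied reads are kept because a pattern of refusals is usually the first sign of a misconfigured role or a misused account.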

Have internal Confidentiality Agreements: Within your organisation, employees and subcontractors that have access or are authorised to process personal data should sign a Confidentiality Agreement. This is to reinforce the importance of personal data confidentiality and how seriously you take the matter.

Develop a security breach response plan: GDPR rules now require that if you have a security breach and personal data is exposed, then you must report the data breach to customers and to the relevant supervisory authority within 72 hours. All security breaches also need to be logged in a register. You will need to have effective processes and a documented plan in place to identify, report, manage and resolve data breaches.

Provide ability to update, transfer and delete data: In addition to allowing newsletter subscribers to update their email addresses, under GDPR you need to be able to give your users and customers the ability to review, update, transfer and delete ALL the personal information you hold on them. You might choose to do this through an online solution, like access to their personal account information that they can update themselves. Or you could choose to do this on a “by request” system, where they contact you by email. In either case, the process needs to be easy and responsive.
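Whether the requests come through a self-service account page or by email, the operations behind them are the same: produce an export, correct a field, restrict a purpose, or erase the record and hand back an audit trail (the “Right to be Forgotten” point above also mentions telling third parties to stop using the data). The following handler is an added example, not code from the original guide or from Legal123; the record layout, the audit-trail format and the sample customer are constructed.

```python
"""Handling data-subject requests against one customer record: access and
portability (export), rectification, restriction of processing, and erasure
with an audit trail.

Added example, not from the original guide. The record layout, the
audit-trail format and the sample customer are constructed.
"""
import json
from datetime import datetime, timezone


class SubjectRightsHandler:
    def __init__(self, records: dict):
        self._records = records          # customer_id -> dict of personal data
        self._restricted: dict = {}      # customer_id -> set of restricted purposes
        self.audit_trail: list = []      # one entry per request handled

    def _audit(self, customer_id: str, action: str, detail: str) -> None:
        self.audit_trail.append({
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "customer": customer_id,
            "action": action,
            "detail": detail,
        })

    def holds(self, customer_id: str) -> bool:
        return customer_id in self._records

    def export(self, customer_id: str) -> str:
        """Right to Access / Data Portability: a machine-readable copy."""
        data = self._records[customer_id]
        self._audit(customer_id, "export", f"{len(data)} fields")
        return json.dumps(data, sort_keys=True, indent=2)

    def rectify(self, customer_id: str, field: str, new_value: str) -> None:
        """Right to Rectification: correct one field, keeping the old value in the trail."""
        rec = self._records[customer_id]
        if field not in rec:
            raise KeyError(field)
        old = rec[field]
        rec[field] = new_value
        self._audit(customer_id, "rectify", f"{field}: {old!r} -> {new_value!r}")

    def restrict(self, customer_id: str, purpose: str) -> None:
        """Right to Restrict Processing: block one purpose (e.g. profiling)."""
        self._restricted.setdefault(customer_id, set()).add(purpose)
        self._audit(customer_id, "restrict", purpose)

    def may_process(self, customer_id: str, purpose: str) -> bool:
        """Check before any processing job touches the record."""
        return purpose not in self._restricted.get(customer_id, set())

    def erase(self, customer_id: str, processors: list) -> dict:
        """Right to be Forgotten: delete the record and return the audit trail
        the subject may ask for. Each third-party processor that must be told
        to stop using the data is recorded, so that step is not forgotten."""
        del self._records[customer_id]
        self._audit(customer_id, "erase", "record deleted")
        for name in processors:
            self._audit(customer_id, "notify-processor", name)
        return {
            "customer": customer_id,
            "trail": [e for e in self.audit_trail if e["customer"] == customer_id],
        }


if __name__ == "__main__":
    handler = SubjectRightsHandler({"c1": {"email": "jane@example.org", "city": "Perth"}})
    print(handler.export("c1"))
    handler.rectify("c1", "city", "Hobart")
    handler.restrict("c1", "profiling")
    print("profiling allowed:", handler.may_process("c1", "profiling"))
    print(json.dumps(handler.erase("c1", ["mailer-x"]), indent=2))
```

A real deployment would persist the audit trail separately from the customer records, so that erasing a record does not also erase the evidence that the request was honoured.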

What should I do if I collect sensitive data or personal data on a large scale?

If you run a business that collects what is considered “sensitive information” such as:

  • Medical or health information
  • Genetic or biometric data
  • Sexual orientation or sex life information
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Political opinions or trade union membership
  • Criminal convictions and offences

Then the GDPR requires additional compliance processes and procedures to be put in place to ensure a higher level of data privacy and security. You also have the same obligation if you collect personal data from EU residents on a large scale (e.g. bank with EU customers).

In addition to the points above (What should I do if I only send email newsletters to EU residents? What should I do to fully comply with GDPR?) you should consider the following:

Nominate a Data Protection Officer (DPO): Your DPO is responsible for monitoring compliance with GDPR, training staff and management and ensuring there is a positive culture of respect for personal information across the business. The contact details of your DPO need to be listed in your Privacy Policy and communicated to your country supervisory authority. In addition, your DPO will need to undertake a “data protection impact assessment” to ensure high risk personal information is kept secure and data breaches are avoided.

What is Legal123 doing to help their customers comply with GDPR?

Legal123 has updated their Privacy Policy template to be easier to read and more “internationally friendly”. Existing customers have been given this template for free, as part of our “free updates so you don’t worry about legislation changes” policy.

For businesses that collect EU and UK resident emails and need to comply with GDPR, we now offer additional GDPR clauses that you can append to your Privacy Policy. In addition, we include an information PDF to make sure you’re aware of the changes you need to make in your business in order to comply – just updating your Privacy Policy is not enough!

Click this link to purchase the Privacy Policy GDPR Clauses.

For customers who need to fully comply with GDPR and have businesses that need to meet more stringent requirements – for example, collect sensitive personal information, offer hosting services to EU clients, etc. – we offer a GDPR review service with advice on how to comply. Contact us for more information.

We hope you found this legal guide on How to Comply with GDPR helpful.

About Vanessa Emilio

Vanessa Emilio (BA Hons, LLB, ACIS, AGIA) is the Founder and CEO of Legal123.com.au and Practice Director of Legal123 Pty Ltd. Vanessa is a qualified Australian lawyer with more than 20 years’ experience in corporate, banking and trust law. Follow this link to read the full bio of Vanessa Emilio.