HOW THE GDPR AFFECTS AUSTRALIAN BUSINESSES
In the news, we have been hearing about data and privacy breaches, with personal information being collected and stored by businesses without an individual's explicit consent. The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and applying from 25 May 2018, responds to concerns of this kind and is set to change the approach to data privacy worldwide, including for businesses outside the EU that handle the personal data of people in the EU.
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. It is a European Union law that gives individuals greater control over, and knowledge of, their personal data. The GDPR governs the way that businesses can collect, process, store and use this personal information.
WHAT IS REQUIRED UNDER GDPR
The goal of the GDPR is to protect consumers and their personal information from being poorly handled and misused. Businesses will be held to a higher standard and expected to act within the bounds of the GDPR when collecting, storing and using this personal information.
Businesses will be required to adhere to the following pillars:
Explicit Consent – When collecting an individual's personal information on the basis of consent, that consent must be freely given, specific, informed and unambiguous. In other words, you can no longer send marketing or other unsolicited information to people who have not specifically opted in to receive it, and pre-ticked boxes or silence do not count as consent.
To be considered valid consent, clear and specific wording must be used, and opting in must be separate from other terms and conditions. Consent must also be as easy to withdraw as it was to give. This gives the individual control over future communications with your business.
Rights to Data – under the GDPR, individuals must be informed where, why and how their data is processed, stored and used. An individual can request access to the information you hold about them and can request to have it deleted (the "right to erasure"). Such a request must be acted on without undue delay; for example, when an individual unsubscribes, their information should be removed from your database rather than retained for later use.
Breach Notification – under the GDPR, a personal data breach that is likely to pose a risk to individuals' rights and freedoms must be reported to the relevant supervisory authority within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, they must also be informed without undue delay.
Data Protection Officers – public authorities, and organisations whose core activities involve large-scale processing or regular and systematic monitoring of personal information, must appoint a Data Protection Officer to oversee the collection, storage and use of personal information. This is to ensure companies are appropriately handling an individual's information and using it only for the purpose for which it was given.