Are you ready for GDPR?

Living in a digital age can provide ample benefits. Unfortunately, there are also dangers to having your personal information accessible across the internet.  Companies all over the world have access to users’ personal data that previously would have been unattainable, and the potential ways that data can be used (or abused) is endless.

In January 2012, the European Commission recognised these potential dangers and set out plans to give European citizens more control over how their personal data is used.  One of the key components of the reform is the GDPR (General Data Protection Regulation), which replaces the EU’s outdated Data Protection Directive, in place since 1995[1].  Technology and the ways in which the internet is used have obviously changed considerably since the Data Protection Directive was implemented, and it fails to address current concerns over how data is stored, collected and transferred.

The GDPR has been designed to legally enforce and regulate the responsibility that businesses have in regards to the data they’re retaining.  Businesses will now be required to protect the personal data and privacy of EU citizens during online transactions.  It also regulates the exportation of personal data outside of the EU. 

This means that while the GDPR has been initiated by the EU, it doesn’t just apply to businesses that are based in Europe.  It will also apply to organisations outside of the EU that offer goods or services to, or monitor the behaviour of EU citizens.  It applies to all companies processing and holding personal data of users residing in the EU, regardless of where the company is physically located.

So what actually constitutes ‘personal data’? It covers any information relating to a natural person that can be used to directly or indirectly identify that person.  This could be, for example, a name, photo, email address, bank details, an IP address, or even posts on social media platforms such as Facebook.

For a company to be GDPR compliant, it is required to ensure that personal data is obtained legally and under strict conditions, as well as managing it in such a way as to protect it from misuse and exploitation.  If this sounds a little vague to you, you would be correct. Each organisation will be responsible for examining exactly what steps need to be taken to comply, and these may differ depending on the nature of the company.  They could include provisions such as staff training, hiring a Data Protection Officer, internal audits, reviews of policies, as well as data minimisation and pseudonymisation.


Summary of GDPR features:

  • Consent - The request for consent must be given in an intelligible and easily accessible form, clearly distinguishable from other matters and using clear and plain language. It must also be as easy to withdraw consent as to give it.
  • Right to access - Data subjects must have the right to obtain confirmation as to whether their personal data is being collected, where and for what purpose.
  • Right to be forgotten - Data subjects have the right to request any data collected about them be erased.
  • Breach notification - Notification of breaches will become mandatory in all member states. This must be done within 72 hours of first having become aware of the breach.

While it may be tempting for companies to ignore the GDPR requirements, failure to comply can result in fines ranging from 10 million euros to 4% of the company’s annual global turnover.  Examples of fine-able offences may include failure to report a data breach, unauthorised internal transfer of personal data, or ignoring subject access requests for their data.

Any Australian company that is holding or utilising data obtained from users in the EU will need to be aware of its obligations under the GDPR.  Failure to do so can result in significant fines and also lead to a loss of trust from its customers[2].

It's likely that regulations similar to the GDPR will come into effect in Australia in the near future, so complying with the GDPR now for all customers, EU or otherwise, would prepare companies for future regulations in Australia and other markets[3].

The GDPR will be in force from 25 May 2018, so businesses should ensure they are familiar and compliant with the requirements before this date.

Contact us if you'd like to discuss how you can make your website compliant.