What does small business need to know about GDPR?


GDPR (General Data Protection Regulation) is the European Union (EU) regulation on the protection of personal data. It sets out how companies must think about, and handle, the personal information of the people they deal with.

Australian small businesses need to start thinking about user and client privacy regardless of whether they do business in the EU.

Why? Because this is the beginning of a global push towards greater user privacy. GDPR is the world’s most comprehensive and wide-ranging privacy legislation, and it reaches well beyond the EU’s borders. Other countries’ legislation is likely to follow its lead.

The EU has not recognised Australia’s privacy laws as providing adequate protection (there is no adequacy decision for Australia). We have the Privacy Act 1988 (Cth) and the Australian Privacy Principles (Australian privacy law). Think of GDPR as a ‘superset’ of those laws, which Australian small business has conveniently and largely ignored. Australian law can be expected to move closer to GDPR.

GDPR has sent many Australian companies scrambling to advise users of new privacy policies.

Why? Because any Australian business with a web presence is now global, whether that is as simple as using cookies to collect information from some hapless web-surfing EU resident, or supplying goods or services to a local company that has EU shareholders.

Or maybe you source goods or services that come in whole or in part from the EU. That can be as simple as using a software app developed there or cloud services hosted there. You would be surprised at the EU pedigree of some of the world’s most popular software and apps.

Your EU customers or suppliers have obligations under GDPR. They understand that it is a big stick and a small carrot, and that the law will come down hard on those who break it.

What does it really mean to small business?

Largely it is about privacy by design. In practice that means businesses must clearly identify what information is collected and what it is used for, and obtain specific consent before collecting it (unless another lawful basis, listed below, applies).

If users don’t consent, there must be no degradation of the service or offer. There is no more implied consent, e.g. “By using this website, you agree to our terms and conditions”.

GDPR lays out six lawful bases for processing personal data; you must be able to point to one of them for every use:

  • consent
  • performance of a contract with the individual
  • compliance with a legal obligation
  • protection of someone’s vital interests
  • a task carried out in the public interest, and
  • the legitimate interests of the business (the controller) or a third party. Whichever basis you rely on needs to be stated in your privacy policy.

Part of the GDPR superset of Australia’s current privacy laws includes:

  • A user’s right to easily (online) access, correct and delete their personal data
  • A user’s right to refuse to provide personal data and suffer no consequences, such as degraded access to a website.
  • Some data may be needed to complete a transaction, but you need to explain at every step what the data is used for, e.g. “Your address is used for delivery. OK?”
  • You cannot use customer data that was necessarily collected for one purpose for future marketing (a defined data lifecycle) without consent. That will mean clearer, more concise explanations of what it could be used for.
  • The right not to be subject to automated decision-making, including profiling
  • You must protect that information from breach, from use by third parties and from abuse within your own company.
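As an added illustration (not code from the original article or from any regulator), the following Python sketch turns the points above into something a developer can actually enforce: consent is only recorded for a purpose named in the privacy policy and only when the person actively opted in (no pre-ticked defaults), data is only collected and used against a purpose with active consent, and the access, rectification and erasure rights are served from the same ledger. The in-memory store, the purposes "delivery" and "marketing", the policy version strings and the class and method names are all hypothetical choices for the example.

```python
# Added example, not from the original article. An in-memory consent ledger that
# enforces the GDPR points above: affirmative, purpose-specific consent; no use of
# data for a purpose without active consent; and the access, rectification and
# erasure rights. Purposes, policy versions and names are hypothetical.
from __future__ import annotations

from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone


class ConsentError(Exception):
    """Raised when data would be collected or used without a valid consent."""


@dataclass
class Consent:
    purpose: str
    policy_version: str          # the wording the person actually agreed to
    granted_at: datetime
    withdrawn_at: datetime | None = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Subject:
    data: dict[str, str] = field(default_factory=dict)
    consents: list[Consent] = field(default_factory=list)


class ConsentLedger:
    def __init__(self, declared_purposes: set[str]):
        # Only purposes spelled out in the privacy policy may ever be used.
        self.declared_purposes = set(declared_purposes)
        self._subjects: dict[str, Subject] = {}

    def _get(self, subject_id: str) -> Subject:
        # Read path: never creates a record as a side effect of a lookup.
        return self._subjects.get(subject_id, Subject())

    def _ensure(self, subject_id: str) -> Subject:
        return self._subjects.setdefault(subject_id, Subject())

    def record_consent(self, subject_id: str, purpose: str,
                       policy_version: str, affirmative: bool) -> None:
        """Store consent only for a declared purpose and only if the person
        actively opted in. A pre-ticked box or silence arrives here as
        affirmative=False and is rejected."""
        if purpose not in self.declared_purposes:
            raise ConsentError(f"purpose {purpose!r} is not in the privacy policy")
        if not affirmative:
            raise ConsentError("consent must be an affirmative act, not a default")
        self._ensure(subject_id).consents.append(
            Consent(purpose, policy_version, datetime.now(timezone.utc)))

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        now = datetime.now(timezone.utc)
        for c in self._get(subject_id).consents:
            if c.purpose == purpose and c.active:
                c.withdrawn_at = now       # history is kept, not deleted

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(c.purpose == purpose and c.active
                   for c in self._get(subject_id).consents)

    def collect(self, subject_id: str, key: str, value: str, purpose: str) -> None:
        """Collect a data item only against a purpose the person consented to."""
        if not self.has_consent(subject_id, purpose):
            raise ConsentError(f"no active consent for {purpose!r}")
        self._ensure(subject_id).data[key] = value

    def use(self, subject_id: str, purpose: str) -> dict[str, str]:
        """Hand data to a business process only if that purpose is consented,
        so an address collected for delivery cannot quietly feed marketing."""
        if not self.has_consent(subject_id, purpose):
            raise ConsentError(f"cannot use data for {purpose!r} without consent")
        return dict(self._get(subject_id).data)

    # Data-subject rights: access, rectification, erasure.
    def export(self, subject_id: str) -> dict:
        s = self._get(subject_id)
        return {"data": dict(s.data), "consents": [asdict(c) for c in s.consents]}

    def rectify(self, subject_id: str, key: str, value: str) -> None:
        if key not in self._get(subject_id).data:
            raise KeyError(key)
        self._subjects[subject_id].data[key] = value

    def erase(self, subject_id: str) -> bool:
        """Delete everything held about the person; True if a record existed."""
        return self._subjects.pop(subject_id, None) is not None
```

The ledger keeps withdrawn consents with a timestamp rather than deleting them, because being able to show when consent was given, against which policy wording, and when it ended is what lets you demonstrate compliance later; erasure, by contrast, removes the whole record.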

The big stick may not apply directly to you

The big stick does apply to all your EU users and suppliers, so they will want to ensure any Australian company complies before they do business with you.

Companies like Facebook, Instagram and WhatsApp (all Zuckerberg companies) cannot operate in the EU without substantial change. This legislation has teeth: they must comply or face fines that can run to billions of dollars.

What does small business do now?

We hope this article achieves three things.

First, to scare the bejesus out of you. It may not be Armageddon (Am a getting out of here), but lack of compliance could bite you. Fines of up to 4% of annual global turnover or €20 million (about A$30 million), whichever is higher, apply.

Second, to understand that there is no such thing as implied consent anymore. No more buying email lists, no more harvesting marketing lists from free offers, e-books or reports without a separate opt-in, no more sending marketing emails to previous customers who have not opted in, no more pre-ticked boxes. You must have consent.

Third, get a copy of both the Australian privacy law and GDPR and work tirelessly to comply.

You can read all about GDPR from the UK’s Information Commissioner’s Office (ICO), one of the supervisory authorities that enforces it.

You should also read the simple 12-step preparation guide published by the ICO.