How GDPR Impacts Your Business

What the General Data Protection Regulation Means for Australian Business

GDPR stands for “General Data Protection Regulation” and it’s a significant update to data protection laws for the European community. In broad strokes, GDPR gives European citizens full control over their personal data.

You probably zeroed-in on the word “European” and are justifiably curious about why businesses of all stripes are changing their data policies with this new legislation. No doubt, you been hammered with emails recently asking you to opt back into new mailing lists and accept terms and conditions.

The reason everyone is scrambling to comply with these regulations is because Europe is a very large market/audience and it generally leads the world on matters of data privacy. To be fair, our regulations are very comprehensive and if you are compliant with the Australian Privacy Act 1988, you are probably in good shape.

If You Collect Data on European Citizens, You Need to Comply with GDPR

If you do any marketing beyond our borders, you are probably marketing to and collecting data on citizens of countries that enforce GDPR. To be clear, as the office of the Australian Information Commissioner points out in the online document Australian businesses and the EU General Data Protection Regulation:  “Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.”

Ten Steps to Prepare for the General Data Protection Regulation (GDPR)

We’re borrowing this list from our sister company Member Jungle, to list out the areas you need to consider when you are implementing GDPR.

To be compliant with your ongoing data collection activities, when you collect personal data use a checkbox, without a default selection, combined with clear language about what you will do with the data you collect.

1. Publicise - Ensure that key people in your organisation or association know that the law is changing to the GDPR.
2. Consent - Review how you seek, record and manage data consent when collecting personal information for your club and whether you need to make any changes. Update existing consents now if they don’t meet the GDPR standard.
3. Information Maintained - Document what personal data your club collects and maintains, its source and who you share it with.
4. Privacy Notice - Review your membership organisation's active privacy notices and plan in place to make any necessary changes for your GDPR implementation.
5. Data Breaches - Develop procedures to identify, report and investigate a personal data breach.
6. Individuals’ Rights - Review your club’s processes to ensure to respect all the rights individuals have, including how you would delete personal data or provide data electronically and in a user-friendly format.
7. User Access Requests - Update your organisational procedures to handle user requests within the new time limits and provide any additional information.
8. Lawful Basis for Handling Personal Data - State the lawful basis for your data activity in the GDPR, document it and update your privacy notice to explain it.
9. Age -  Do you need to put systems in place to verify members’ ages and does your organisation need to obtain parental or guardian consent for any data processing activity.
10. Data Protection Officers - Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance.