3 ways the GDPR will affect your business in Australia


How Do I Know if it Will Affect Me?

The General Data Protection Regulation (‘GDPR’) applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. This means that if your online website, application or business collects or processes data from a subject ‘based in the EU’, your business can be liable under these new laws. In particular, these three types of businesses should be wary:

1. Australian businesses that have an establishment in the EU;

2. Australian businesses that sell goods and services in the EU; and

3. Australian businesses that monitor the behaviour of individuals in the EU.

If your business sells software you might fall under all three of these business categories.

However, it is only important to consider the GDPR in regard to any personal data your business might manage. The GDPR makes clear that a wide range of identifiers can be classified as ‘personal data’, including a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What Do I Need To Do?

If you have realised that you might be liable under the GDPR then there are a few steps you should take as soon as possible. The GDPR has a lot in common with Australia’s Privacy Act, so hopefully your business already complies with most of Europe’s regulation. However, WorkingMouse has noted three main differences between the laws that we have raised with our clients who have overseas customers. All businesses with software that is available to clients in Europe should ensure compliance with the following (in addition to Australia’s Privacy Act compliance):

1. Consent

Article 6 of the GDPR tells us that one of the conditions for the lawfulness of processing personal data is consent. This is defined in Article 4 as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The UK’s Information Commissioner’s Office further clarified what changes some of the terms in this definition will require for compliance. For example, “clear affirmative action” means that pre-ticked opt-in boxes for data collection will no longer be satisfactory. Consent requests must also:

  • Be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
  • Be specific in identifying the different types of data processing and require consent for each type.
  • State any third parties who may be entitled to the data.
  • Store all records of what the person consented to.
  • Be easy to withdraw at any time. This includes telling people they have the right to withdraw at any time and making it easy to do so. It must be as easy to withdraw as it was to give consent.

Basically, while your website probably already has consent requests, they are likely less explicit or obvious than the GDPR requires. Looking at solutions such as two-step verification can help demonstrate your business’ compliance with the regulation.
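The consent properties listed above translate directly into a data model. The following append-only consent ledger is an added example (not code from WorkingMouse or the original article): consent is recorded per processing purpose, nothing is assumed until the person acts (no pre-ticked default), the exact wording and any named third parties are kept on record, and withdrawal is a single call, as easy as granting. Purpose names and vendor names in the comments are constructed for illustration.

```python
"""Append-only consent ledger: granular, explicit, recorded, withdrawable."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # one processing type, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    wording: str          # the exact request text the person saw and agreed to
    third_parties: tuple  # recipients named in that request, if any
    at: datetime


class ConsentLedger:
    def __init__(self):
        self._events = []  # never mutated in place: every change is a new event

    @staticmethod
    def _now():
        return datetime.now(timezone.utc)

    def grant(self, subject_id, purpose, wording, third_parties=(), at=None):
        # Consent is an affirmative act: no record exists until the subject
        # acts, so an unticked box is simply "no consent".
        self._events.append(ConsentEvent(subject_id, purpose, True, wording,
                                         tuple(third_parties), at or self._now()))

    def withdraw(self, subject_id, purpose, at=None):
        # Withdrawal is one call with no extra hoops, mirroring grant().
        self._events.append(ConsentEvent(subject_id, purpose, False, "withdrawn",
                                         (), at or self._now()))

    def is_permitted(self, subject_id, purpose):
        # The most recent event for this subject and purpose decides; consent
        # for one purpose never implies consent for another.
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id):
        # Complete record of what this person consented to and when, for
        # audit or for answering a data subject's request.
        return [ev for ev in self._events if ev.subject_id == subject_id]
```

Before any processing for a purpose, call is_permitted() for that purpose rather than checking a single account-wide flag.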

2. The Right To Be Forgotten

The entire regulation places some serious restrictions on data controllers and affords heavy protection to individuals (data subjects). Perhaps one of the strongest protections is the data subject’s right to erasure (also known as the ‘right to be forgotten’). Article 17 of the GDPR affords the individual the right to data erasure without undue delay at their verbal or written request.

This means that if, as a controller of data, you are requested to erase an individual’s data, and you have disclosed the personal data to others (a third party), you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individual about these recipients.

Applying this principle to an online environment where personal data has been made public can be challenging due to the vastness of the internet. For these circumstances the regulation requires that reasonable steps be taken to inform other controllers who are processing the personal data to erase links to copies or replications of that data. To determine what steps are reasonable you should take into account available technology and the cost of implementation.

In some circumstances a request for data erasure could be seen as manifestly unfounded or excessive. In these circumstances you might be able to request a “reasonable fee” to deal with the request, or refuse to deal with it, if you can justify this decision. However, considering the focus on individual protection in these regulations, it is better to be more cautious and design your software to be able to erase data if requested.

3. The Right To Data Portability

Another significant difference to note between the Australian Privacy Act and the GDPR is Article 12, which grants an individual the right to data portability. This right is an extremely new idea and requires a controller to provide the individual with a copy of their personal data in a structured, commonly used and machine-readable format so that the individual may transmit the data to a different controller, or provide another controller direct access to transfer the data to their server.

Examples of structured, commonly used and machine-readable formats that are suitable for data portability under the regulation include CSV, XML and JSON. However, this does not mean you are obliged to use them. Other formats exist that also meet the requirements of data portability.

Providing data portability on your software platform may be quite complex to achieve. There are therefore some limits to transmitting data to another controller. For example, this right does not create an obligation for you to adopt or maintain processing systems which are technically compatible with those of other organisations.

All the big companies, from Spotify to Instagram, have had to implement ways for you to download a complete collection of your data on their platform, including a complete history of what photos you have liked and exactly which songs you have listened to.

The GDPR is now in full effect. Online businesses, even those based in Australia, should ensure they are prepared to deal with any requests or concerns raised by individuals interacting with their online presence from within Europe. Though some Australian businesses may not yet, or ever, feel the impact of this new legislation, it is important that businesses who currently have, or in the future plan to have, an establishment in the EU, sell goods or services in the EU, or collect data from the EU, begin to consider some of the significant changes to data collection from this regulation.

David Burkett

Growth enthusiast and resident pom