How GDPR Impacts Australia OUTSIDE The EU

On 25 May 2018, the General Data Protection Regulation (GDPR), takes effect in the European Union.

The regulation offers strict protection requirements over personal data concerning EU citizens. Governments and companies inside the EU have been preparing, but many companies outside of the EU may be unaware how this regulation affects their businesses.

Please understand that this is not just a European issue

GDPR applies to any organisation that:

  • Holds or processes data on EU citizens, regardless of its location
  • Has companies that have employees in the EU
  • Sells or market products or services in the EU
  • Partners with EU organisations

The penalties for non-compliance can be as high as 4% of global revenue.

User consent is a cornerstone of this new law.

GDPR defines personal data as physical address, email address, IP addresses, age, gender, locations, health information, search queries, items purchased, etc.

Many companies today freely harvest this data, use it, share it, and sell it under the auspices of their ever-changing, usually unintelligible click-through “privacy policies”.  In a post-GDPR world, users must issue explicit consent for each attribute collected and for each use or transfer of these attributes. If an organisation’s privacy policy or data sharing agreements change, users must consent to the changes before they take effect.

Organisations collecting this data must allow users to take their data with them or delete it entirely if requested.  Compliance audits will become regular events. GDPR mandates privacy by design and by default.  A quick interpretation means that users must “opt-in” rather than “opt-out” of data collection schemes.

Data minimisation, purpose and storage limitations are important principles in the new regulation.  Simply put, don’t collect more information than necessary, don’t use it for purposes other than what you state, and store it only as long as needed.  Exceptions do exist for health, public safety, and national security reasons.

And this is where it gets quite technical. 

Within each EU member state, the GDPR establishes the position of Supervisory Authority, a government official responsible for overseeing the implementation and enforcement of the regulation.  When organisations detect a breach of EU citizens’ personal data, they are required to report it to the Supervisory Authority in each affected Member State within 72 hours.  The use of encryption on PII can be a mitigating factor in data breaches, which may obviate the need for disclosure to data subjects.

Ideally, data about EU citizens should be housed within the EU. GDPR has provisions for data transfers outside the EU, and the best way to avoid being subject to these conditions is to keep it local.  One weakness of GDPR is that it doesn’t adequately define the term “third country”.  This will likely cause additional legal debate.

In cases where regular transfers of EU subject data are expected to occur between Member States and other countries or international organisations, the EU Commission may make “adequacy decisions” which facilitate these exchanges.

One such example is the EU-US Privacy Shield. The EU-US Privacy Shield framework replaced the former Safe Harbour, which was ruled invalid by the European Court of Justice.  Companies may apply and self-certify that they meet the criteria contained therein.

With a little over a year to go before GDPR implementation, now is the time to prepare. To help customers comply, software vendors, e.g. IAM, IaaS, SaaS, and marketing solutions providers, need to:

  • Build fine-grained consent options into their UIs
  • Provide granular data encryption capabilities
  • Automate privacy policy change notifications and re-consent prompts
  • Respond to personal data export and data deletion requests
  • Where appropriate, allow parents or guardians to control the use of children’s PII
  • Develop GDPR compliance auditing and reporting tools

Organisations that have European operations or do business with EU citizens will need to:

  • Inventory all data
  • Conduct data privacy impact assessments
  • Encrypt PII data at rest and in transit
  • Modify privacy policies, data collection processes, and data handling procedures
  • Develop rapid data breach notification processes
  • Add mechanisms to customer portals so that users can provide consent to data usage
  • Possibly migrate and prune PII from systems
  • Apply for EU Commission approved transfer adequacy programs, e.g. EU-US Privacy Shield

GDPR will certainly enhance EU citizen privacy, but the fines for violations could be substantial.  Make sure your IT systems and data collection processes are ready.

If you have concern for yours, talk to us about your email marketing and how we can assist in your email marketing compliance.

We have released 6 new GDPR compliant email marketing features for all customers. Discover how you can bring your email marketing up to speed with services based within Australia.

Facebook Comment

Make contact

Create sales from leads that didn’t buy the first time around. Make contact or call on

Easy to use Australian email and SMS marketing service helps ambitious businesses with proven email and SMS doubling sales with every send.

Find out more

Discover the simple email marketing tactics that turn your emails into serious sales boosters for your business.

learn more