The new EU privacy laws (GDPR) are just over a week old, and the sky hasn't fallen in yet. Unless you're Google or Facebook who were served with suits claiming around 4 billion euros each on day one of the new laws coming into effect. Or Apple, Amazon or LinkedIn who joined Google and Facebook as targets of coordinated privacy complaints (around 12,000 each) which have been lodged with the regulators.
The GDPR has real teeth (fines up to the higher of 20 million euros or 4% of turnover), and applies to businesses everywhere, including outside the EU. If you offer goods or services to, or monitor the behaviour of, people in the EU the laws apply to you.
If you are caught by these laws, here is what you need to do:
- How you handle personal information: You already have the policies and procedures in place to comply with your obligations to the Australian regulators. You will need to make a few changes to appease your new European overlords, including meeting minimum IT security requirements.
- Your contracts with customers: Your T&Cs will probably need some tweaks.
- Your contracts with suppliers: Whenever you hand over personal information to third parties (e.g. software/cloud storage suppliers, PR/marketing agencies, consultants) you have obligations to include quite specific terms in the contract. These include that the supplier must comply with the GDPR IT security obligations.
- Your contracts with clients: If you're a data processor under the GDPR (someone who processes personal information on behalf of a client who actually collected it), then you want warranties from your client that they have all the necessary consents to pass that information on to you. Your client will probably force changes to your contract on you anyway (see 5 above).
Yes, the GDPR is all your privacy nightmares. However, compliance is possible. Ask us how.
We do not disclaim anything about this article. We're quite proud of it really.