You’ve probably noticed a lot a communications lately updating privacy policies and disclaimers from businesses around the world. Governments are stepping up regulation of online privacy, and small businesses can’t bury their heads in the sand. We’ve put together a quick guide to the key privacy areas you need to be across.
Important changes you need to know about
Law: Businesses that collect personal information and have an annual turnover of $3 million or more, and any business handling sensitive information (such as healthcare), must comply with the Australian Privacy Principles (APP).
What it means for you: In terms of ‘online transactions’, the law applies to any exchange of information such as taking payments, and information delivered via contact forms and lead magnets. Staying privacy compliant doesn’t require much work – but it’s important to be aware that non-compliance could lead to fines of up to $2.1 million.
Law: Disclosure of personal information to parties in other countries must comply with the APP.
What it means for you: Business owners who engage in any outsourcing, such as overseas web design, must take reasonable steps to understand that country’s data collection and handling policies. Also you need to make sure they are not in breach of Australian law.
Law: Email marketing must have a clear opt-out facility under the Spam Act.
What it means for you: Sending promotional emails without an opt-out button, or mail to customers who have already opted out, is a big no-no. Make sure your marketing collateral – especially anything that is automated – complies with opt-out laws.
Law: Only collect personal information that is necessary for your transaction.
What it means for you: If you’re selling someone makeup, for example, there’s no need to get their passport number. You should review your online forms to make sure you’re only asking for relevant information.
Law: The European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. It applies to any business, anywhere in the world, that processes personal data relating to an individual in the European Union.
What it means for you: While largely similar to the APP, there are some differences that may affect how data must be protected. If you deal with customers from countries in the EU, it’s worth getting across the GDPR, or even getting legal advice, to ensure you comply with the new regulations.
Checklist for remaining compliant
- Have a policy in place for how you collect, use, disclose and store personal information, as well as any complaints that arise from it.
- Develop a privacy notification and make it visible wherever personal information is collected, such as pop-up cookie notifications on your website and email disclaimers.
- Appoint a privacy officer to keep up to date with changes to the law, and document and train your staff accordingly.
- Stay on top of any breaches, report them and follow through on any necessary changes.
What to do if you are in breach
Notifiable data breaches must be reported to the affected individuals as well as the Office of the Australian Information Commissioner (OAIC), especially if the breach is likely to result in serious harm to anyone whose personal information was compromised. You will need to complete a form and conduct a quick assessment of the extent of the breach.