How do I make our Privacy Policy GDPR Compliant?

The General Data Protection Regulation (GDPR) is the core piece of legislation for European digital privacy. It sets the legal framework for how businesses collect personal information from their customers. The GDPR also outlines what businesses need to include in their privacy policy.

A privacy policy that is GDPR compliant is vital for your business if it operates in Europe. This is a public document that outlines how your business plans to handle the personal information it collects.

Who does the GDPR Apply to

While Australian businesses are regulated by the Australian Privacy Act 1988, Australian businesses of any size also need to comply with the GDPR:

  • if they have an establishment in the EU,
  • if they offer goods and services in the EU, or
  • if they monitor the behaviour of individuals in the EU.

Generally, if you run a global online business from Australia, you will gather personal information from your users during the normal course of business. This includes processing shipping addresses and online payment details. Hence, it is advisable that your privacy policy is up to date and compliant with the GDPR.

On the other hand, even if you operate domestically, checking whether your privacy policy is up to date is an important general rule of thumb. All Australian privacy policies need to be in line with the Australian Privacy Act.

The Australian Privacy Act 1988 and the GDPR have many similar features, which means some businesses may already be compliant. However, if you meet the above criteria, it is important that you ensure your business's privacy policy is GDPR compliant: the EU has in place sanctions of 4% of your business's global earnings or a fine of 20 million Euros (whichever is higher) if you are operating without a GDPR privacy policy.

What does a GDPR Privacy Policy Cover 

According to the GDPR, an organisation's privacy policy must be transparent and concise, and its main purpose is to make information accessible to consumers. The GDPR therefore notes that your policy should avoid using terms like "may", "might" or "often". As a result, your privacy policy will be more accessible to and better understood by your clients.

According to the GDPR guidelines, a privacy policy will include things such as:

  • The identity and contact details of the organisation, its representative and its data protection officer 
  • The legitimate interests of the organisation or third party (where applicable) 
  • A clear action by which customers can consent to the handling of their personal information
  • An assurance that your users or consumers have access to their data processing records
  • An outline of hosting and international data transfers and how businesses will store sensitive data 
  • The right to lodge a complaint with a supervisory authority
  • The existence of an automated decision-making system, including profiling, and information about how this system has been set up
  • The retention period, or the criteria used to determine how long a business will retain your data

Overall, the implementation of a GDPR compliant privacy policy will offer your customers more control over their data. It is particularly vital that you adhere to its regulations if you are operating an international online business.

If you need any advice when drafting your GDPR compliant privacy policy, do not hesitate to call us on 1300 337 997 or talk to one of our privacy lawyers.

To Sum Up

  • As a global online retailer, you need to ensure your privacy policy is GDPR compliant if you have customers in the EU
  • This is because fines will apply if you are caught operating without a GDPR privacy policy
  • Your GDPR policy needs to be easy to follow and drafted clearly in accordance with the GDPR

About Phillip Salakas

Phillip is completing his law degree at the University of Technology (Sydney). He previously worked with Lawpath and Justice Action. His interests lie in construction and technology law.