The General Data Protection Regulation (GDPR) comes into effect in Europe on May 25.
Despite it being launched overseas, according to the Office of the Australian Information Commissioner (OAIC), Australian businesses of any size may need to comply if “they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU”.
While the GDPR and the Australian Privacy Act 1988 share many common requirements, there are also some notable differences, including certain rights of individuals (such as the “right to be
forgotten”) which do not have an equivalent right under the Privacy Act.
For this reason Australian businesses should determine whether they need to comply with the GDPR and if so, take the required steps to ensure their personal data handling practices comply with the GDPR.
Business Insider spoke to Sage, an accounting and business management software company, to find out how everyday workplace activities will change under the GDPR.
Here are 10 activities Australia business will need to reconsider under the GDPR.
1. Celebrating a colleague’s birthday
An individual’s date of birth is their own personal data. Under the GDPR, it cannot be shared without express consent by the individual. So it is worth checking that you have everyone’s permission to host a shared calendar of birthdays in the office.
2. Sending office Christmas cards
If you were planning to send Christmas cards to your customers, stop right there. If that were to include someone’s home address then that is personal data so once again not permissible under the GDPR, unless you have consent of the individuals in advance. If you do not have express consent to contact each customer, a different legitimate basis must be established for each business communication you send. So, it may be for the courts to decide the business legitimacy of wishing Christmas greetings.
3. Sharing a colleague’s baby photos
Think twice before sharing baby photos with international colleagues. All those adorable new arrivals may have to remain unseen by colleagues far away. Personal data can only be transferred internationally if the country has been designated by the EU as providing an adequate level of data protection or by complying with an approved certification mechanism such as the EU-US Privacy Shield. Of course, if the sharing of a baby photo is deemed purely personal activity, then it can be argued to fall outside of the scope of the GDPR.
4. Catering for allergies at work events
Do you have colleagues with nut allergies? Or perhaps they have kosher or halal dietary requirements? Afraid these are all classed as personal data. So, before you pick up the phone to a restaurant or caterer, make sure you have your colleague’s permission to share that information with others.
5. Forwarding on a candidate’s CV for a second opinion
Not sure about a potential candidate for a role in your organisation? Tough luck – once again that will be personal data. Of course, you could argue that it would be reasonable to share a CV of an applicant with others in the company on a need to know basis. However, an easy way to get a second view of a CV is to anonymise it, removing name, address, phone number and any other identifiable information. This is also becoming a growing trend among businesses as a part of an approach to remove gender and race bias in recruitment.
6. Ticking the box to join a mailing list
Does your website registration form have a pre-ticked box for customers to receive marketing information from third parties? You might want to rethink that come May 26. Under the GDPR, silence, pre-ticked boxes and inactivity will no longer suffice as consent. You may also want to read through your privacy terms online, as a request by a business for consent to use personal information must be intelligible and in clear, plain language.
7. Talking politics in the office
Political opinions are part of a special category of personal information – sensitive personal data – and organisations cannot record or process data about this type of information. So, if you were planning a company webcast about a forthcoming election, it may be best practice for a speaker to preface any comments with the phrase “I expressly consent to share this information about my political opinions”.
8. Calling in sick
Health information is also part of that special category of personal information. So, if you have to call in sick one morning to discuss a particular medical condition, you can’t then return to your sickbed and hope that the message will be passed on unless you have consented for that information to be shared with every person who needs to be told. Alternatively, an individual can personally share that information themselves, which means that sore throat may get a lot worse with all those calls to make to ensure everyone knows your whereabouts.
9. Data auditing
Under the GDPR, an organisation needs to have a designated person responsible for data protection matters and in some cases, a company may need to formally appoint a Data Protection Officer before carrying out any large-scale processing personal data. An individual appointed would be responsible for raising awareness of data protection regulations in an organisation, training staff and managing audits of data processes.
10. Managing a data breach
If your business suffers a data hack, you’ve got to think quickly about telling people about it. Under the GDPR, if personal data is accidentally or unlawfully lost, destroyed, altered or damaged, it needs to be reported to the supervisory authority within 3 days. And it’s not just the relevant authority that needs to be notified, all individuals impacted need to be informed too if it is likely to result in a high risk leading to financial loss, identity theft or fraud.
More information on the changes can be found here.
Business Insider Emails & Alerts
Site highlights each day to your inbox.