The GDPR is an EU-based legislation which can impact organisations here in Australia. So in order to talk about this topic, we have brought on board Mary Anne Waldren from the Master Advisor Program and our very own Elizabeth Lee from Aspect Legal, and together we’ll discuss the GDPR and its impact on businesses here in Australia.
- Who this applies to in Australia
- No one seems to know what to do
- Responding to the need for education
- GDPR and the Australian Privacy Laws
- The right to be forgotten
- Systems element to GDPR compliance
- What businesses need to understand
- A free webinar about what’s involved
- Quick recap
Who this applies to in Australia
Joanna: Well Mary Anne and Liz thank you so much for joining us today on Talking Law. Liz, how about we start off with you. From a legal perspective, why don’t you give us a little bit of a rundown of what the GDPR means for businesses here in Australia because I think there’s a lot of concern that I’ve seen in the marketplace about who this applies to in Australia, what businesses it applies to and what it actually all means.
Liz: Yeah. So the General Data Protection Regulation was put in place. It came into effect on the 25th of May 2018. But of course, it’s been in the works for a good couple of years in the EU.
I think that for many Australian businesses, it sort of came around pretty quickly and hit them quite suddenly. We have this influx of concern. It’s been bubbling along.
This affects businesses that collect, store, handle, and transfer personal information particularly where it relates to an EU citizen or a person located in the EU. I think that, for the most part, Australian businesses haven’t seen themselves as being in that position. But I think increasingly, they have come to realize they actually could be exposed.
No one seems to know what to do
Joanna: Yeah absolutely. This all reminds me a bit of the Privacy Act commencement here in Australia actually I must say. In fact, not just that, but any of the legislation that we’ve had come in over the last couple of years, the Personal Property Securities Act legislation, anything that is I guess a major change. We see businesses not really taking any action until the eve of the commencement of the legislation and then suddenly everyone’s all in an uproar about it trying to work out what it actually means for them. I guess that’s where we are at the moment.
Mary Anne, maybe this is where I might point over to you. Is this part of the reason why you’ve put together the events and the kits that you’re working on to help bring businesses into an understanding of what’s going on in this GDPR legislation?
Mary Anne: Yeah, look Joanna, thank you so much and thank you for inviting me on your podcast. Absolutely. I was very concerned about it. I helped produce some programs for ABC Radio National.
I was looking at GDPR and I thought “Gosh, this date’s coming up.” Then I did a little bit of research and I realized no one knows what to do. And when I spoke to various accountants and lawyers and small businesses, no one really knew. Some of the big law firms were like “Oh yeah, we’ve got people in the UK and in Europe who we’ll call in to help.”
But I don’t think anyone in Australia, unless you’re a multinational with a lot of Europeans on your database, really did a lot about making sure they are GDPR compliant. Then all of a sudden, just as the 25th arrived, we all got inundated with thousands and thousands of notes or emails in our inboxes from everyone saying they are GDPR compliant.
Joanna: It was a bit hard to miss, wasn’t it?
Responding to the need for education
Mary Anne: Anyway, I ended up ringing the ABC saying “I think we need to do an event on this” and they agreed. So I did some research and put a panel together.
Then I did some more exploring and I found some people in the UK who were selling kits. I rang them up and I said “Could you make this available in Australia please?”
I then found you Joanna and I thought we need a privacy lawyer as well as a compliance organization, like we found from MojoU in the UK.
Reverend Mark James has actually been operating for quite a few years but he’s been looking at GDPR for the last couple of years and he’s put in place an amazing online training program where he helps take people through what you need to do.
I’ve been doing the online training as I believe lots of other people in Europe have done, and it’s absolutely phenomenal information. There’s so much more to the GDPR privacy than I ever thought.
There is a bit of a jump from our Australian Privacy Laws to be GDPR compliant. So that’s why I said let’s get the kit. Let’s make it available to all Australians. We’ll give 20 minutes with a legal privacy lawyer and then 20 minutes with him.
He’s giving a month’s online support with the basic level templates kit and then a month of online training, which is all part of the kit price. So anyone who goes to the event in Melbourne on the 20th of June, which is going to be a phenomenal event. We’ve got the Victorian information commissioner speaking, someone from Dolby talking about audio, and then someone from Kanika which is a CMS big European company that have made their whole system GDPR compliant so it’s easy for some of the big set websites in the world to work through them, and then also a lawyer from Swinburne Uni. So it’s going to be a really interesting discussion and my thing that I came up with the first time was like what about me?
I know a lot of Europeans. I’ve got seen Europeans on my database. I don’t want to be in trouble so that’s why I was concerned. I run some entrepreneur programs and I rang up some of the entrepreneurs who got over a million dollars in revenue and said do you know about GDPR? And some of them didn’t.
Then one of them sent me a note saying that she is GDPR compliant. I rang her up and I said who did it for you? She said we couldn’t work out how to do it. We asked my lawyer and he didn’t know. So my board member did it for us and I’m like okay and I’m thinking wow, does she actually know all the implications of this?
It’s bigger than just. It’s something about training a whole new culture, about data processing and who controls the process, who controls the data and where the data is going. For example, if I as a small business had a virtual assistant in the Philippines I have to make sure that my virtual assistant was working for a company that was GDPR compliant otherwise if they’ve got access to my data, that could be a breach. Everything you do, all your processes need to be looked at.
GDPR and the Australian Privacy Laws
Joanna: And that might be a good point for us to talk a little bit more about the legal elements Liz as well. So a couple of things that you’re talking about there Mary Anne I think are worth drilling into a little bit further.
Firstly, looking at the Privacy Act here in Australia. The Privacy Act generally speaking isn’t applicable to small business, so that’s businesses who have a turnover of less than 3 million.
There are some exceptions to that, for businesses that process health related information and some other exceptions. But generally speaking, businesses who have a turnover under 3 million aren’t captured by the Australian Privacy Law. But the GDPR seems to be capturing even these small businesses.
Liz: Yes, that’s right. So right up until now, the small businesses as you described didn’t have to comply with the Privacy Act but all of a sudden, they find themselves having to comply with this European law.
Joanna: Which potentially is far more stringent than the Australian Privacy Law.
Liz: Yes, which has far more heavy penalties for not complying.
Joanna: Well that’s the big thing, isn’t it? Penalties here we’re talking about of up to. What is it? Up to four percent of…
Mary Anne: Of global income. It’s not just your European income. It’s your global income or 20 million Euros.
People like Facebook were regularly getting fined two million dollars a day for breaches in Europe and they didn’t care. But now it’s several billion dollars a day so they do care. They have really hyped up the fines to make everyone accountable.
The right to be forgotten
Mary Anne: One of the key things that is happening in Europe that is not happening in Australia yet, but it will because of the Senate legislation or the motion that we’re going to go towards GDPR is the right to be private. People can actually, as citizens, say I do not want to be marketed to and I want to know exactly what’s on your database and where my information is going and who’s looking at it.
Liz: Yes, that’s right Mary Anne. Under the GDPR, they have a right to be forgotten completely.
Joanna: Right to be forgotten. I like that term. Don’t you love their terminology?
Liz: Yes, that’s new to the Australian privacy framework, to have the ability by companies to be able to completely erase all information about a particular customer.
Systems element to GDPR compliance
Joanna: This is where we come back to a systems approach because really this legislation has both a legal element. But in one sense I don’t think the legal element is perhaps even as large as the systems element and the technology.
Liz: Yes, that’s right. There’s a real process behind this that has come into play in order to comply with the GDPR.
Mary Anne: And one of the things that I’ve realised is that by going on this journey it actually makes us so much better, much more accountable for what we do.
For example, I’m a small business and a lot of these small business breaches are through human error. And so for me, if I’m leaving my office or going away I have a lockable safe. I have a lockable door to my office. And what Mark James has been talking about is that sometimes small businesses leave forms with credit cards on the front desk and their people go to lunch.
I mean to grab those. You’ve got to be so diligent with everything you are doing with any one start up. And for a breach, you have to let the various information commissioners in Europe know within 72 hours if it’s a major breach like credit cards or someone stole all your credit card data, and also you have an obligation I imagine (I don’t know. I’d check with you Elizabeth). You have to tell your own bank, wouldn’t you? And you’d also have to alert the Australian authorities and also maybe the customers involved.
What businesses need to understand
Joanna: It’s a really good point you raise here Mary Anne because we’ve got this interplay of the two different pieces of legislation once again. I think it’s really important that we reiterate that this legislation is not legislation at the moment in Australia.
It’s only relevant to Australian businesses in that the EU has passed this legislation in respect of organisations that deal with EU citizens. So where you have clients that are based in the EU or you have people on your database, you’re collecting information from people who are based in the EU then that is the type of business who’ll be caught by this EU legislation. But just to be clear, it’s not legislation here in Australia right now. So the exposure that you have is that an EU regulator might take action against you here in Australia. Just so that everyone knows because it’s very confusing.
Mary Anne: It is! If people want to know more about it, they can go to the Master Advisor Program website and they can find out about what’s in the kit and also what the event’s about in Melbourne.
The good thing about that event Joanna is that it will be pre-recorded and broadcast later. So we can actually make that available to your customers. I mean your podcast customers might want to see that link later.
Joanna: Great. That sounds fabulous. One of the other things that I wanted to point out here is I think one of the strategies that people are using (and you even touch on this Mary Anne) is that people are saying okay well I don’t know what to do so I’m going to go and check out the privacy notice that I’ve seen. One of these millions that I’ve seen emailed to me and I’ll just take a copy of that.
But I think the important thing is that GDPR compliance is not just replicating documents or someone else’s notice. It’s about understanding that notice and its application to you. It’s about living what you say in that notice. But it’s also about being very careful about the interplay between what that notice might say and your rights and obligations or non-obligations under Australian Privacy Law.
You have to be very careful as a business, if you’re based here in Australia, not to suddenly make yourself liable for non-compliance with particular elements that you might set out in your privacy notice if you didn’t actually have an obligation under Australian Privacy Law to meet those elements. There’s a law here for businesses to understand that might on the face of it perhaps look more simple than it is.
I think Mary Anne, this is where the event that you’re putting together, together with the kit with information about how people apply some of these principles in their own business environment, are so important.
The way marketing has been done in artificial intelligence on selling to people. There are some really big changes happening so I think that’s why it’s really really important to do some training, get the kit by all means but the training is important, the e-mail support and of course the Australian law and what it means for you because there could be some citizens I think that only have a couple of people on their database who are EU citizens and maybe they can actually handle that separately.
I think you and I talked about that before Joanna. But if you have quite a few, if you’re an online business and you sell quite a bit of merchandise to the EU, you really need to be very very careful because is that data being processed through China, is it through India, is it through GDPR compliant companies? Those are things that you’ve really got to look at. Who’s looking at your data?
Joanna: Yeah, absolutely. Just as a quick summary here and we’ll put a link through in our show notes, through to details of the event and details of the kit so you can find out more.
A free webinar about what’s involved
Mary Anne: Also we’ve got a webinar that people might want to go on, and that’s free. That’s next Monday, the 18th and if you could put a link to that too Joanna because that’s a one hour webinar at 4:00 p.m. and Mark James who’s done live 1100 companies, 4500 churches, I think it was 11 universities, accounting firms, legal firms. He’s actually trained a lot of organizations to become GDPR compliant. So anyone who wants to go on that webinar would probably really benefit from understanding what’s involved and he’s going to go through some of the templates, and this talk for an hour about what’s involved. And I think that’s, especially those customers who have EU clients, be really good for them to listen to that.
Joanna: That sounds fantastic. Well we’ll link to that in our show notes. A lot of people listen to these podcasts well into the future of when we make them live. So if the events that we’re talking about here and the webinar that we’re talking about here are past the date that you’re listening to this podcast then we probably will have some recordings available. What we’ll do is we’ll just make sure in the show notes that we also link to any recordings that have existed if you happen to be listening to this podcast after the dates that we’re talking about here.
So let’s wrap this up with a little bit of a summary. I guess just as the first pointer, GDPR legislation is here. It’s here right now. It’s commenced so it’s on foot.
I think the second point is it’s not Australian legislation however it might impact businesses in Australia.
The sorts of things businesses need to think about are probably firstly the extent to which you have any of your clients or your databases based in the EU and then you need to have a bit of a think about whether or not you need to be looking at the legal policies and your agreements and potentially your systems, to the extent that you have clients or people on your database that are based in the EU.
Now Liz or Mary Anne do you have any other quick things to throw out there? Anything else that our businesses who are listening in should be considering in relation to this new legislation?
Mary Anne: No, but I’m really interested to hear how long it’s going to be before the Senate motion becomes law. I mean I don’t know how you can predict that, but all the information commissioners in Australia, privacy information commissioners in Australia talk to the national information commissioner and I’m sure that they’re putting in place something at the moment because if it’s gone through the Senate it can’t be that far away. Is that your thinking?
Joanna: Well look I don’t know. I haven’t heard much buzz around this.
Liz: No, me neither.
Joanna: Certainly from our perspective, we haven’t heard much buzz around it being mirrored in Australian legislation. The legislative process here in Australia can take quite a while. Well anywhere really, but it would be really interesting to watch this page.
And look, I think whether or not it becomes law anytime soon here in Australia or impacts our current laws as they are at the moment in the Privacy Act. Of course if your business, even if you don’t have European clients right now, it might be that as your business expands you do so it’s certainly something for businesses to keep front of mind as they’re expanding and growing.
Mary Anne: Absolutely. We seem to be a pretty digital savvy country and we’ve got a lot of online entrepreneurs doing some amazing businesses all over the world. We’ve got to make sure that these people know about it. I mean you don’t want to be the person who was made the example of doing the wrong thing, do you?
Joanna: Yeah, absolutely. Well look thank you so much Mary Anne and Liz for joining us today. It was great. We should do more discussions in the future. I like this panel of three.
Mary Anne: It’s great, isn’t it? Yeah. I mean I’m sure that we will further down the track once we’ve sold some more kits.
Liz: Well you see it in practice.
Joanna: Absolutely. It’s very interesting to see how this all evolves. Absolutely.
Mary Anne: And perhaps we’ve got to get Mark on here as well.
Mary Anne: Mark from MojoU because I think he would be a terrific one for your listeners to hear from. He’s the one who’s running the webinar.
Joanna: And I think you’re absolutely right because here we are, all three of us are here sitting in Australia talking about legislation that hasn’t come out of Australia. I think in the future maybe we will look to have, particularly as we see the evolution of this legislation now starting to be applied. I would really love to hear a European perspective. How are businesses dealing with it overseas?
Mary Anne: I agree with you. I mean what he said to me the other day when I was chatting to him. It took one company who had done all their GDPR compliance and it took them 18 months to put it together. They are a chiropractor firm of 50 people. They have 50 customers, regular customers. One of their customers said we want to know where our data is and so they went online and they were able to tell their customer everything within eight minutes.
Mary Anne: And that’s because of the processes that were put in place by Mark and all the templates. It’s a fantastic opportunity for anyone who wants to actually learn this stuff and put better processes in place in their own organizations.
Joanna: Great! Thank you again Mary Anne and Liz! We’ll leave it there but we’ll probably be back to you at some stage in the future to give you an update on this new and developing area.
But until then check out the show notes and go and have a look if you are lucky enough to be listening to this before the 18th for the webinar, and the 20th for the event in Melbourne, then check out the show notes to see how you can go along as well. But have no fear if you’re listening to this after that date, there’s still loads you can do. So check out the show notes. We’ll leave you lots of information about how you can access the kit and get in contact with all of the people on this call as well as Mark. Thanks guys!