The GDPR came into effect 10 weeks ago. We sent intrepid local startup founder Ankur Sharda out to see whether it was having any effect on business, and what WA startups need to look out for…
No doubt you’ve heard a bit about the GDPR. But if you’re like me, you may be a bit unsure what all the fuss is about.
The European Union (EU) General Data Protection Regulation (GDPR) began to apply on May 25 this year, with the intention of protecting people in the EU against various abuses of their personal data.
The word ‘European’ in European Union might suggest it is a little pointless to take much interest in this all the way over here in Western Australia. To some degree you’d be right. However, the onus is on you to ensure you comply with the regulation, and its reach is wide enough for EU regulators to find you in breach and penalise you.
Recently I’ve been paying more attention to this, just in case it affects my own bricks-and-mortar retail search engine Tuggl.
In particular I wanted to know:
- Why are they doing this?
- What does the regulation actually do?
- What does it mean for Perth startups?
Why is the EU doing this?
The goal of the regulation is first to protect EU citizens’ privacy, and second, to make the rules for privacy protection common across the EU.
In theory this should (1) make digital operations cheaper and simpler for businesses within the EU by avoiding a spaghetti bowl of differing regulations for different areas, and importantly (2) increase the confidence of EU residents to engage online.
What does the regulation cover?
GDPR covers ‘personal data’: any information relating to a person who can be identified from it, directly or indirectly. Examples include:
- Names and email addresses
- ID numbers
- Reference numbers (a customer or account ID)
- IP addresses and other online identifiers such as cookie IDs
- Location data
There is a further, more tightly restricted category (the ‘special categories of personal data’) covering racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation.
The GDPR also sets extra conditions on processing the data of children living in the EU, notably on consent to online services.
What does it mean for Perth Startups?
The current iteration of my startup Tuggl doesn’t store user data from the EU. Our retailers are only in Australia and the USA. Although EU residents do visit the site as shoppers, we aren’t storing any of their data so for the time being we aren’t at risk of breaching GDPR.
Penalties for breaching GDPR
While I might be in the clear, that’s not the case for the largest tech companies and possibly you.
The fines come in two tiers. Breaches of obligations such as record-keeping, security and breach notification carry a maximum of the larger of €10 million or 2% of global annual turnover; breaches of the core data-protection principles, of individuals’ rights, or of the rules on international transfers carry a maximum of the larger of €20 million or 4% of global annual turnover. How much is 4% of, say, Apple’s 2017 turnover? On revenue of roughly US$229 billion it is about US$9 billion, a breezy €7.9 billion or so.
Having no operations within the EU does not put an organisation out of reach: the regulation expressly applies to certain processing by organisations outside the EU (Article 3), and such organisations generally must designate a representative inside the EU (Article 27) through whom regulators and individuals can deal with them.
How do I get ‘GDPR clear’?
With such a big legal stick and long reach, it’s no surprise that companies around the world have rapidly fallen into step simply because they might serve an EU resident and store their personal data. The core security obligation (Article 32) can be summed up as implementing technical and organisational measures that take into account:
- The state of the art (security best practice)
- The cost of implementation
- The nature, scope, context and purposes of the processing
These measures are also informed by the ‘likelihood and severity’ of the risk to people’s rights and freedoms, and must provide a level of security ‘appropriate to the risk’. The regulation’s own examples of what form these measures might take are:
- Pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems that process personal data
- The ability to restore access to personal data promptly after a physical or technical incident
- A process for regularly testing and evaluating how effective these security measures are
Note that the last point is about testing the security measures themselves rather than auditing the business’s compliance as a whole, and that encryption is listed as an example, not a blanket requirement: the measures have to fit the risk you have actually assessed.
But I don’t even operate in the EU!
It does not matter. The regulation applies to any organisation established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU (paid or free) or monitor their behaviour, for example by tracking visitors from the EU (Article 3). Merely having a website that can be reached from the EU is not enough on its own; the test is whether you target people there or track them.
How enforcement against non-EU organisations will happen in practice is still unclear. Article 50 of the regulation (in Chapter V) commits the EU and its supervisory authorities to developing international cooperation mechanisms and mutual assistance for enforcing data-protection law. The EU represents a major market for many online businesses, and those businesses have a strong interest in being on the right side of the regulation.
It is a good bet Australia will largely cooperate with GDPR enforcement, especially as the Australian privacy regulator has already noted how similar the GDPR’s approach is to our own laws, notably the Privacy Act 1988.
How enforcement of the GDPR in Australia happens is yet to be tested, but the most likely targets of EU supervisory authorities are:
- Businesses that require email registration
- E-commerce providers
- Mobile apps
- Web hosts
- Online gaming
The Times They Are a Changin’
Many commentators and legislators are calling the passage of GDPR a step-change in the history of the digital world.
How it affects Perth’s startup industry will be interesting. Yes, it is another layer of compliance to (probably) worry about above Australia’s own laws.
It may be a bit of a drag on innovation. However, it may also have the effect of preventing unethical operators from getting off the ground, or of shutting them down, and in so doing improve confidence in online marketplaces. That’s a good thing.
We’ll have to wait and see the results of GDPR for local businesses. What will be the costs? How will the EU pursue enforcement? Will Australian authorities cooperate, and to what degree? No one can be sure yet. But what we do know is that the EU, for better or worse, has made its own little ‘dent in our universe’.
Whether it’s worth it? Time will tell.
Feature Image: Surveillance Cameras – Scott Web, unsplash.com