What the EU’s GDPR means for Australian SMEs

The local and international rules around data protection were tightened up in the first half of 2018. As businesses are discovering, it’s now a whole new ball game.

Though few appreciated it at the time, businesses enjoyed a long era of light-touch regulation around how they stored customers’ and employees’ data and what they did with it. In recent months, that era has drawn to a close. More stringent local privacy laws came into force on February 22. The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25.

Hard-core data protection

The GDPR requires organisations that collect, receive, use, disclose and/or store personal information of residents of a European Union Member State – including private businesses – to be much more careful about how they obtain, use, share and store data. Organisations are required to get explicit consent (or have another lawful basis) to collect personal data, only collect it when they have a good reason for doing so, collect the minimum amount of data that’s necessary, make sure the data remains accurate and use it strictly for the purposes it was volunteered for. Organisations must also delete data once they no longer need it, or if the individual who supplied it requests this. The GDPR requirements may extend to personal information of residents of other jurisdictions which is disclosed in a European Union Member State.

What does this mean in practice?

Take the example of a business that adds a new customer to their email marketing list following a transaction. This has long been standard operating procedure for many SMEs, but this may be classified as an infringement of the GDPR. Fines for businesses in breach of the GDPR range from up to €10 million (A$15.5 million) for ‘lower level’ offences to €20 million (A$31 million) for more serious ones.

The cost of compliance

There’s good news and less-good news about GDPR for Australian SMEs. The good news is that it doesn’t apply to them if they don’t have dealings with European consumers or businesses and don’t have analytic software on their website. The really good news is that, even if they do have commercial relationships with European consumers or businesses, it’s unlikely they’ll be copping whopping fines anytime soon (in fact, it’s yet to be established how the authorities administering the GDPR will enforce jurisdiction over Australian organisations).

The more sobering news is that the GDPR is well on its way to becoming the de facto global standard for data protection. Businesses that don’t get with the GDPR program are going to find it increasingly difficult to stay in business.

Mike Pym has spent three decades working in IT law and is the CEO of Gordian Lawyers. Like a host of other law firms, Gordian Lawyers has teamed up with IT specialists to help businesses become GDPR compliant.

Here’s his description of what that involves: “To be compliant a business will need to change all its customer, employee and supplier agreements. It will have to revisit all its internal policies and write new data-retention, IT security, back-up and clean-desk policies. It will need to review everything to do with the management and security of personal information, whether it comes from customers or staff. And it will need to update its website and marketing practices.”

If you’re thinking that sounds like a big job, you’re right. “It’s transformational change,” Pym says. “Even SMEs with a fairly simple privacy environment need to be prepared for it to take 3-6 months of work and cost $100,000 – $200,000.”

In a globalised economy, all businesses are European

Pym points out that the short-term issue for Australian businesses unwilling to invest in becoming GDPR compliant is that consumers and other businesses won’t want to deal with them.

“There will be a ramp-up period. It will be some time until smaller businesses, especially those based outside the EU, have to worry about the possibility of being fined unless there are significant breaches,” he says.

“But consumers are now worried about what’s done with their data. They may stop patronising businesses that aren’t GDPR compliant. A more pressing concern for business owners is that most SMEs are part of large, interconnected supply chains and use cloud applications. What will happen – what some of my clients are already reporting happening – is that businesses are getting emails saying, ‘Are you compliant with GDPR? If not, we can’t transfer data to you, which means we can’t continue to do business with you’.”

Pym is at pains to point out Australian SME owners don’t need to panic. Nonetheless, he urges them to have a written and actioned plan to become GDPR compliant within the next 6-12 months. “There’s lots of assistance out there,” he says. “Specialist law firms such as mine, as well as the Big Four [Deloitte, PwC, EY and KPMG], mid-tier consultancies such as Grant Thornton and BDO and small privacy consultancies are all offering various services that help Australian businesses become GDPR compliant and train their staff to follow the correct procedures. The DIY approach is not something I’d recommend. But if a business doesn’t have the money to pay professionals, it’s possible to go online and buy GDPR-compliance templates for around $1,000 – $3,000.”

The new data-protection laws make a cyber insurance policy an even better investment for Australian businesses. If you’d like more information about such a policy, a Steadfast insurance broker will be happy to speak with you.