The GDPR stands for the General Data Protection Regulation and is a new data protection law coming into effect in Europe on 25 May 2018. The GDPR aims to protect EU citizens from privacy and data breaches and will change the way a business communicates with clients and how data is handled.
Whilst this new law appears to affect only Europeans, in the globally connected world we now live in it will actually impact organisations everywhere if Europeans visit any of their online channels. With most of us now having websites, social media pages and other online channels which Europeans already do, or potentially could, visit, the GDPR is definitely something Australian companies need
It will especially affect you if you have an establishment in Europe, offer goods and services in Europe, or monitor the behaviour of individuals in Europe (which, if you use any kind of online service such as Google Analytics, Google Webmaster Tools or Facebook pixels, you do).
How has the GDPR come about?
As the level of online activity has continued to increase over time, privacy has become a major issue for many people.
Customers continuously provide their data via web forms, online stores and their social channels, trusting that the companies receiving it will only use it to provide them with personalised and relevant content. The growing issue is that brands have been exploiting their customers' data.
It is hoped the GDPR will lower the risk of a person’s data being exploited by limiting how much data a company can collect, the way the data can be used, and how long a company can keep the data on file.
How will the GDPR impact Australian businesses and marketers?
Even though the change is coming into effect in Europe, many companies globally are rolling out changes to their data policy to make sure all bases are covered.
The way data is collected will change. At the moment marketing relies on a pre-checked box to collect consent for marketing communication. Once the GDPR comes into effect on 25 May 2018, this will no longer be an acceptable way to collect consent. Marketers must be more deliberate in how they get customers to opt in.
Under the GDPR, marketers will have to make clear what personal data will be processed; how, when and by whom it will be processed; and for what purpose they are collecting it. Consent must be freely given, specific and informed.
The GDPR applies not only to new data but to existing data too. Businesses using personal data will be required to prove they have consent to use it if requested. This means being able to produce a list of current, lapsed, new, inactive, and active customers.
Marketers will also need to be able to produce a list of email subscribers. When collecting consent and data, marketers must make sure they record and appropriately file the date and time of consent, the method of consent, and a copy of the sign-up form for reference purposes.
So what should you do to make sure your business is compliant?
1. Educate and inform your team
Ensure that everyone in your company is aware of the GDPR, and that those who deal with the data know what it is and the impact it will have. Workshop what you have to do as a company to remain compliant, depending on how much business you do with Europe, or how many European visitors you have on your online assets such as your website, database and social channels.
2. Audit your existing database/files
Have a look at the personal data your business currently holds and understand where it came from and how it has been used. Consider whether you need to email segments of the list to gain an additional opt-in.
3. Ensure you have a data policy, and review whatever you do have in place
Update your privacy policies to ensure they meet the new GDPR regulatory requirements.
Put processes in place that will meet individual rights, including the ability to delete a person’s data if requested.
4. Put procedures in place for access to data
Ensure you have procedures in place for when a person asks to access their personal data, and for providing this data to them. Make sure you have a legal basis for processing personal data and review your processes for seeking consent. Also ensure you have a way to check a person’s age and/or seek parental consent to use the data. If your company does not have a system for handling and reporting a personal data breach, you must create one. Companies will have to assess whether they need to appoint a representative established in the EU and a Data Protection Officer. A Data Protection Officer is needed if your business collects and processes large amounts of personal data.
If you do not comply with the GDPR, your organisation will face fines of over $30 million AUD, or 4% of annual global revenue.
5. Broadcast any changes
You may have already received an email notification from a company you subscribe to, or which already has your data on file, such as Google, Etsy, Mailchimp, crowdfunding websites and anywhere else you tend to ‘hang out’ online. Just like them, your company should be looking to inform its database of any updates to its policy.
6. Inform your website visitors constantly
Consider implementing a prominent notification on your website stating what data you collect and how you collect it. Below is an example.
Learn more about the GDPR at one of our upcoming webinars and have the ability to ask questions and more.