It’s unusual for me to start with a disclaimer, but on this subject I must. I am not a lawyer. I have compiled this information myself with the aim of providing my clients with the kind of practical, down-to-earth and tailored advice they have come to expect from me. If you need further clarity you may want to contact a lawyer (I have a very good one in Adelaide I can refer you to).
New data protection rules take effect from 25 May 2018: the General Data Protection Regulation (GDPR). It replaces the patchwork of national rules that grew up under the 1995 Data Protection Directive with a single regulation across the European Union (EU). The GDPR has many similarities to the current Australian Privacy Act 1988, but some fundamental differences will affect Australian businesses. In a nutshell, whenever a business collects, stores or uses the personal data of people who are in the EU, the GDPR requires a lawful basis for doing so, which for the marketing activities discussed here usually means clear, recorded consent, and it gives those people rights over their data (such as having it deleted). What matters is where the person is, not where your business is. If you don’t comply, the penalties can be huge: up to €20 million or 4% of worldwide annual turnover, whichever is greater.
There’s lots being written about GDPR at the moment, but I don’t want to regurgitate all the nuts and bolts here. I’ve just picked out a few scenarios that I think some Australian businesses will face, and what they need to do as a result.
Who is affected?
Don’t assume that because your business isn’t established in the EU, or you’re not actively marketing to EU residents, you don’t need to comply with the GDPR. Many Australian businesses are doing subtle things that trigger the need to comply. I’ve tried to pick out the most relevant ones below, under ‘triggers’.
Even if your business is not affected by the GDPR right now, this is a good opportunity for all businesses to review their data capture and management.
What do you need to do?
After reading pages and pages of content on this issue, attending webinars and speaking to website administrators and digital marketing people in my network, here is my bite-size and easy-to-digest summary of the scenarios that might mean your business is affected by the changes, and what affected businesses need to do to comply with the GDPR.
Trigger: You collect any kind of personal information on your website from people within the EU, eg. through sign-up forms or contact forms.
What to do: Tell people at the point of collection what you will use their data for, and then only use it for that purpose. If you later want to use it for something else (say, marketing to someone who filled in a support form), that needs its own basis, usually a separate opt-in.

Trigger: You use cookies on your website that are optional to the user’s experience, eg. the Google AdWords remarketing tag or the Facebook advertising pixel.
What to do: Unless you’re actively targeting people in the EU, ring-fence your remarketing so that these tags do not fire for visitors in the EU. If you do target the EU, load these tags only after the visitor has opted in (a box they tick themselves, not one pre-checked for them) and keep a record of that choice.

Trigger: You track website visitors using Google Analytics.
What to do: You or your website administrator may notice a message from Google next time you log in to Google Analytics (GA). This is about how long your GA account retains user-level and event-level data about your website visitors (the right to have data ‘forgotten’ is an important part of the GDPR); it does not affect the aggregated reports. Google has set the default to 26 months, but you may want to change it to 14 months, the shortest option GA offers, if you can’t justify holding this data for longer. Use the link that Google provides when you log in to GA to do this. Here’s a link to GA’s Data Retention controls: https://support.google.com/analytics/answer/7667196

Trigger: You use Google Analytics to track location information derived from IP addresses.
What to do: If you have this set up, enable IP anonymization in GA. Google then zeroes the last octet of IPv4 addresses (the last 80 bits of IPv6 addresses) before the hit is stored, so only a coarse, city-level location survives. In gtag.js this is the anonymize_ip setting; in the older analytics.js it is the anonymizeIp field. Speak to your website administrator to arrange it.

Trigger: You use other online marketing tools (eg. a CRM, various plug-ins etc.) which collect and use IP addresses, especially when combined with browsing history and website actions (such as button clicks).
What to do: Stop using these tools if they aren’t essential to your business. If they are, check what the vendor is doing to comply with the GDPR and make sure you have their data processing terms in writing.

Trigger: You are already storing the email address of someone within the EU. This could happen if:
What to do: Go through your email list and look for European email addresses. You can do this by looking for appropriate suffixes, eg. .co.uk or .de, or by using your email software (like MailChimp), which can identify location from the IP address when the recipient opens the email. Suffix matching is only a first pass, not proof: people in the EU often use gmail.com, outlook.com or .com business addresses, and location from open tracking is itself processing of their IP address, so use it sparingly. Once identified, if their consent to be on your email list is not already recorded, you need to email them and ask them to opt in to continue receiving your updates. If they don’t opt in, you need to remove them from your email list.

Trigger: You add email addresses (or any other details) to your email list when someone purchases from you, enters a competition, registers for a webinar, etc.
What to do: Add a visible tick-box underneath these forms (not pre-checked, and separate from any terms-and-conditions box) asking for consent to add them to your email list, eg. to receive newsletters. Record when they ticked it and what wording they agreed to.

Trigger: You are collecting email addresses and adding them to your email list.
What to do: Even though these email addresses may not belong to people within the EU, you should still follow best practice. This will serve you well in your marketing and get you ready in case there are changes to Australia’s data protection rules in the future. Please note these are not compulsory, only best practice tips:
For anyone using MailChimp, you might find this useful: https://blog.mailchimp.com/gdpr-forms-and-more-tools/

Trigger: You copy any information about people out of your social media sites, eg. the names of people who have liked a post, attended a Facebook event, or the names of people you are connected to on LinkedIn.
What to do: Like Google, MailChimp and other online solutions that deal with personal data, all the social media channels will also need to comply with the GDPR, which in turn covers their users. BUT, if you take any of this data outside the social media platform, you become responsible for that copy (in GDPR terms, you are now the data controller for it), which is a trigger for complying with the GDPR. Consider whether you really need to copy information outside of these channels; it’s a lot simpler if you don’t.
*There are more triggers than these (eg. if you translate any of your website content into an EU language other than English), but I have tried to focus on the main ones that affect my clients.
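To make the two website-side items in the table concrete (ring-fencing optional tags for EU visitors, and the Google Analytics IP-anonymization setting), here is an added example in JavaScript. It is not code from the original post, nor from Google or Facebook. The tag inventory and its placeholder IDs, the shape of the consent record, the EU/EEA country list, and the idea that the server passes the visitor’s country code to the page (for example from a CDN geo header) are all assumptions made for illustration. The one setting that is real is the gtag.js anonymize_ip parameter.

```javascript
// Added example: a small consent gate that decides which tracking tags a page
// may load, given where the visitor appears to be and what they have agreed to.
// Not the original post's code. Tag ids, the consent-record shape and the geo
// source are hypothetical; the EU/EEA list below is constructed for the example
// and should be checked against a current official list before use.

// ISO 3166-1 alpha-2 codes the ring-fence has to cover (EU plus EEA; GB is
// included because it was an EU member when the GDPR took effect).
const EU_EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'GB', 'IS', 'LI', 'NO',
]);

// Hypothetical tag inventory. `optional` marks tags the site works without
// (remarketing, ad pixels); those are the ones that need an opt-in in the EU.
// The XXXX ids are placeholders.
const TAGS = [
  { id: 'google-analytics', category: 'analytics', optional: false,
    src: 'https://www.googletagmanager.com/gtag/js?id=UA-XXXXXXX-1' },
  { id: 'adwords-remarketing', category: 'advertising', optional: true,
    src: 'https://www.googletagmanager.com/gtag/js?id=AW-XXXXXXXXX' },
  { id: 'facebook-pixel', category: 'advertising', optional: true,
    src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Build the consent record you would store as evidence: what was agreed, when,
// and under which wording. Only a literal `true` counts as an opt-in, so a
// pre-filled string or a missing box never turns into consent by accident.
function makeConsentRecord(choices, policyVersion, now = new Date()) {
  return {
    analytics: choices.analytics === true,
    advertising: choices.advertising === true,
    policyVersion,
    recordedAt: now.toISOString(),
  };
}

// Decide which tag ids may load. `countryCode` is assumed to come from the
// server (e.g. a CDN geo header). An unknown or empty country fails closed and
// is treated as EU, because the cost of a wrong guess is asymmetric.
function allowedTags(countryCode, consent) {
  const cc = String(countryCode || '').trim().toUpperCase();
  const treatAsEu = cc === '' || EU_EEA.has(cc);
  return TAGS.filter((tag) => {
    if (!tag.optional) return true;   // essential tags always load
    if (!treatAsEu) return true;      // ring-fence applies to EU visitors only
    // Inside the EU an optional tag needs an explicit, recorded opt-in
    // for its category; "no answer yet" is not consent.
    return Boolean(consent && consent[tag.category] === true);
  }).map((tag) => tag.id);
}

// gtag.js configuration for Google Analytics. anonymize_ip is the real
// setting: Google zeroes the last octet of IPv4 addresses (last 80 bits of
// IPv6) before the hit is stored.
function gaConfig(propertyId) {
  return { property: propertyId, params: { anonymize_ip: true } };
}

// Browser side: inject only the allowed tags. Returns the ids it decided on,
// and is a no-op outside a browser so the decision logic can be exercised
// stand-alone (e.g. in Node).
function loadTags(countryCode, consent, propertyId) {
  const ids = allowedTags(countryCode, consent);
  if (typeof document === 'undefined') return ids;
  for (const tag of TAGS) {
    if (!ids.includes(tag.id)) continue;
    const s = document.createElement('script');
    s.async = true;
    s.src = tag.src;
    document.head.appendChild(s);
  }
  if (ids.includes('google-analytics')) {
    window.dataLayer = window.dataLayer || [];
    const gtag = function () { window.dataLayer.push(arguments); };
    gtag('js', new Date());
    const cfg = gaConfig(propertyId);
    gtag('config', cfg.property, cfg.params);
  }
  return ids;
}

// Stand-alone demonstration of the decisions (no DOM needed):
console.log('DE, no answer yet  ->', allowedTags('DE', null));
console.log('AU, no answer yet  ->', allowedTags('AU', null));
console.log('FR, ad opt-in      ->',
  allowedTags('FR', makeConsentRecord({ advertising: true }, 'privacy-v1')));
```

The decision lives in one pure function so it can be unit-tested without a browser, and the consent record carries a timestamp and policy version because, if you are ever asked to show that someone opted in, "a box was ticked" is not enough on its own. Treating an unknown country as EU is deliberate: a failed geo lookup should not quietly switch remarketing back on.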
Don’t panic. There are a few checks and balances you may now need to put in place. If you get something wrong but can show you were genuinely trying to comply (a documented plan, records of consent, prompt action on requests), regulators are required to take that into account when deciding on any penalty. But take this opportunity to get a better understanding of what you’re doing with people’s data (irrespective of whether they are within the EU), why you’re doing it, and to have a clear plan for how you’re going to handle personal information moving forward. It’s only a matter of time before consumers in Australia expect higher privacy protection, and we too may have to comply with stricter rules in the future.