Even if you haven’t heard of the GDPR (General Data Protection Regulation) or are not sure how it affects Australian businesses, it is important to review your exposure to these new European Union (EU) regulations, which came into effect on the 25th of May 2018. While managing our clients’ transition to and compliance with the GDPR, we have collected some important resources, insights and practical steps you can take as a website owner, operator or marketer. Even if you don’t think you are affected, it is worth reviewing this article to avoid the pitfalls that almost all digital marketers in Australia are being exposed to.
Here is a quick introduction followed by a guide on practical steps to reducing or removing risk for website owners.
This guide aims to help you understand and take the first steps towards assessment and compliance with GDPR for website owners. (It’s recommended that you seek your own professional legal advice).
The European Union has enacted a regulation called the European Union General Data Protection Regulation (the GDPR). It contains new worldwide data protection requirements that apply from 25 May 2018. The law seeks to standardise the management of EU citizens’ data collected by companies both within the EU and worldwide by providing guidelines, assigning rights to individuals and managing enforcement.
STEPS TO PREPARE FOR GDPR
Take the following steps to understand and prepare your web and marketing teams and systems for the GDPR.
DETERMINE IF THE GDPR APPLIES TO YOU
The official advice is that the GDPR applies to the data processing activities of processors and controllers outside the EU, regardless of size, where the processing activities are related to:
- offering goods or services to individuals in the EU (irrespective of whether a payment is required)[6]
- monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU (Article 3).[7]
Essentially if you host a website that collects any information, including Google Analytics, from people in the EU then the GDPR regulations apply to you.
Australian business owners should also consider the advice concerning the GDPR published on the Office of the Australian Information Commissioner website. You can also visit the official portal for the GDPR, and the regulation text itself, which has been kindly arranged in an easy-to-read format.
The chances that EU regulators will seek to enforce the GDPR against website operators that do not target or transact with European Union citizens (including Australian operators) are very low. But the GDPR does establish some good standards that all website owners should consider implementing. After all, some of the GDPR standards are already Australian law.
“GDPR MAY ALREADY BE AFFECTING YOUR WEBSITE AND ONLINE MARKETING SYSTEMS”
It’s important to know that the GDPR may actually already be affecting your business. In many cases, it is likely that digital marketing systems that you use have already made changes (on your behalf) to help protect themselves and their customers. For example, if you use Google Analytics your settings have already been changed. It’s highly recommended that you review your data retention settings to ensure they are optimal for your business, and that goes for any other system you use. Google’s GDPR advice is available here.
The Hydra Digital team regularly monitors online requirements for digital marketing systems and updates them to be optimal for our clients, which is how the GDPR came to be on our radar.
“IF YOU OUTSOURCE YOUR DIGITAL MARKETING, ASK YOUR SUPPLIERS WHAT SYSTEMS YOU ARE USING AND IF GDPR AFFECTS THEM.”
If you outsource your digital marketing, ask your suppliers what systems you are using and whether the GDPR affects them. The more sophisticated your marketing systems, automation and tracking are, the higher the likelihood that action will be required.
This includes but is not limited to:
- Customer Relationship Management (CRM) systems
- Advertising platforms
- Marketing automation systems
- Data Management Platforms
- Email marketing systems
- Tracking software
- Analytics products
- Accounting software
- Payment gateways
- Messaging technology
STEPS TO TAKE – FOR YOUR WEBSITE
Take the steps below to prepare your website for GDPR. Even if you do not operate in the EU some of these steps are already Australian law.
- Audit the systems that you use to collect and process customer data and review any changes that may have been made by the providers; you need to review them for relevance and accuracy. With many systems hosted overseas, this is an important step.
- Update the privacy policy on your website and include reference to data collected on your own website, for example email addresses and phone numbers, as well as data collected by tracking systems or pixels you use for marketing (such as Facebook, LinkedIn and Google).
- Have a clear opt-in in all areas of your website where you intend to use the data for future marketing. For example, if you are capturing leads, have an opt-in checkbox and a short description of how you will use someone’s email address.
- Have a clear unsubscribe function for all channels. This is already Australian law, so make sure you have a clear and easy way to unsubscribe from electronic communications.
- Notify website visitors that you use cookies for collecting data. To comply with the GDPR, you can use a popup that must be accepted by users who visit from the EU, to ensure this message is seen.
- Have a process for dealing with data breaches and for notifying people if they are impacted. A great local example is how GoGet (an Australian car sharing company) dealt with a hacker. You can read more about their case here.
STEPS TO TAKE – FOR SOCIAL MEDIA
The following advice and resources are aimed at marketers using social media platforms and the changes that have been put in place for GDPR.
- If you use Facebook Pixel tracking, under Facebook’s new Terms of Service you are required to notify visitors to your website that you are collecting data through their pixel, and the purpose for which you are collecting it. Facebook’s advice can be found here.
- If you use LinkedIn for marketing purposes, or want to understand the changes that have been put in place for users, their controls and the impacts on different types of users, check here on LinkedIn.
- If you use Twitter for marketing purposes, or want to understand how Twitter has responded to the GDPR, you can find their information here on Twitter.
ADDITIONAL STEPS IF YOU OFFER PRODUCTS OR SERVICES IN THE EU
If you offer services or products to the EU, you should complete all of the steps recommended in the sections above and prepare for the extra requirements outlined below.
CONSENT FOR COLLECTION OF DATA AND RIGHTS
The GDPR requires explicit permission before collecting or storing user data, and at the same time gives users the right to request access to that data and to ask for it to be deleted. To be compliant you need to address the following areas.
DATA RETENTION
Under the GDPR, customer data may only be retained for a purpose that is disclosed to the individual. This means you need to have a reason for retaining individual data, be able to explain that reason, and dispose of the data when the reason no longer applies. Attempts to retain EU citizens’ data indefinitely without a valid ongoing reason are likely to fall under more intense scrutiny.
Implement a data retention policy, with a retention period and an expiry date for EU data, to stay on the right side of the GDPR.
DISCLOSURE OF BREACHES
According to the GDPR, you need to inform your users about any kind of data breach you have experienced within 72 hours of finding out about the incident. Your responsibility as a website owner is to monitor web traffic and server logs and to have processes in place to prevent data breaches.
In Australia, the federal government has passed data breach notification laws requiring that people be notified of their data being inappropriately accessed, in effect as of February 2018 under the Privacy Amendment (Notifiable Data Breaches) Act.
The legislation is restricted to incidents involving personal information, credit card information, credit eligibility and tax file number information that would put individuals at “real risk of serious harm”. The notification laws apply to companies covered by the Privacy Act and exclude intelligence agencies, political parties and small businesses with a turnover of less than AU$3 million annually.
Organisations have 30 days to declare the breach, which is longer than under the GDPR, where organisations have 72 hours to notify authorities after becoming aware of a breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
RIGHT TO BE FORGOTTEN
Article 17 of the regulation, titled the Right to Erasure (the right for an individual to be “forgotten” by an organisation that holds their data), states that people must be able to request that their data is deleted.
The article states: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
Essentially, you need to provide the option for a person’s data to be erased permanently on request.
RIGHT TO CORRECT INFORMATION HELD THAT IS INCORRECT
The GDPR also states that EU users have the right to request that any incorrect information held about them by an organisation be corrected, and the organisation must update it on request.
Acting on these requests is not optional for companies working with people within the EU.
PROTECTION AGAINST AUTOMATED DETERMINATIONS
Under the GDPR, individuals are protected against being subject to determinations made by automated systems without human intervention. If you’re wondering how this might apply to your customers, you want to avoid systems similar to the one the Australian Department of Human Services adopted for its Centrelink automated debt recovery project.
EU citizens are protected against these types of systems, which are not (yet) illegal in Australia.
If you are offering services to the EU we highly recommend that you seek professional help to transition your company and put in place processes for GDPR compliance.
CONCLUSION
While GDPR enacts data regulation that might not apply to your business directly, it likely affects some of the digital marketing and social media systems you use already. The GDPR also gives Australian businesses a look into EU ideas of best practices and consumer rights with respect to the collection of data that can provide guidance for internal efforts and insight into what future Australian policy and law may hold.
Australia’s Privacy Act has more similarities than differences with GDPR and it is worth reviewing if you are unfamiliar with how it impacts your business.
Finally, investing now and staying ahead of the curve with data protection and consumer rights could pay off in the long term for you, and taking responsibility for and care of your customers’ data is simply good business.
If you have any questions about how GDPR may affect your website or digital marketing, feel free to contact me directly.
Sources
General Data Protection Regulation (GDPR) – Final text neatly arranged – https://gdpr-info.eu/
Data protection | European Commission – https://ec.europa.eu/info/law/law-topic/data-protection_en
EU GDPR Information Portal – https://www.eugdpr.org/
General Data Protection Regulation guidance for Australian businesses – https://www.oaic.gov.au/media-and-speeches/news/general-data-protection-regulation-guidance-for-australian-businesses
Notifiable Data Breaches scheme – https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme