You’ve likely heard something of the GDPR (General Data Protection Regulation), which comes into effect in the European Union (EU) on 25 May 2018, but what IS it, and what implications does it have for Australian-based businesses that don’t actively operate in the EU?
Simply having a website on the World Wide Web, and using social media and email marketing for your business, may bring your collection and use of data within its scope.
Online law specialist Paul Gordon from NDA Law joined Erica Stacey from Scout Digital Marketing and Training on the Scout Facebook Page to discuss GDPR in plain language, and share the points you need to know and understand to prepare for the deadline.
Our session was intended for Australian based freelancers to medium-sized businesses, who are NOT actively doing business in the EU, but may be affected by GDPR simply due to their use of global online platforms.
The recording of the session is available below, along with a written summary of key points and recommendations further below.
Disclaimer: Everything we cover in the video below is very general advice about GDPR, not tailored to any particular person or specific situation. You should not rely upon it or act upon it without getting your own independent legal advice.
What is the General Data Protection Regulation aka GDPR?
GDPR is a new regulation governing the collection and use of the personal data of residents of the European Union (EU).
GDPR has come about due to a growing concern about the amount of data being provided by individuals and how it is being used. While this regulation has been initiated by the EU, it is an important consideration globally as we should all be aware of the data we are sharing, and how it is being used.
The main components of GDPR relate to:
- Monitoring of the activity of EU residents and visitors
- Collection of personal information and sensitive data of EU residents and visitors
- Management and deletion of data
While the regulation relates to residents of and visitors to the EU, and absolutely applies to organisations within the EU, it also affects the rest of the world, where organisations may be monitoring activity or collecting data from EU residents. This may occur through:
- Website use, and analytics tracking
- Collecting data through forms and other subscription methods
- Social media marketing
- Online advertising
What are the penalties for non-compliance?
Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
There is a tiered approach to fines: the lower tier (up to 2% of annual global turnover or €10 million, whichever is greater) covers infringements such as not keeping records of processing in order (Article 30), not notifying the supervisory authority and data subjects about a breach, or not conducting a required impact assessment. It is important to note that these rules apply to both controllers and processors, meaning cloud providers will not be exempt from GDPR enforcement.
Personal data versus sensitive information
What constitutes personal data?
Personal data is anything that identifies, or could be used to identify, an individual, including (but not limited to):
- Email address
- Telephone number
- IP address
What constitutes sensitive information?
Sensitive information refers to (but is not limited to):
- Health records
- Financial information
- Criminal records
Note that GDPR treats health data as a "special category" (Article 9) and criminal records under a separate rule (Article 10). Financial information is not a special category under GDPR, but it is still personal data and warrants the same care.
Understanding the roles and responsibilities of Data Processors and Data Controllers
There are two other components to consider with GDPR:
- Data processors
- Data controllers
Data processors are organisations that collect and process personal data on behalf of someone else; for a small business these are typically platforms such as Google, Facebook, MailChimp etc. (Note that these platforms may also be controllers in their own right for data they use for their own purposes.)
Data controllers are the organisations that decide why and how personal data is collected and used, such as individuals or businesses who use data processors, or who collect data directly.
There are different requirements for both data processors and data controllers under GDPR, and you may have received notifications from data processors you use regarding recent updates to their privacy policies or platform related to GDPR.
Factors to consider for GDPR compliance
Organisations who are based in the EU or who are actively doing business in the EU (or offering products or services globally) absolutely need to review and update their systems to comply. However for those of us who aren’t actively doing business in the EU, we still need to consider the following aspects of our online presence which can be accessed from anywhere in the world:
Data retention settings
Review your data retention settings. You should select a period after which user data is removed from your Google Analytics account. By default Google Analytics sets this to 26 months. Your other options are:
Location tracking by IP address
Location tracking in Google Analytics uses the visitor’s IP address and ISP information to estimate their location. You can opt to turn off location tracking by IP address and use ISP information alone (in the tracking code this is Google’s IP anonymisation option, which truncates the IP address before it is stored).
Review any custom User ID information
This is not a default option in Google Analytics, but your property may be configured to track custom User ID information such as name, location, email address etc. (e.g. for ecommerce websites). This personally identifiable information should be removed from Google Analytics reports; Google’s own terms of service already prohibit sending personally identifiable information to Analytics, so this is worth checking regardless of GDPR.
Languages
As Paul outlines further in the recording, if your website provides content in languages other than that of your target region of business, it may be inferred that you are seeking to do business in those regions, and so may come under more stringent requirements.
Many Australian organisations provide website content in multiple languages for the convenience of Australian residents who may be more comfortable reading in their native language (e.g. council, local government, non-profit and charity websites). These websites should include a notice making it clear that the information is being provided in other languages for the convenience of local visitors.
Use of online forms
All forms should be reviewed for data that is being collected, and consent sought from EU residents, especially if data is later used for targeted advertising or follow up marketing activities.
This also relates to online stores or membership sites, where visitors should be able to perform website activities independently of expressly consenting to tracking and marketing.
Explicit consent should be sought for the collection of any personal data of EU residents used for email marketing purposes.
Social media marketing
On the plus side, general use of social media platforms by individuals and organisations within the platform is okay. The issues begin to arise when data is taken out (e.g. screenshots of posts that may include personally identifiable data used in presentations or reports, Facebook Event data being exported, LinkedIn contacts being exported), or data is introduced, e.g. importing a list of email addresses to Facebook to use for targeted advertising.
Online advertising
As mentioned above, consideration needs to be taken for:
- Remarketing advertising using cookies, including the Facebook Pixel
- Targeted advertising using email addresses
In both cases, explicit consent should be sought from EU residents.
What should businesses do to prepare?
Again, you must consider your specific situation, and seek dedicated legal advice where required.
In general, organisations should:
Conduct a data audit
- What tools/plugins are you using?
  - Review the privacy policies and settings for each
  - Some tools may require data processing agreements (DPAs) to use
  - Some tools may require code or setting updates
- Do you need to keep using all tools/plugins?
  - Are there any tools that can be removed from use or consolidated?
- What data are you collecting?
  - Focus on collecting only data that is absolutely necessary
- How are you storing data?
  - Is it safe and secure?
- What is the process for deleting data, either individually upon request or over time (as data cannot be stored “forever”)?
Actions you may need to take
- Review privacy policies and settings for all tools/plugins being used
- Update code/settings if necessary
- Review and update all online forms
- Add an explicit marketing consent that is separate from any other conditions of use; consent must be opt-in (never pre-ticked or opt-out), and double opt-in is recommended for email marketing
- Develop a process for managing data and update/deletion requests
This is by no means an exhaustive look at GDPR and its implications for Australian organisations, but should give you an introduction to how you should be approaching it.
We have provided some further resources below, and will share more information as it becomes available to us.
As Paul and I discussed as we wrapped up the session, while the chances of the GDPR being enforced against small businesses are slim, they are not zero, and what regulators look for most is that reasonable steps are being taken to comply.
This is a great opportunity for us all to consider and review what information we are providing online, and how we are storing, managing and using it.
With great data, comes great responsibility!
Further GDPR resources: