You may have noticed a few online articles doing the rounds about the European Union’s General Data Protection Regulation (GDPR).
You’d be forgiven for thinking that we don’t have to worry about GDPR compliance here in Australia, but this is not the case.
If you run a business with a website or are a key decision maker when it comes to an online presence, then you need to be in the loop as to what these changes mean in terms of privacy policies and personal data collection.
The GDPR applies from 25 May 2018. Although it is EU law, its reach extends to businesses outside the EU (more on that below). The timing could hardly be better, given the recent Facebook–Cambridge Analytica data scandal.
People are becoming more and more concerned about whether their personal data is being misused and want to see something done about the issue.
Everyone is a bit confused about what GDPR compliance means and what they have to do about it. But it’s really not as scary as you may think.
So let’s take a look at everything in a bit more detail.
What is the GDPR anyway?
The GDPR outlines new data protection requirements which will standardise data protection laws across the EU.
The new laws are aimed at preventing businesses from potentially misusing their customers’ data and giving people more power over how their personal data is handled.
The GDPR applies to any business, of any size, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour there, and so collects their personal data.
But how does this impact us here in Australia?
Well, the GDPR protects people who are in the EU, whatever their citizenship, and it is engaged when you offer them goods or services or track their behaviour there. So if someone in the EU is viewing an Australian website, such as an online store, the regulation applies to the owner of that website.
Under the GDPR, such a visitor has the right to request the following from the owner of the website:
- Ask for a copy/summary of all personal data collected by the website
- Ask for any errors in their personal data be corrected (e.g. misspelling of their name, change of address)
- Ask for their personal data to be completely deleted
- Ask to have their data moved (e.g. switching service providers)
Hmmm…you might say. How does this work? What exactly is “personal data”? What do I have to do to ensure GDPR compliance within my business? What happens if I just ignore a personal data request?
So many questions!
First, let’s take a look at what is actually classified as personal data. Examples include:
- Name and surname
- Home address
- Email address which includes a name
- Identification card number
- Location data
- IP address
- Cookie ID
- Advertising identifier on a phone
- Data held by a hospital or doctor
Think about how much personal data you yourself knowingly or unknowingly hand over to a company whenever you visit their website.
If you’ve entered your email address into a newsletter signup, at the very least your email address, and usually your name, are being stored in a database somewhere.
But a website’s server logs and analytics also record your IP address, and an approximate location derived from it, every time you visit, without you entering anything.
Under the GDPR, a person in the EU can ask the owner of a website to delete all of this data, whether they typed it into a form or it was collected simply because they visited the site. The right to erasure has exceptions (for example, records you are legally required to keep), but you need to be able to act on it for everything else.
Consider the Implications
Think about all the ways you collect the data of visitors to your website and the many different ways you actually use that data.
If you run an online shop and ship goods to the EU, you’re probably keeping historical records of customers’ shipping details.
Are you using your customers’ email addresses in email marketing platforms like MailChimp? Do you feed these email addresses into Facebook for targeted advertising? What about direct mail campaigns?
Do you currently know how you would go about deleting all of a customer’s data if they asked you to? Would you know how to easily extract copies of ALL their data from the various databases it lives in?
In terms of GDPR compliance, you have the responsibility to:
- Reply to the request within one month (extendable by a further two months for complex or numerous requests, provided you tell the person within the first month)
- Provide their personal data in a “commonly used electronic format” (e.g. a CSV or Excel spreadsheet sent by email)
- Respond to requests free of charge
- Charge a reasonable fee, or refuse to act, only where a request is manifestly unfounded or excessive (e.g. repeated requests for the same data); you must be able to justify that decision
In light of this, Australian businesses are encouraged to ensure that they have procedures in place to deal with these requests in a timely manner.
Is this really going to affect me though?
Under the GDPR, fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, can be issued to non-complying organisations.
In all likelihood, the legislation is going to mostly affect larger corporations who have a physical presence in the EU e.g. Google and Apple.
These types of companies are probably going to be targeted by regulators first, due to the high volume of personal data they collect from people all over the world.
In all probability, smaller companies and businesses without a physical presence in the EU are less likely to face huge fines.
However, don’t let this thinking stop you from making the necessary changes to how you collect and use your customers’ personal data. There are still steps that all Australian businesses need to take under the GDPR.
4 steps for dealing with this legislation
While we certainly don’t claim to be experts in GDPR compliance, here are four best practices we recommend you consider enacting for your business or discussing with your employer.
1. Formalise a process
Creating a formal process for dealing with personal data requests and reviewing how you are currently storing personal data is really going to be your first step.
Consider this: if someone in the EU sends you a request by email to delete all of their personal data, how would you process that request within one month? Is there someone within your organisation who could easily do so? Or would multiple people across different departments need to be involved? What checks could you run to make sure all of the data has actually been deleted, including copies in marketing platforms and backups?
2. Include an opt-in on all your data collection forms
Ensure your customers are given a clear opt-in (an unticked box they must tick themselves; a pre-ticked box does not count as consent under the GDPR) as well as an easy way to opt out of ongoing communications. Be sure to also state why you are collecting their data and how you will be using it.
3. Implement a cookie notice for people located in Europe
If you’re currently running re-marketing ads, then adding a cookie notice to your site is an easy way to tell people in the EU that you are collecting their data for advertising. The notice gives people the option to consent to their data being collected, which is a key element of the GDPR legislation; for that consent to mean anything, the re-marketing tag should not fire until they have agreed.
4. Adjust your Google Analytics settings
You can enable IP Anonymization in Google Analytics. Before an address is stored, Google sets the last octet of an IPv4 address (or the last 80 bits of an IPv6 address) to zero, so the full address is never kept. This reduces how identifiable a visitor is rather than guaranteeing anonymity, and you still get location reports; they will just be a bit less accurate.
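To make concrete what that setting actually discards, here is an added example (not code from the original article, and not Google’s own code) that re-implements the same truncation in JavaScript and applies it to a couple of constructed access-log lines. It assumes the documented behaviour of zeroing the last IPv4 octet and the last 80 bits of an IPv6 address; the function names and the sample log lines are this example’s own.

```javascript
// Added example (not code from the original article, and not Google's own code):
// a re-implementation of what Google Analytics' IP anonymization does to an
// address before storing it, so the effect can be seen on realistic input.
// Assumption: GA zeroes the last octet of an IPv4 address and the last 80 bits
// (five 16-bit groups) of an IPv6 address. Function names and the sample log
// lines below are this example's own.

function anonymizeIPv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error(`not a valid IPv4 address: ${ip}`);
  octets[3] = '0';               // drop the host part: 203.0.113.57 -> 203.0.113.0
  return octets.join('.');
}

function anonymizeIPv6(ip) {
  // Expand the "::" shorthand into eight 16-bit groups first.
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`not a valid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every(g => /^[0-9a-fA-F]{1,4}$/.test(g))) {
    throw new Error(`not a valid IPv6 address: ${ip}`);
  }
  // Keep the first 48 bits (three groups), zero the remaining 80 bits.
  for (let i = 3; i < 8; i++) groups[i] = '0';
  return groups.map(g => g.toLowerCase().replace(/^0+(?=.)/, '')).join(':');
}

function anonymizeIP(ip) {
  return ip.includes(':') ? anonymizeIPv6(ip) : anonymizeIPv4(ip);
}

// Apply the same truncation to a web server access log line (the client
// address is the first field), e.g. when keeping logs at rest for longer.
function anonymizeLogLine(line) {
  const space = line.indexOf(' ');
  if (space === -1) return line;
  return anonymizeIP(line.slice(0, space)) + line.slice(space);
}

// How many client addresses collapse onto one truncated value: a measure of
// how much identifiability the setting actually removes (and how little,
// for IPv4, where only 256 hosts share each truncated address).
function hostsSharingTruncation(ip) {
  return ip.includes(':') ? 2 ** 80 : 256;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.57 - - [25/May/2018:10:12:01 +1000] "GET /products HTTP/1.1" 200 5123',
  '2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:12:05 +1000] "GET /cart HTTP/1.1" 200 2048',
];

for (const line of SAMPLE_LOG) console.log(anonymizeLogLine(line));
```

Running it prints the two lines with `203.0.113.0` and `2001:db8:85a3:0:0:0:0:0` as the client addresses. The point the setting name hides is in `hostsSharingTruncation`: for IPv4 the truncated address still narrows a visitor down to one of 256 hosts, so combined with a timestamp and user agent it can remain personal data. Treat the setting as a reduction in risk, not as a way out of the obligations above.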
Another setting you can adjust in Google Analytics is how long your user-based data is stored. The available retention periods are 14, 26, 38 or 50 months, or no automatic expiry; pick the shortest that still covers your reporting needs rather than leaving the default, and check your settings and adjust if needed.
Turning a negative into a positive
The GDPR is really about building trust with the people who you engage with through your website. So rather than perceiving GDPR as an inconvenience to your business, think about the legislation as an opportunity to improve your relationship with your customers.
Instead of “just trying to meet the legal requirements”, you could promote your business as taking a proactive approach in respecting personal data and privacy.
By auditing your data collection processes, you might even identify opportunities to improve user experience or simplify how you retrieve a person’s data when you need it.
A Final Thought…
At the end of the day, any measures you take to engage with your customers in a way which speaks to what they want to know and how they want to be communicated with will be beneficial to your business in the long run.