This article is not intended to provide or replace legal advice. Please seek your own independent legal advisor if you need or want to achieve compliance with GDPR.
What is GDPR?
The GDPR (General Data Protection Regulation) is a new privacy law originating from Europe. It applies to all organisations storing data about, or providing goods and services to EU and UK citizens. GDPR will be active from 25th May.
GDPR is generating a lot of attention because the fines for a breach are hefty, up to 4% of annual global turnover, or 20 million Euros (whichever is greater). The scale of the fine does imply it is primarily aimed at larger businesses, but this is not explicitly stated.
Who needs to comply?
While Australian businesses may assume they are exempt from this law, they are actually covered because the law applies to the citizen and not the business. If a European citizen can find and access your webpage on the internet then the law applies to your business.
For Australian businesses there are a few obvious places where data about European citizens may be kept:
- Google Analytics
- Any other analytics tool
- Email automation
- Any other marketing “lists”
Unless an Australian business is specifically targeting a European market (including the UK) by selling goods and services in Pounds or Euros, or is specifically seeking to advertise to European citizens, the EU is likely to turn a relatively blind eye to its compliance with GDPR. There is a clause in the regulation that protects businesses that are not targeting European citizens. That said, as an Australian business grows it may be more likely to reach European consumers, and it should be aware that its risk of non-compliance increases as the volume of European traffic to its website increases.
Keep in mind that if you are an Australian drop-shipping retailer and you have a European or British hostname for a mirror ecommerce site (e.g. a .co.uk version of your website), then you will be deemed to be targeting European citizens and so you should apply GDPR rules and regulations to your entire website.
Is my business at risk of compliance issues?
The types of information the EU is trying to crack down on are those that count as Personally Identifiable Information (PII), including but not limited to:
- email addresses
- bank details
- social media posts
- medical information
- IP addresses
- any other data that could identify a person
They are also more concerned about issues relating to the privacy of children, criminal convictions and offences, anything medically related, and businesses that process large volumes of data. The most serious infringements involve sharing or accidental breach of private data. Think Facebook-style breaches.
Note: in Australia we already have laws around sharing or breaching PII, especially data involving tax file numbers and/or medical information. Any business working in the financial or health space needs to already have practices in place to protect the privacy of Australian citizens.
Google Analytics already forbids PII as part of its Terms of Service, however it does store client cookie data in an anonymous client ID and also has a unique User ID option as well. Theoretically, if you knew an individual’s client ID or User ID then you could trace Google Analytics data to a specific individual. This is not necessarily a problem if you are not doing anything malicious with that data, but it becomes a grey area if you are targeting European citizens.
What are the rules?
For marketing campaigns that are specifically targeting Europeans, forms capturing any kind of PII (including an email address) need to state unambiguously that the email address will be stored, and how it will be used. This can be a simple statement such as “your email address will be used to subscribe you to our newsletter”. Cloud-based email subscription providers are all releasing GDPR-approved forms that you can use for this purpose.
Explicit consent (e.g. an unticked checkbox that must be manually ticked to give consent) is required for processing sensitive personal data, but the majority of Australian businesses are not going to need to comply with that regulation. Merely providing information about your goods and services through an email campaign is unlikely to be highly sensitive.
As part of the GDPR, EU citizens may request to be removed from any or all of your data storage locations, including CRM, email software and Google Analytics, or to receive a copy of their data in an electronic format. While it is unlikely that an Australian small business would receive such a request from an EU citizen, the new law states that the business must comply with the request of the individual. To enable this, data analytics tools such as Google Analytics have recently introduced new features that support the ability to delete and/or export specific records from the analytics database.
Another area of privacy that is being targeted as part of the GDPR is that businesses may not ask for information in excess of what is needed in order to complete the purpose of the data capture. So if the purpose is to share a free ebook and subscribe a person to a newsletter, the person must not be asked to enter private information such as tax file numbers. Enforcing this kind of law is common sense and will not impact businesses that are already doing the right thing.
Do keep in mind that any kind of personalisation, segmentation, A/B testing or targeting campaign requires some level of data to drive the segmentation (often stored in cookies). If you want to err on the side of caution and this data usage is not described on your website, an Australian business might consider checking for European IP addresses before adding a person to any segmentation or remarketing list.
GDPR does allow the use of data for legitimate interest, i.e. if someone has subscribed to your blog you can still send them relevant offers and retarget them. That said, you are not allowed to sell European email contacts to other businesses without the individuals’ consent.
Is there a way to be proactive without having to change my website?
If you are an Australian business and you only serve Australians and you don’t send unsolicited emails but you still want to make sure you are definitely compliant with the GDPR, you can apply a filter to your Google Analytics and/or Google Tag Manager configuration that excludes all visitors from EU or UK from your Google Analytics data. This will reduce your total visitor count and sessions in Google Analytics, but will ensure that you never need to worry about removing an individual from your analytics.
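The geographic gate described above (and the IP check before adding someone to a remarketing list, mentioned earlier) can be expressed as a small piece of tag-manager logic. This is an added example, not code from the article or from Google; it assumes a hypothetical `country` value that your web server or CDN has already derived from the request IP and written into the data layer, and the `ga_allowed` / `ga_blocked` event names are invented placeholders for whatever your GTM trigger listens for.

```javascript
// Added example: gate Google Analytics on visitor region and explicit consent.
// Assumes the server/CDN populates `visitor.country` (ISO 3166-1 alpha-2) from
// a geolocation lookup of the request IP; the browser cannot do this itself.

// EU member states plus the UK, as the article scopes it. Extend this set
// (e.g. with EEA states) if your legal advice says they are in scope too.
const GDPR_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'GB',
]);

// Decide whether this visitor may be sent to analytics / remarketing.
// An unknown country is treated as in scope (fail closed): a geolocation
// outage must never leak EU/UK visitors into the analytics database.
function analyticsDecision(visitor) {
  const country = String(visitor.country || '').toUpperCase();
  if (country && !GDPR_COUNTRIES.has(country)) return 'track';
  if (visitor.consent === true) return 'track'; // explicit opt-in overrides region
  return country ? 'exclude_gdpr' : 'exclude_unknown';
}

// Push a placeholder event onto the data layer so a GTM trigger can fire the
// GA tag only on `ga_allowed`. Returns the decision for logging and testing.
function gateAnalytics(dataLayer, visitor) {
  const decision = analyticsDecision(visitor);
  if (decision === 'track') {
    dataLayer.push({ event: 'ga_allowed', anonymizeIp: true });
  } else {
    dataLayer.push({ event: 'ga_blocked', reason: decision });
  }
  return decision;
}

// Stand-alone run with constructed visitors (sample data, not real traffic).
if (typeof window === 'undefined') {
  const demo = [];
  gateAnalytics(demo, { country: 'AU' });                 // tracked
  gateAnalytics(demo, { country: 'FR' });                 // excluded
  gateAnalytics(demo, { country: 'GB', consent: true });  // tracked (consent)
  gateAnalytics(demo, {});                                // excluded, unknown
  console.log(demo);
}
```

Because the region comes from a server-side IP lookup, the check happens before any GA cookie is set, so there is nothing to delete later for the visitors it excludes.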
I can help you to set up a GDPR analytics filter, audit your data for PII or help you to exclude data if you feel that this is a good option for your business. For more information about my services, visit my agency website http://www.web-data-analytics.com.
For more information about GDPR, check out Hubspot’s informative article.