This article is not intended to provide or replace legal advice. Please seek your own independent legal advisor if you need or want to achieve compliance with GDPR.

What is GDPR?

The GDPR (General Data Protection Regulation) is a new privacy law originating from Europe. It applies to all organisations storing data about, or providing goods and services to EU and UK citizens. GDPR will be active from 25th May.

GDPR is generating a lot of attention because the fines for a breach are hefty, up to 4% of annual global turnover, or 20 million Euros (whichever is greater). The scale of the fine does imply it is primarily aimed at larger businesses, but this is not explicitly stated.

Who needs to comply?

While Australian businesses may assume they are exempt from this law, they are actually covered because the law applies to the citizen and not the business. If a European citizen can find and access your webpage on the internet then the law applies to your business.

For Australian businesses there are a few obvious places where data about European citizens may be kept:

  • Google Analytics
  • Any other analytics tool
  • CRM
  • Email automation
  • Any other marketing “lists”

Unless an Australian business is specifically targeting a European business (including UK) by selling goods and services in Pounds or Euros or specifically seeking to advertise to European citizens, the EU is likely to turn a relatively blind eye to compliance with GDPR. There is a clause in the regulation that protects businesses that are not targeting European citizens. That said, as an Australian business grows, it may be more likely to reach European consumers and should be aware that its risk of non-compliance increases as the volume of European traffic to its website increases.

Keep in mind that if you are an Australian drop-shipping retailer and you have a European or British hostname for a mirror ecommerce site (e.g. a .co.uk version of your website) then you will be deemed to be targeting European citizens, so you should apply GDPR rules and regulations to your entire website.

Is my business at risk of compliance issues?

The information that the EU is trying to crack down on is, in particular, Personally Identifiable Information (PII), including but not limited to:

  • name(s)
  • photos
  • email addresses
  • bank details
  • social media posts
  • medical information
  • IP addresses
  • Any other data that could identify a person

They are also more concerned about issues relating to the privacy of children, criminal convictions and offenses, anything medically related, and businesses who process large volumes of data. The most serious infringements involve sharing or accidental breach of private data. Think Facebook-style breaches.

Note: in Australia we already have laws around sharing or breaching PII, especially data involving tax file numbers and/or medical information. Any business working in the financial or health space needs to already have practices in place to protect the privacy of Australian citizens.

Google Analytics already forbids PII as part of its Terms of Service; however, it does store client cookie data in an anonymous client ID and also has a unique User ID option. Theoretically, if you knew an individual’s client ID or User ID then you could trace Google Analytics data to a specific individual. This is not necessarily a problem if you are not doing anything malicious with that data, but it becomes a grey area if you are targeting European citizens.

What are the rules?

For marketing campaigns that are specifically targeting Europeans, forms capturing any kind of PII (including email address) need to state unambiguously that the email address will be stored, and how it will be used. This can be a simple statement such as “your email address will be used to subscribe you to our newsletter”. Cloud-based email subscription tools are all releasing GDPR-approved forms that you can use for this purpose.

Explicit consent (eg an unticked checkbox that needs to be manually ticked to give consent) is required for processing sensitive personal data, but the majority of Australian businesses are not going to need to comply with that regulation. Merely providing information about your goods and services through an email campaign is unlikely to be highly sensitive.

As part of the GDPR, EU citizens may request to be removed from any or all of your data storage locations, including CRM, email software and Google Analytics, or to receive a copy of their data in an electronic format. While it is unlikely that an Australian small business would receive such a request from an EU citizen, the new law states that the business must comply with the request of the individual. To enable this, data analytics tools such as Google Analytics have recently introduced new features that support the ability to delete and/or export specific records from the analytics database.

Another area of privacy that is being targeted as part of the GDPR is that businesses may not ask for information in excess of what is needed in order to complete the purpose of the data capture. So if the purpose is to share a free ebook and subscribe a person to a newsletter, the person must not be asked to enter private information such as tax file numbers. Enforcing this kind of law is common sense and will not impact businesses that are already doing the right thing.

Do keep in mind that any kind of personalisation, segmentation, A/B testing or targeting campaigns all require some level of data to provide the segmentation (often stored in cookies), and so if you want to err on the side of caution, an Australian business might consider checking for European IP addresses before adding a person to any segmentation or remarketing list if this data usage is not described on the website.

GDPR does allow the use of data for legitimate interest, i.e. if someone has subscribed to your blog you can still send them relevant offers and retarget. That said, you are not allowed to sell European email contacts to other businesses without the individuals’ consent.

Is there a way to be proactive without having to change my website?

If you are an Australian business and you only serve Australians and you don’t send unsolicited emails but you still want to make sure you are definitely compliant with the GDPR, you can apply a filter to your Google Analytics and/or Google Tag Manager configuration that excludes all visitors from EU or UK from your Google Analytics data. This will reduce your total visitor count and sessions in Google Analytics, but will ensure that you never need to worry about removing an individual from your analytics.

I can help you to set up a GDPR analytics filter, audit your data for PII or help you to exclude data if you feel that this is a good option for your business. For more information about my services, visit my agency website http://www.web-data-analytics.com.

For more information about GDPR, check out Hubspot’s informative article.
