Spectators of this year’s Eurovision Song Contest would be forgiven for wondering where exactly Europe begins and ends. With entries from Australia, Israel and many other non-European countries, the competition has no geographical boundary.
And whilst most Australians will have heard of the Eurovision Song Contest, we may not be so familiar with the acronym GDPR, or the General Data Protection Regulation to give it its full name, which is an EU regulation that comes into effect on 25 May. Just like Eurovision, GDPR stretches far beyond EU borders and has implications that could see Australian businesses fined up to AU$30 million or 4% of their annual global revenue if they break the rules.
So, what is GDPR?
GDPR is a European Union privacy law that aims to bolster the rights and protection of EU citizens, specifically regarding how their personal data is collected, stored and used by any organisation globally. Essentially, the new privacy law aims to put consumers back in control of their own data, which is, of course, in the best interest of all of us.
If your business operates in the EU, offers goods or services in the EU, or monitors the behaviour of individuals in the EU, GDPR applies to your business. In short, if your online or offline customers, mailing list subscribers or website visitors include an EU citizen, this applies to you.
If Facebook’s recent Cambridge Analytica scandal demonstrates anything, it is that personal data is a very sought-after commodity for marketing, and there are many organisations out there mishandling the data they have been entrusted with by users or customers.
What do you need to do?
The GDPR shares many similarities with our own Privacy Act 1988, but there are some noticeable differences and, let’s face it, marketing, technology and the interconnectivity of people have evolved dramatically in the last two decades. So now is a good time to brush up on your data protection requirements with your legal team, to ensure you comply.
Generally, businesses collecting and using data of EU citizens, and anyone else for that matter, should consider the following best practice advice.
When it comes to storing and using personal data, you need to ensure you have consent to do so. This relates not only to the personal data you collect from 25 May onwards, but also to data that already sits in your mailing lists or databases. The GDPR states that businesses must obtain specific consent from their contacts and clearly explain how that data is going to be used. A simple solution is to ensure you have an opt-in function on any data capture forms. However, what may be more problematic is collecting evidence on those already in your database, that is, working out where that personal data has come from and whether you have permission to use it. This is something you need to gain clarity on. You may have to reach out to these contacts to obtain more explicit consent for future marketing purposes.
The ‘right to be forgotten’ is an interesting deviation from our own Privacy Act 1988; you need to provide clear details on how individuals can contact your business to access, correct, update and delete the information you store. It is therefore important to identify exactly how you store data. It sounds simple, but it’s not uncommon for established businesses to have numerous databases and spreadsheets containing this information, dotted around their filing system.
Newsletters and direct mail are very effective marketing methods, but only if your contacts are engaged with your organisation and value the information you provide. If for whatever reason they wish to stop receiving your communications, you need to provide them with a simple, easy method to unsubscribe. It’s worth noting that unsubscribing from communications is totally different to requesting the deletion of their data, which is even more reason to ensure you provide clear details on how a contact’s data is going to be used, to avoid confusion.
If you need to discuss your current situation and how to evolve your data management practices, please get in touch.