Teddington Blog

Who needs to comply with the new EU General Data Protection Regulation (GDPR) from 25th May 2018

Article by Flavia C. Ribeiro De Souza

In this article we will cover:

  • What is the GDPR
  • Who needs to comply?
  • I’m not in the European Union: will it affect my business?
  • The issue of consent
  • Consequences for non-compliance
  • What you need to do
  • Other resources

What is the GDPR?

The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. It was approved in April 2016 and it comes into full effect next Friday, 25th May 2018.

If you are wondering exactly how it applies to your business and website, please read on.

The GDPR is a new set of rules governing the privacy and security of personal data set out by the European Commission. It is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy and to reshape the way organizations across the region approach data privacy.

It includes a bundle of changes to data protection, requirements for data breach notification and security, the right to ‘be forgotten’ or have your personal data deleted, plus, very importantly, the way you need to get consent from your customers when they sign up to your email list.

Who needs to comply?

You must comply if your business processes personal information AND is processing it as part of an enterprise. It applies to all companies processing the personal data of people residing in the European Union, regardless of the company’s location.

If you offer products or services to people in the EU or follow their behaviour in any way as part of your business, it is likely that your business is caught by the laws.

The GDPR also goes much further than many existing national privacy laws around the world. For example, Australia’s privacy laws apply only to businesses with an annual turnover of more than AU$3 million. In contrast, the GDPR applies to businesses (including online businesses) of any size that deal with European Union citizens as their customers.

But you are not in Europe – does the new law affect your business?

The answer is YES. Even if you’re based overseas but hold data belonging to anyone living in Europe, the GDPR applies to you.

Australian (or non-EU) businesses of any size will need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The problem of ‘consent’

One of the major areas of change and impact is email marketing.

How to collect and store consent?

The bar has been raised to a much higher standard of consent for subscribers based in the European Union, meaning that the way your business has collected consent from EU subscribers in the past might not be compliant anymore.

The new law requires that businesses collect affirmative consent that is “freely given, specific, informed and unambiguous” in order to be compliant.

Consent basically requires a request that is clear and distinguishable from other matters, provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Hence, do not use pre-ticked boxes or any other method of default consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation.

The new law applies to all people who subscribe after 25th May AND to all existing EU subscribers on your email list.

Consequences for non-compliance

The potential penalties for non-compliance are severe. Fines can amount to up to 4% of your global turnover or €20 million (Euros), whichever is the greater.

A company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting an impact assessment.

What you need to do

Email marketers and business owners need to ensure that their programs, consents, unsubscribe options, privacy policies, personal data handling practices and websites are compliant.

Steps you can take before 25 May:

  1. Review and update your Privacy Policy to make sure it is GDPR-compliant (or have it reviewed by a lawyer);
  2. Make sure all of your web forms have a consent tick box and a link to the Privacy Policy;
  3. Insert a statement just below your opt-in or sign up box saying words to the following effect: ‘We collect and use your data according to our Privacy Policy’;
  4. Ensure that your Users are able to change, correct and download their profile;
  5. If you use Cookies on your website, you must show a cookie bar;
  6. For existing subscribers to your list, send out a ‘re-engagement campaign’, i.e., send out an email asking them to consent to, or recommit to, being signed up to your list; and
  7. For new subscribers to your list, make sure your opt-ins are clear and compliant so people know what they are signing up for and consent to receive emails from you (not just the free resource or opt-in magnet).

The above is not an exhaustive list.

Other Resources

The UK Information Commissioner has recommended that companies review privacy notices and ensure there is a plan in place to be in compliance with the new law.

The Australian Office of the Australian Information Commissioner has also released a guide that explains how the GDPR works and includes guidance for business owners; you can find it HERE.

We can assist in updating all of your policies. If you need specific legal advice, or you’re unsure about anything, please contact flavia@tt.legal for assistance.

We also offer an easy ‘off-the-shelf’ solution to update your Privacy Policy to be GDPR Compliant.

Important Note

This is not legal advice and is not an exhaustive list about the GDPR privacy and data law changes. Please seek professional legal advice to suit your specific situation.