GDPR stands for “General Data Protection Regulation” and is legislation introduced in the EU which came into force on May 25, 2018. It is the most comprehensive and complex data privacy regulation in the world.
Most importantly, this legislation has teeth – the penalties for failing to comply can be up to €20 million, or four percent of a company’s total worldwide annual turnover, whichever is higher.
The other big catch is that the legislation doesn’t just apply to businesses in the EU. It applies to EU organisations, as well as organisations in other countries (including NZ) that offer goods or services to people in the Union (irrespective of whether a payment is required).
This is very broad – it includes free services, such as news articles, email newsletters, as well as all products that can be sold to EU residents.
GDPR massively increases the compliance requirements associated with storing or processing Personal Information about people who reside in the European Union.
This means GDPR compliance is very important for any organisations:
• That have a presence in the EU
• That offer free or paid goods or services to people in EU (including if you have an enewsletter that has people from EU on the list).
If your company only targets NZ or other non-EU countries, then (in my non-legal-advice-opinion) GDPR does not apply to your organisation.
But many NZ and Hamilton businesses do have customers in the EU. Some of the types of NZ businesses that GDPR will affect include:
• eCommerce websites – that ship to EU or sell digital products
• Offline sales – that ship to EU
• Software companies
• Tourism industry, who are likely to have EU people on your customer or prospects list
• Any business running advertising (online or offline) in EU
• Anyone with an international audience that will have people from EU on your email list or database
So what is required to comply?
Unfortunately, a lot.
The GDPR sets out a lot of detailed and broad-reaching compliance requirements. It takes many hours of reading (and confusion) to wade through the details.
As a digital marketer (not a lawyer), the following is a brief summary of my own learnings about what GDPR requires.
New expanded definition for “Personal data”
Under GDPR “Personal data is any information that relates to an identified or identifiable living individual”.
Examples of personal data include a name and surname; a home address; an email address such as email@example.com; an identification card number; a date of birth.
But it also includes all information that relates to an identified person, including location data (for example the location data function on a mobile phone); an Internet Protocol (IP) address; a browser cookie ID; the advertising identifier of your phone.
This is just one of the things that makes navigating GDPR so complex.
Consent under the GDPR needs to be both informed and explicit, and able to be proven.
Practical application of this includes that there should be an explicit checkbox when someone joins your email list that states what they’re joining and that they’ve agreed to the terms. This box is not allowed to be pre-ticked.
One way to prove that explicit consent was granted is to use double opt-in for email lists.
If you use MailChimp they have launched a clever new “GDPR-friendly opt-in forms” which have multiple checkboxes for your different lists and also record a copy of the exact form the user submitted, so it can be used to prove consent if needed.
Existing subscribers still need explicit consent
If you’ve had people form the EU on your mailing list for a number of years, unfortunately, that doesn’t qualify as explicit consent.
Organisations need to be able to prove explicit consent for each EU resident on their email list, including for existing subscribers who joined before the GDPR came into force.
If you previously used double opt-in for your email newsletters, then that will be enough to prove consent. But if not, then you need to regain consent from your EU subscribers to meet the new higher standard of consent.
If your email list is with MailChimp they have created an easy process to send a consent email.
Updated and understandable privacy policies
Organisations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
It needs to include a number of important new criteria, such as stating who the data controller is (generally your company), contact information for the data controller, a clear statement if you are processing data outside of the EU, and more.
Right to be forgotten
GDPR requires that users have the “right to be forgotten” – which means that if they request it, all personal data about them should be deleted (unless you have a legal reason this shouldn’t happen).
Most bulk email providers and CRM providers have an option to now permanently delete a contact. You will need to do this if someone from EU requests it.
Data Processing Agreement
The GDPR also introduces compliance that must be followed if you are transferring or processing data outside of the EU.
If your email provider is hosted outside of the EU, then this applies to you.
In order to be compliant you need to tell your users where the data will be transferred to and processed, and you also need to sign a Data Processing Agreement with your email provider or CRM provider.
Most bulk email providers host in the US instead of the UK, so it is important that you follow their process of signing their data processing agreement.
Unfortunately, this is just the tip of the iceberg
There is a lot more to GDPR than I have covered here. There are many other new requirements such as users’ right of access, right to data portability, the right to object, breach notification requirements, privacy-by-design requirements, and much, much more.
For NZ businesses who are targeting residents in the EU, it is important that you understand your requirements under this new legislation.
This article outlines my own personal learnings about GDPR and in no way is legal advice.
You’ll need to dig into the details yourself and seek legal advice to ensure you are compliant. After all, nobody wants a €20 million fine.