What you need to know about the GDPR
How the GDPR affects Australian businesses
In the news, we have been hearing about data and privacy breaches, with personal information being collected and stored by businesses without an individual’s explicit consent. The General Data Protection Regulation (GDPR) was developed in response to these recent findings and is set to change the data privacy approach worldwide.
What is GDPR?
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. It is a European Union law that gives individuals greater control over, and knowledge of, their personal data. The GDPR governs the way businesses may collect, process, store and use this personal information.
What is required under GDPR
The goal of the GDPR is to protect consumers and their personal information from being poorly handled and misused. Businesses will be held to a higher standard and expected to act within the bounds of the GDPR when collecting, storing and using this personal information.
Businesses will be required to adhere to the following pillars:
Explicit Consent – When collecting an individual’s personal information, explicit consent that is specific and unambiguous must be given. In other words, you can no longer send unsolicited information to people who have not specifically opted in to receive it.
To be considered explicit consent, specific, clear wording must be used and opting in must be separate from other terms and conditions. This provides the individual control over future communications with your business.
Rights to Data – under the GDPR, individuals must be informed where, why and how their data is processed, stored and used. An individual can request to have their information deleted from your database, and you must act on that request immediately, just as you would when an individual unsubscribes.
Breach Notification – the GDPR now requires you to report any data breach that poses a risk to private and personal information to the relevant authorities within 72 hours, and also to inform the individuals affected.
Data Protection Officers – public companies, and organisations that process large quantities of personal information, must appoint a Data Protection Officer to oversee the collection, storage and use of personal information. This is to ensure companies are handling an individual’s information appropriately and using it only for the purpose for which it was given.
How does the GDPR affect my Australian business?
If you collect information from individuals in the EU, you are affected, even if it is only one individual. The fines are not limited to businesses in the EU; they do apply to Australian businesses. It is best to be cautious and make these changes to ensure you are covered.
Your website is your main data collecting hub. WordPress (wordpress.org) is GDPR compliant and has made enhancements to further ensure it adheres to the new regulations. However, the dynamic nature of websites means no single platform or plugin can offer 100% GDPR compliance.
Areas on your website that will be impacted by the GDPR:
Contact Forms – You must obtain explicit consent from individuals to collect, store and use personal information for marketing purposes. Disable cookie and IP-address tracking in your forms and have a data processing agreement with your form providers. You must comply with all requests from individuals to have their personal information removed from your database.
Email Marketing opt-in Forms – Add a checkbox that the individual must tick before opting in. Add double opt-in options for different types of correspondence. Before you ask, a pre-checked opt-in box is considered a breach of the GDPR.
WooCommerce/Ecommerce – Check the comprehensive guide provided by WordPress to ensure GDPR Compliance.
Cookies – If your cookies can identify an individual by their device and collect their data, it is in breach of the GDPR. Implied consent and simply stating ‘by using this site, you accept cookies’ is no longer accepted as giving consent. A business must ask for explicit consent prior to tracking and provide an opt-out option so an individual is easily able to withdraw their consent.
Facebook Pixel – Similar to cookies, the Facebook Pixel collects data about the consumer’s journey and purchase history for the purpose of ad targeting and re-targeting. You will need to gain explicit consent from individuals, and inform them on your website how and why you track their data, before using it for marketing purposes.
What happens if you are Non-Compliant with the GDPR?
If you choose to ignore the GDPR you could be at risk of large fines of up to 4% of a company’s global revenue or $20 million (whichever is greater).
Overall, the GDPR protects consumers and their personal information from being mishandled and misused. Businesses will now be required to gain explicit consent from individuals whenever they collect and store data, and to ensure the individual is fully aware of, and understands, how and why their data will be used. This is a step forward in data privacy in a technologically advancing society.