The GDPR refers to the European Union (EU) General Data Protection Regulation, which was passed in April 2016. European countries have had the last two years to prepare for the changes, and become compliant with the regulations that will come into force on May 25th 2018. It replaces the Data Protection Directive from 1995, which was drafted long before the internet became such an integral part of our lives.
That’s all good and well – but what does it do?
With the rising concern over privacy and exchange of personal data, the GDPR aims to protect individuals' rights to privacy and enhance data protection. There has been increasing distrust among consumers around the use and security of their personal data. The GDPR hopes to reinstate this trust by giving consumers complete control over their data, and thereby benefit the economy.
It does this in several notable ways. These include giving European citizens the ‘right to be forgotten’, also known as Data Erasure. They also have the right to ask what data a company holds on them, make changes, or transfer it to another company (referred to as ‘portability’). Any data that is collected in the first place will need to be deemed necessary and proportional to legitimate interests related to the services or products provided. So asking for relationship status, or age (an extreme example), for a whitepaper download will be unlawful.
There are also strengthened regulations around consent on the use of the data. Under the GDPR “consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes which by a statement or by a clear affirmative action, signifies agreement to processing”. You also cannot give or sell the data to other companies, or partners, unless the individual has explicitly said that’s ok too (but we already knew that, didn’t we?).
What kind of data does the GDPR protect?
GDPR protects any information that can be used to identify an individual. That includes data tied to a person’s name, address or ID numbers. But it can also be a lot broader than that, including web data such as location, IP address, cookie data and RFID tags.
Certain special categories of data are then singled out for a higher level of protection, including:
Health and genetic data
Trade union membership
Racial or ethnic data
Information about a person’s sex life or sexual orientation
What does it mean for New Zealand?
As the GDPR aims to protect EU citizens from data and privacy breaches that could affect them, the GDPR rules apply very broadly. This is designed to address the problem that a website operated from the United States or New Zealand can affect EU citizens as much as a brick-and-mortar business located in France or Germany. GDPR therefore applies to anyone who has an established business in the EU, but also to anyone who sells goods or services (including free services such as a website) to EU citizens, or who stores and uses data of EU citizens – even if they’re not in the EU. If you fit into one of these categories, you will need to be aware of these regulations and should take steps to comply.
This can mean that if you have data relating to an EU citizen in your database, you may be subject to the GDPR regulations. You will probably want to weigh up how much of that data you hold, how sensitive it is and how strategic it is to your business, to help you decide what steps to take to comply.
What about New Zealand privacy laws?
The New Zealand privacy laws have been found ‘adequate’ by the EU, though they are currently being reformed to become even more robust.
Following New Zealand privacy laws, as well as following marketing best practices is a good start and will certainly help your GDPR compliance. However, any opportunity you can take to improve your general privacy baseline will be really beneficial. It’s a good idea to review and update your current processes for complying with NZ law, followed by any extra steps needed to address areas of material GDPR risk. Even where the legal obligations are the same as under NZ law, the consequences under GDPR could be more significant. Breaches of the new European regulations will come with a hefty fine – as high as €20m or 4% of your annual global turnover (whichever is higher).
What it means for marketers
At Qrious and Ubiquity our aim has always been to follow and champion marketing best practice. This has included practices around lead generation and marketing opt-in, data security, and actioning marketing opt-out and data erasure requests promptly.
If you’ve been following our recommendations, you should be in a good place to be compliant. However, we recommend an audit of your data and lead gen practices in any case. This could include:
What data are you requesting in your lead gen forms – is it ‘necessary and proportionate’ to the purpose you’re trying to achieve? For example, do you really need their location to allow them to download the whitepaper?
Is your opt-in clear, and does it require direct action by the consumer? It is always a better position to have strong opt-in consent.
Does each type of marketing communication have its own opt-in? For example, if you’re asking for both a mobile phone number and an email address to send marketing communications, they will both need individual opt-ins – i.e. ‘Yes, I would like to receive TXT notifications’, and ‘Yes, I would like to receive email updates’.
Are your unsubscribe and preference center up-to-date and working efficiently? Ideally opt-out should be automatic and immediate.
What should I do right now?
The best thing to do is take practical steps to improve your privacy processes. A good place to start is an audit of what data you collect and what you do with it. You can then use that information to improve your data security and lead generation practices, and begin thinking about how to build privacy considerations into the development of new products and into key decisions about disclosure or use of personal information.
Under the GDPR, providers who only process information on behalf of their customers (and in accordance with their customers' instructions) are classified as a 'Data processor'. Ubiquity's marketing automation platform lets you, the customer, control the means and purposes for which you process information, so Ubiquity fits into the 'Data processor' classification. We’re auditing our platform and practices to see how we can improve our handling of personal information to be ready for the GDPR.
Our platform enables our customers to control how they use personal information. That means that if GDPR applies to you, you will need to ensure you comply with GDPR in the way you use our platform (for example, in terms of the type of marketing you carry out on the platform and the consents you have from people to do that).
You can also check out the webinar we ran, in which Nathalie Morris discusses the details of the regulation and how it applies to New Zealand marketers and organisations.
While it may feel scary to be subject to laws and regulations based in nations on the other side of the world, the GDPR provides us all with an opportunity to re-establish trust with the consumer and become better marketers. Increased transparency and understanding of why we collect, and how we use data, will ultimately work in our favour by building more trusting and meaningful relationships with consumers.
Disclaimer: This post is for information purposes only and should not be used as a guide, or legal advice, pertaining to the GDPR and becoming compliant. Rather it provides background information on what the GDPR is and how it may affect you. Please seek legal advice if needed.