Over the past few weeks, you may have heard some buzz about the General Data Protection Regulation (GDPR) but with its implementation fast approaching, now is the time to get acquainted with the European Union regulation.
Slated for May 25, 2018 the legislation piece could have an enormous impact on some of the biggest technology firms and corporations worldwide, such as Facebook and Google. With regulations more strict than ever, we’ve put together this comprehensive guide for Australian marketers to navigate the changes, determine whether or not their company will be affected and how best to prepare.
WHAT IS THE GDPR?
Originally approved in April 2016, the GDPR is an European Union sanctioned piece of legislation that regulates the collection of personal consumer data as retrieved by companies online. While its primary focus was on the EU itself, organisations outside of this region will still be affected if they offer goods and services to, or monitor the behaviour of those within it.
The legislation is the latest in a series of EU measures put in place to curb the growing concerns over data privacy and consumer protection. Amidst the wake of the Facebook data security breach, consumers have been quick to point out the need for stricter legislation and the timely arrival of the GDPR further supports this.
Ideally, the purpose of these changes is to return data control to the consumer rather than place responsibility in the hands of businesses, which may have big implications for our multi-nationals.
GDPR VS AUSTRALIAN PRIVACY ACT 1988
While the legislation has introduced new parameters overseas, the GDPR shares many common requirements with the Australian Privacy Act 1988. Both regulatory acts require a privacy-by-design approach to compliance, a need for transparency within information handling practises and a demonstrated compliance with privacy principles and obligations.
One significant difference under the GDPR however, is the introduction of a data protection officer within each organisation. Currently, Australian law does not require the appointment of a dedicated data protection officer, however the EU’s decision to make this a requirement ensures that one individual is solely tasked with that responsibility.
Consumer consent remains the most important factor of the legislation however, with an emphasis on erasure. Article 17 of the GDPR is titled ‘The Right to Erasure” and details the right for an individual to be “forgotten” by an organisation that holds their data.
According the the GDPR, "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay".
In addition to this, an individual can now correct any misinformation held on them.
This is a vast difference to current Australian law, which presently allows for the collection of non-sensitive data without specific consent. Organisations that currently collect data through automation, such as Centrelink and the Department of Human Services will no longer be able to use these tools when dealing with EU consumers and patrons.
Furthermore, the Australian Privacy Act 1988 also includes a small business exemption regarding personal information collection. Businesses that have a revenue below $3 million do not need to comply with the data collection requirements, however the GDPR has no such exemption. All businesses regardless of revenue must comply with the personal data collection regulations.
With a central focus on more clearly defining consumer consent, the implementation of the GDPR will lead to more transparency and accountability. Global corporations such as Google that have revenue streams originating from within the EU will now have greater responsibilities and regulations placed upon their data processes and collection.
WHAT THIS MEANS FOR AUSTRALIAN MARKETERS
There’s no doubt the future of marketing is data-driven, so the changes stemming from the implementation of the GDPR may lead to a strategy reshuffle, even for our local brands.
Marketers have become data collection fiends of late, with the evolution of targeted campaigns leading to more highly segmented markets and more clearly defined channels. The exploitation of this data collection however has caused a paradigm shift in the current marketing industry.
Marketers should remember that they do not own the data they collect, that it is shared by consumers in goodwill and trust. The impending implementation of the GDPR highlights this, forcing us to better think about the data we collect, where it comes from and what its purpose is.
The first step for Australian marketers to consider leading up to May 25 is to educate themselves on the GDPR. Take the time to further develop your understanding of data retention and collection and reassess your business’ approach to user-consent.
- Who your data controller is
- Contact information for the data controller (or data protection officer)
- Whether you use data to make automated decisions
- User’s 8 rights under the GDPR
- Whether providing data is mandatory
- Whether you transfer data internationally
- What you legal basis for processing data is
- A consent form
With an ever-growing list of consumer touchpoints now on offer, as a marketer and business operator, you should ensure that consent is established through each of these points and on each platform and channel. It is important to be certain that the consumer has given permission for their data to be collected and analysed.
Once this has been established, marketers should take into account where their data has been collected from and where it is stored. In the future, your marketing campaigns may have a very different user experience.
You may now be required to implement consent forms throughout the user journey and introduce a process that accounts for data collection permissions, making sure to abide by both the Australian Privacy Act 1988 and the EU’s GDPR.
THE FINAL WORD
The homework for marketers in Australia is primarily concerned with tweaking their current processes to ensure that data collection from consumers is consent-focused and permission-granted. While it may seem like an attack on data collection, the GDPR is a move towards consumer-centric marketing and a return to worldwide personal protection.
If you currently deal with a European market or monitor data from this region, it is imperative that you review your current data collection processes and align them with both the GDPR and the Australian Privacy Act 1988.
What changes will your business make leading up to the GDPR implementation? How could you be affected?