GDPR is officially here. If you’re anything like us, you find yourself handing out your email address a little too liberally online. A lot of the time it’s not even a choice – it’s simply the price of entry to access a website or download a resource.
Chances are you’ve noticed an uptick in the number of email updates you’ve received recently from websites, businesses and brands you’ve long since forgotten interacting with (why does Havaianas have my email address? Is Blockbuster still a thing?).
There’s an excellent reason why: GDPR. What is this foreboding-sounding acronym? Why should you care if you’re an Australian small business owner or website operator?
Why should Australians care?
First of all, many Australian businesses have EU citizens on their email mailing lists or as customers. If that’s the case, then they are subject to these rules.
Secondly, Australia has a strong history of adopting laws enacted in the UK or Europe (sometimes with a few minor tweaks). That means that some local version of the GDPR could be on its way soon.
So let us explain what the GDPR is.
It’s not often that changes in European laws affect anything that happens over here, but this is an exception. GDPR is short for the General Data Protection Regulation. The goal of the GDPR is to change how people interact with their data online and protect consumers.
There’s a pretty simple idea that’s evolved online in the last few years: if you’re not paying for it, then you are not the customer, you are the product. Facebook, Instagram, Whatsapp, Pinterest and Google are all examples of this idea. Users pay nothing to use these portals. So how do their owners make billions of dollars each year? In short, from you.
Your data (along with billions of other people’s) is harvested, packaged and then sold by these companies (and many more) to advertisers. That’s how ads got so creepy and specific these last few years.
What does GDPR do?
GDPR aims to hold the companies that have this data, known as personally identifying information, to a higher standard. Personally identifying information about a user includes things like their name, email address, IP address, income, location or buying history.
The most significant points to note are these. If you’re collecting data from someone who resides in the EU, then you now need explicit consent to send them emails, not just a checkbox. That’s why you’ve been getting all those emails – businesses want to keep sending you their emails but can’t do so unless you explicitly agree. And if you’re Spotify, Microsoft or Google, it’s simpler to email everyone just in case, rather than sort through millions of customer records manually.
If you collect someone’s data, you have to be ready to tell them how it’s being stored. You also have to give them the right to download the data that you hold on them if they ask.
If someone requests it, a business also has to delete all of the data they hold on a person. This is referred to as the “right to be forgotten”.
Finally, if a business experiences a data breach, then they must notify authorities within 72 hours. If the breach is high risk, any individuals affected also have a right to be told under the GDPR.
How to get GDPR compliant
If you have customers or individuals on your mailing list who are in the EU, then feel free to get in touch with us here at Brugel to see what you might need to do to be GDPR compliant. Let us help get your website and processes in line with best practice regarding data collection and privacy.