GDPR: What it means for Australian businesses.

If you’re an agency, business owner, marketer, or just dabble in digital—you may have heard of the GDPR. While there is heaps of information out there, some pieces are heavy reads, while others are jam-packed full of legal jargon.

We’re here to simplify it for you.

We’re aware that the GDPR will apply to August and what we do. It’s also likely to apply to some of our clients. So, we thought it would be beneficial to share our learnings for anyone working in the space of tech, digital or marketing in Australia.

Before we get stuck into it, we’d like to be clear that this article should not be read as professional legal advice. We have written it for information purposes only. If you have specific questions about your organisation and policies, we suggest you have a chat with your corporate or external legal counsel so they can give you a hand.

So, what is the ‘GDPR’?

GDPR stands for General Data Protection Regulation. It’s the European Union’s new data protection law and comes into effect on 25 May 2018. That’s just around the corner!

I’m an Australian business, why should I care?

The GDPR doesn’t just apply to EU businesses.

It applies to any business, anywhere in the world, that processes personal data relating to an individual in the European Union.

So even if you’re an Aussie business, there’s a strong chance the GDPR applies to you, your clients, and the work you undertake online.

Let’s define some terms.

We want to make sure that if we’re using jargon in this article, we’ve explained what it means and why it’s important. So, let’s define some of the key terms you’re likely to come across:

‘Processing’

Refers to the use of personal data. For example, collecting, recording, organising, storing, or performing any operations on personal data. Think of it as a catch-all word.

‘Personal data’

Data that is ‘personal’ is any data that can be used to identify a living person directly or indirectly. For example:

• Name
• Address
• Email address
• Location data
• IP address

A note on ‘indirect’ identification

The ‘indirectly’ part is important. Here’s an example: if you’re an ecommerce store, you may decide to pass a transaction ID through to your analytics software. You can’t directly identify an individual within your analytics software from that transaction ID.

However, if you cross-referenced the ID with your ecommerce store data, you could indirectly identify that individual.

The GDPR states that personal data that has been pseudonymised (e.g. key-coded, like our transaction ID) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

In our transaction ID example, it would likely be quite easy. That’s why you also see things like IP address and location data in the list above.

A note on ‘sensitive’ personal data

Sensitive personal data is a special class of personal data that should be handled with additional care. It includes attributes such as:

• Race
• Health status
• Sexual orientation
• Religious beliefs
• Political beliefs
• Genetics
• Biometrics

There are also special rules in regards to processing personal data about children but we won’t be discussing them in this article.

‘Controllers’ and ‘Processors’

The GDPR applies to ‘controllers’ and ‘processors’ of data.

• A controller determines the purposes and means of processing personal data.
• A processor is responsible for processing personal data on behalf of a controller.

Because that’s a little difficult to follow, let’s put that in layman’s terms:

You, as a business, are the controller. You decide what personal data needs to be collected and for what reason, and you provide means for collecting and using that data.

A processor is normally a third party you have entered into a contract with who will perform operations on the personal data you collect. They will perform these actions on your behalf.

A good example of a data controller and data processor is sending email marketing to a subscriber list. You are the data controller who decides what information you capture and the purpose you are capturing it for. The email marketing provider, such as Campaign Monitor or MailChimp, is the data processor. Another way to think about this is that a data controller can be a customer of a data processor.

When you use an email marketing platform, you enter into a contract with that provider. The provider’s service processes the data that you collect. In other words, when you send email marketing to your subscriber list, the data you’ve captured is processed.

One key point to note here is that an organisation can be both a controller and a processor of the same data. This doesn’t necessarily mean that different employees play a ‘controller’ role versus a ‘processor’ role, simply that the organisation as a whole has control over certain data and can process that data without the use of a third party.

‘Subjects’

Subjects refer to any individual within the EU whose personal data is processed. This could be a client, a newsletter subscriber, or member of the public that has visited your website.

GDPR principles, simplified.

Are you still with us? Good. We know this kind of stuff can be confusing. It took us a while to get our heads around it too.

So, to help you out, here’s a simplified version of the seven main GDPR principles, as outlined on the ICO website. Our version pulls out the parts we think are most relevant to Australian businesses.

GDPR Principle #1

Data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;

Our simplified version: 

Ensure you have a lawful basis for processing someone’s personal data, and tell them about it.

GDPR Principle #2

Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

Our simplified version: 

Have legitimate, lawful reasons for needing someone’s personal data, and only use their data for these reasons. Don’t assume that just because you have collected their data, you can use it for a purpose you haven’t told them about. You can’t.

GDPR Principle #3

Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Our simplified version: 

Only collect what you need, and no more. There are no prizes for collecting data you don’t need.

GDPR Principle #4

Data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

Our simplified version: 

Keep personal data up-to-date and free from errors.

GDPR Principle #5

Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.

Our simplified version: 

Once you’re finished with the personal data, delete it. You can, however, keep hold of personal data only for archival purposes in the public interest, scientific or historical research purposes or statistical purposes.

GDPR Principle #6

Data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Our simplified version: 

Do everything in your power to keep personal data safe. Be a good digital citizen.

GDPR Principle #7

The controller shall be responsible for, and be able to demonstrate, compliance with the principles.

Our simplified version: 

Show that you understand the laws and are compliant with them. Have a privacy policy that talks about the data you are collecting and what you’re doing with it. Be transparent, make it easy to understand, and respond to any requests from people enquiring about their data. Be nice about it.

Lawful bases for processing

GDPR Principle #1 states that ‘data shall be processed lawfully’. What does that actually mean?

The GDPR outlines six lawful bases for processing personal data, and states that at least one of these must apply whenever you process a subject’s personal data:

• Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party—unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This does not apply if you are a public authority processing data to perform your official tasks.)

Of the six lawful bases, the last one is the most open to interpretation, and most relevant to marketing teams. ‘Legitimate interests’ refers to the lawful basis of using data for a purpose that the individual would reasonably expect it to be used for. Remember though, that the purpose must be real and not too vague. Be human about this—it’s not rocket science. Be honest and don’t try and deceive people.

Using our email marketing example again, if you have a newsletter subscriber capture area on your website that asks for a name and email, then it is entirely reasonable for someone to expect that they will receive email newsletters from you if they provide this data. They shouldn’t, however, be asked for out-of-the-blue sales referrals, as they couldn’t reasonably expect this. The more information you can provide at the capture point, the easier it is for everyone to understand why you want to collect their data. For example, by stating something like ‘Fill in your name and email and we’ll be in touch with you about regular news and offers’, you provide a clear purpose for the capture of data.

Users’ rights under the GDPR.

In addition to the obligations placed on data collection relating to EU citizens, the GDPR also sets out the rights of individuals. Most of them are straightforward and unsurprising. But there are a couple of them that you should be mindful of.

Keep in mind that wherever you need to respond to a request under one of these rights, you have one month to respond and take action. That’s one month from receipt of the request.

• Right to be informed; individuals have a right under the GDPR to be informed that you’re collecting their data for a particular purpose. You need to let people know why you’re collecting their data, for how long you’ll be keeping their data, and whom it will be shared with.
• Right of access; a person is entitled to access their personal data as a way to request rectification or erasure of their personal information (see the next two points). They are also entitled to lodge a complaint under this right and be informed about the safeguards put in place if their data is transferred to a third country or international organisation.
  And no, you can’t charge someone a fee when they ask for access to and information about their data. But you can charge a reasonable fee when their request is manifestly unfounded or excessive (think overly repetitious).
• Right to rectification; a person has a right under the GDPR to have their data corrected if it is inaccurate. This right is closely linked with one of the principles of the GDPR that deals with maintaining accurate data. This right is fairly straightforward; if someone realises their data is wrong and they ask you to correct the error, then you need to comply with their request.
• Right to erasure; a person can make a request to you have their data erased. However, this is not an absolute right and only applies in certain circumstances. If the purpose for which you collected the data is no longer necessary or required, then a person can request to have their data erased. Keep in mind that if you are relying on a legitimate interest as the basis for processing someone’s data, a person can make a valid request to have their data erased if there is no legitimate interest in continuing to process their data. For example, where a newsletter subscriber doesn’t want to receive your company updates anymore. You must also erase a person’s data where you need to comply with a legal obligation.
• Right to restrict processing; this right is where someone asks you to restrict the processing or use of their data. Similar to the right of erasure, it is not absolute and only applies in certain circumstances. One of these circumstances is if the data has been unlawfully processed. Restriction of data might mean that you store the person’s information but do not process it. A simple example: if someone asks you to stop sending them promotional emails, then you need to stop sending them emails; the data still exists; you just can’t use it for that purpose anymore, at least until the person provides consent again.
• Right to data portability; you will need to be mindful of this right depending on the type of organisation you are and the data you collect. A person has a right under the GDPR to obtain and use their personal data for their own purposes across different services. The way you comply with this right is by making sure the data is available in commonly used forms (such as CSV files) and that the data can be specifically extracted if required. You may also be required to transfer the data directly to another organisation—so data needs to be stored in a way that makes this possible.
• Right to object; an individual has a right to object to their data being processed. This includes direct marketing (including profiling) and processing based on a legitimate interest. An individual must have grounds to object based on their own situation. However, where someone objects to their data being processed for direct marketing, you must stop processing their data as soon as you receive the notice. There are no exceptions to this part of the right.
• Rights related to automated decision making including profiling; there are a few GDPR rights in relation to automated decision making. An individual has a right to object to an assessment being made about them by a machine where the outcome of that assessment may have a legal impact on them. A person is legally entitled to bypass any automated systems and be assessed by a human, rather than a machine. An example might be an automated decision on a loan. Another might be an online aptitude test used in a recruitment process. This is interesting, given the continued rise of automation over the past few years.

Note that some of these rights do not apply to some of the lawful bases for processing mentioned above. For example, ‘right to erasure’ does not apply if you have a legal obligation (lawful basis ‘C’) to hold onto that person’s personal data.

How does GDPR compare to the Australian privacy legislation?

If you’re an Australian organisation that is simply aware and compliant with Australian Privacy law (including the Australian Privacy Principles), here’s why you should take notice.

While the GDPR and the Privacy Act 1988 (Cth) share some similarities—such as transparent data handling practices and being able to demonstrate compliance—there are differences between the two laws which you should be aware of.

We could spend an entire article writing about the differences between the two types of legislation. But instead, we’re going to name the top three that we think you should keep top of mind. We highly recommend seeking legal advice in this area if you are concerned or require more information.

Who does it apply to: The GDPR applies to any business that is processing data relating to EU citizens. Australian regulations are constrained to local obligations applying to:

• Government agencies
• Private sector
• Nonprofit organisations with a turnover of more than $3 million
• Private health service providers.
• Some small businesses

What does it apply to: The GDPR applies to any information relating to an identified or identifiable natural person. Under Australian law, personal information is confined to information that identifies an individual or can reasonably identify the individual. The key distinction between the two types of legislation are the following words: ‘relating to’ and ‘information that identifies’.

Thinking about what these words naturally mean, information ‘relating to’ an individual is far broader than ‘information that identifies’ an individual. Additionally, information that relates to a person, may not necessarily identify them but it is connected to them. For example, an IP address does not necessarily identify a person but it is certainly related to them.

Consent: Under the GDPR, consent must be given freely and the person’s consent must be an unambiguous indication that he or she agrees to their data being processed for its intended purpose. This also implies that the person knows why their data is collected. Under Australian privacy legislation, it’s worded a little differently. The person must be adequately informed before they have given consent. So like the GDPR, they must know and understand why and for what purpose you are planning to collect their data. The person must also have the capacity to give consent and their consent must be given voluntarily.

If an Australian business is found to be in breach of the GDPR, does the EU actually have the power to litigate against an Australian business?

Potentially, yes.

We’re not going to go into too much detail here because, quite frankly, we’re not sure. It will always come down to the specific circumstances of the situation. But due to its scope, we can’t deny that the GDPR will have both its obligations and impact felt on a global scale.

What are the penalties for non-compliance?

There has been quite a bit written about maximum penalties under the GDPR.

Yes, you should take these seriously, but you shouldn’t be wracked with an all-consuming fear.

An important point to note about penalties is that they are split into two severity categories:

• Lower severity obligations; €10,000,000 or 2% of the business’ worldwide annual turnover for the preceding financial year—whichever is greater. This is the maximum penalty for this type of severity.
• Higher severity obligations; €20,000,000 or 4% of the business’ worldwide annual turnover for the preceding financial year—whichever is greater. This is the maximum penalty for the higher severity obligations.

So, the burning question: as an Australian business, do you need to do anything?

The answer to that question really boils down to this:

Are you processing any personal data about EU citizens?

If the answer is yes, then GDPR applies to you, and you should do something about it.

8 steps you should take now.

1. Share this information with key people in your organisation. Ignorance is not an excuse.
2. Audit the personal information you currently hold, where it came from and who you share it with.
3. Delete any personal data that you don’t need, or that you didn’t obtain lawfully (as per the GDPR).
4. Document procedures to account for users’ rights under the GDPR, e.g. their right to erasure.
5. Update your privacy policy. It should include what data you collect, the reason for it, which ‘lawful basis for processing’ that data applies to, along with your procedures to account for users’ rights as mentioned above.
6. Review how you are collecting data now.
7. Ensure you have safeguards in place to protect personal data.
8. Review any third-party providers and how they are prepared for the GDPR.

GDPR and digital marketing.

We love a good table. We especially love a good table full of handy information. Below we have pulled together some common digital marketing activities and listed the considerations relevant to the GDPR we think are important. We hope you find them useful.

Tactic / activity	Lawful basis	Considerations
Newsletter subscriptions	Consent	Don’t surreptitiously add people to your email database. If you added anyone without them providing consent, find a way to obtain explicit consent, or remove them. If someone signed up for a newsletter, don’t use their email for any other purpose other than that newsletter.
Website contact enquiries	Consent	Ensure your form contains a link to your privacy policy.
Ecommerce transactions	Contract	You need to collect people’s information so you can fulfil their order. Don’t add them to an email marketing database just because they placed an order (so many businesses do this; not only is it infuriating as a user, it is also in breach of GDPR).
Website analytics*	Legitimate interests?	Ensure you are not collecting personally identifiable information via things like URL parameters, page titles or custom dimensions (regardless of GDPR, you shouldn’t be collecting this information anyway; it’s against Google’s terms of service, and has been for years). Consider anonymizing IP addresses. Turn off features like User-ID reporting and advertising features. If you want to use those, obtain explicit consent first. Tell people you are using website analytics (right to be informed) and give them a means to opt out (right to object).

 

*A note about website analytics

A topic that has been blogged about a great deal is whether the use of web analytics (e.g. Google Analytics, social media analytics etc.) is considered a ‘legitimate interest’, or whether businesses need to obtain explicit consent to track users online once GDPR comes into play.

As far as we can see, it’s the former, so long as you’re not sending personally identifiable information to Google Analytics (which is against Google’s terms of use anyway). However, if you’re using certain non-standard features of Google Analytics, like User-ID or remarketing lists, you may need to obtain consent.

We would also argue that the use of web analytics is largely in the interests of the individual, not just the business (e.g. one of the primary reasons businesses use web analytics is so that they can improve user experience). We’re fairly sure that it’s not the EU regulators’ goal to render the web unusable, and requiring explicit consent through a deluge of pop-ups, banners and consent walls is probably not in the best interests of users. The Data Protection Network seem to agree; in their “Guidance on the use of Legitimate Interests under the EU General Data Protection Regulation”, they provide the following as an example of a legitimate interest:

Example 17: WEB ANALYTICS

A social media platform uses diagnostic analytics to assess the number of visitors, posts, page views, reviews and followers in order to optimise future marketing campaigns.

Wrapping up…

Regardless of the marketing activity being used, if your Australian business falls under the scope of the GDPR—which many will—we recommend that you take as many steps as possible to ensure you are compliant.

Keep the principles in mind at all times:

• Be transparent about the personal data you are processing and collect that data lawfully.
• Be specific about your intended use for that data, and only use it for these purposes.
• Only collect what you need, and no more.
• Keep personal data up-to-date and free from errors.
• Don’t keep data for longer than necessary.
• Keep personal data safe.
• Show that you understand these principles and are compliant with them.

Finally, what is August doing about it?

As we kept studying the GDPR, we knew there would be actions for us to take. We listed these out and realised that it would probably be helpful to share these actions in case other agencies, our clients, or anyone looking for a quick to-do list might find the tasks helpful.

So, with that in mind, this is what we’ve been working on to make sure we are GDPR ready.

1. Read read read; we’ve looked to the Office of the Australian Information Commissioner for resources on the GDPR and Australian businesses. There are some good concise articles on their site that you should check out. We’ve added a few below. We’ve also looked up the GDPR directly, as well as read a stack of blog articles on the topic.
2. Segment our email database; we’ve segmented by geographic region so that we can communicate with our subscribers in the European Union directly.
3. Check in with our EU subscribers; if you receive our monthly updates or Super8 and you’re based in the EU, it’s likely that you’re about to hear from us (or already have). We’re contacting everyone on our database in the EU to make sure they still want to receive our communication. If not, we’re making it easy to unsubscribe as well.
4. Check that the third party organisations we use as part of our daily operation and service offering are compliant with the GDPR; three of our key tools—Slack, Campaign Monitor, and FullStory have all blogged about their updates to procedures and policies they’ve made in the lead up to the GDPR coming into effect.
5. Transparency with our clients; we’re aware that we have clients who may have a presence in the EU or may collect data from EU citizens. Because of this, we’re talking to them about the GDPR and that they may need to review their privacy policy.
6. August’s privacy policy; speaking of… we’re currently in the process of making some amendments to our policy and these will be reflected on our website.

Further reading.

Just in case you feel like more…

But in all seriousness below are some handy links for GDPR resources and guides as you continue your marketing activities:

• The ICO guide to the GDPR
• The OAIC guide to Australian businesses and the GDPR 
• The DPA guide to legitimate interests
• How Google have been getting ready for GDPR
• Google’s ‘Privacy’ site