As marketers, we love data. We’re obsessed with it. It’s the bee’s knees. It’s our bread and butter. So any drastic changes to the ways we collect and process it are naturally met with cries of, “For the love of God, don’t take away our precious data!”
I’m talking about the GDPR, and, like most acronyms we don’t fully understand, it’s confusing and a bit scary.
You probably have lots of questions. But I bet there’s one that’s particularly pressing: “Does the GDPR actually affect me, a b2b marketer in Australia?”
The short answer is yes.
The long answer is… well, I’ll get to that.
But before I do, let me just reassure you: it’s not as scary as you think.
What is the GDPR?
The GDPR, or General Data Protection Regulation, is a new data protection law legislated by the European Union with the aim of better protecting the personal data of EU citizens and residents, while also increasing the obligations on organisations that collect or process that data.
The GDPR builds on existing data protection laws to give consumers a whole new swathe of rights over their personal information, including the right to be forgotten and the right to data access and portability.
It also seeks to embed a “privacy by design and by default” approach within organisations, meaning businesses must adopt stringent security practices throughout the entire lifecycle, monitor compliance carefully, and apply the strictest privacy settings automatically for each new customer.
When is the GDPR coming into effect?
These new laws will come into effect on 25 May 2018 (so pretty darn soon), and they come with some pretty hefty fines for non-compliance: up to A$30 million, or 4% of global annual turnover, whichever is higher. (OK, OK, I’ll admit, the impending deadline and whopping fines are pretty scary.)
How will the GDPR affect Australian companies?
Australian businesses will likely need to comply with the GDPR if they:
But what makes the GDPR so far-reaching is the fact that every EU citizen – including those who currently reside in Australia – is protected by it!
The GDPR also has significant overlaps with the recent Notifiable Data Breaches (NDB) legislation released by the Australian Government in February. We’d recommend aiming for GDPR compliance in the first instance, as it effectively guarantees compliance with the NDB too.
What’s behind the GDPR?
In order to fully understand how to comply with the GDPR, it’s helpful to understand the intentions behind it. And, unfortunately, marketers are a big part of the problem that the GDPR is trying to solve.
You see, marketers don’t own customers’ data – it is generously loaned to us, on the proviso that it will be used to improve products and services, and to provide personalised and relevant content.
Sadly, however, this trust has been broken by companies who have exploited this data by doing unscrupulous things like selling email lists, opting customers in for unwanted communications, and not providing clear ways for customers to opt out or have their data removed.
You get it. We’ve all been on the receiving end of emails from brands we never communicated with directly nor have any interest in hearing from, and it’s pretty annoying. And the recent Cambridge Analytica scandal serves as a stark reminder of the dubious ends to which our data can be put if we’re not careful.
Not that you’re doing any such thing with your customers’ data, of course. Still, I’m sure you’d agree, as a consumer, that anything that aims to prevent personal data from being exploited or misused in this way, and puts more power in the hands of those who actually own that data, is not a bad thing.
What aspects of the GDPR do I need to worry about?
The GDPR states that you must have a valid lawful basis in order to collect, process and store personal data. It provides six lawful bases, but the two that are likely going to concern you, as a b2b marketer, are legitimate interest and consent.
Lawful basis: Legitimate interest
Under this basis, an organisation is allowed to collect, process and store personal data on the grounds that it is working towards the legitimate interests of the individual – and, yes, this includes commercial interests.
So, for example, if you’re a SaaS company whose product is an HR platform, and you typically collect and process data from HR managers, you could fairly safely argue that those individuals have a legitimate interest in your product based on their roles.
If, however, you were to purchase an email list of random addresses, it would be much harder to argue that your communications were in any way relevant to the individuals on that list, and you would be in breach of the GDPR.
If you decide to go down the “legitimate interest” route, you must be able to demonstrate that you have conducted due diligence in terms of being able to prove that the individuals in question do, in fact, have a legitimate interest in your organisation.
Lawful basis: Consent
Under this basis, organisations are able to collect, process and store personal data provided the individual in question has given express consent to do so. While this is similar to existing provisions under the Australian Privacy Act, the GDPR has strict definitions and rules as to what constitutes consent.
According to the GDPR, consent must be:
If you decide to go down the “consent” route, then you’ll need to consider whether the ways in which you currently get consent comply with the definitions provided by the GDPR.
Rights of the individual under the GDPR
As mentioned, the GDPR provides individuals with a whole new swathe of rights over their personal information. These include:
Complying with these rights may involve updating your data collection, processing and storage systems accordingly.
What should I do in the next few weeks?
First, take a deep breath. If you’re already complying with existing data protection laws, such as the Australian Privacy Act and the recent NDB, then you’re likely already halfway there – huzzah!
Yes, there’s still a lot left to do, and a lot to consider, but the key is to be systematic in your approach.
Here are a few fundamental things to do in the next several weeks:
These are great places to start, but do note this is not an exhaustive list. For more information, check out HubSpot’s detailed GDPR checklist.
See? It’s not so scary, right?
While there’s been a lot of scaremongering about it, in reality the GDPR helps to put all of us back in control of our data, which I think we can all agree is a positive.
And, let’s face it, it’s good for marketers too. Marketers will need to be more creative and conscientious about how they reach customers and process their data, which is likely to instil more trust in those customers; and complying with the GDPR will lead to much cleaner data, which means better insights for marketers as well. Win-win!
May 01, 2018