What is GDPR and how does it affect Australian marketers?


A quick guide to the GDPR

As marketers, we love data. We’re obsessed with it. It’s the bee’s knees. It’s our bread and butter. So any drastic changes to the ways we collect and process it are naturally met with cries of, “For the love of God, don’t take away our precious data!”


I’m talking about the GDPR, and, like most acronyms we don’t fully understand, it’s confusing and a bit scary.

You probably have lots of questions. But I bet there’s one that’s particularly pressing: “Does the GDPR actually affect me, a b2b marketer in Australia?”

The short answer is yes.

The long answer is… well, I’ll get to that.

But before I do, let me just reassure you: it’s not as scary as you think.


What is the GDPR?

The GDPR, or General Data Protection Regulation, is a new set of data protection laws legislated by the European Union with the aim of better protecting the personal data of EU citizens and residents, while also increasing the obligations on organisations that collect or process that data.

The GDPR builds on existing data protection laws to give consumers a whole new swathe of rights over their personal information, including the right to be forgotten and the right to data access and portability.

It also seeks to embed a “privacy by design and by default” approach within organisations, meaning businesses must adopt stringent security practices throughout the entire lifecycle, monitor compliance carefully, and apply the strictest privacy settings automatically for each new customer.

When is the GDPR coming into effect?

These new laws will come into effect on 25 May 2018 (so pretty darn soon), and they come with some pretty hefty fines for non-compliance: up to A$30 million, or 4% of global annual turnover, whichever is higher. (OK, OK, I’ll admit, the impending deadline and whopping fines are pretty scary.)

How will the GDPR affect Australian companies?

Australian businesses will likely need to comply with the GDPR if they:

  • Have a presence within the EU
  • Offer goods or services to individuals in the EU
  • Monitor the behaviour of individuals in the EU 

But what makes the GDPR so far-reaching is the fact that every EU citizen – including those who currently reside in Australia – is protected by it!

The GDPR also has significant overlaps with the recent Notifiable Data Breaches (NDB) legislation released by the Australian Government in February. We’d recommend aiming for GDPR compliance in the first instance, as it effectively guarantees compliance with the NDB too.

What’s behind the GDPR?

In order to fully understand how to comply with the GDPR, it’s helpful to understand the intentions behind it. And, unfortunately, marketers are a big part of the problem that the GDPR is trying to solve.

You see, marketers don’t own customers’ data – it is generously loaned to us, under the proviso that that data will be used to improve products and services, and provide personalised and relevant content.

Sadly, however, this trust has been broken by companies who have exploited this data by doing unscrupulous things like selling email lists, opting customers in for unwanted communications, and not providing clear ways for customers to opt out or have their data removed.

You get it. We’ve all been on the receiving end of emails from brands we never communicated with directly nor have any interest in hearing from, and it’s pretty annoying. And the recent Cambridge Analytica scandal serves as a stark reminder of the dubious ends to which our data can be put if we’re not careful.

Not that you’re doing any such thing with your customers’ data, of course. Still, I’m sure you’d agree, as a consumer, that anything that aims to prevent personal data from being exploited or misused in this way, and puts more power in the hands of those who actually own that data, is not a bad thing.

What aspects of the GDPR do I need to worry about?

The GDPR states that you must have a valid lawful basis in order to collect, process and store personal data. It provides six lawful bases, but the two that are likely going to concern you, as a b2b marketer, are legitimate interest and consent.

Lawful basis: Legitimate interest

Under this basis, an organisation is allowed to collect, process and store personal data on the grounds that it is working towards the legitimate interests of the individual – and, yes, this includes commercial interests.

So, for example, if you’re a SaaS company whose product is an HR platform, and you typically collect and process data from HR managers, you could fairly safely argue that those individuals have a legitimate interest in your product based on their roles.

If, however, you were to purchase an email list of random addresses, it would be much harder to argue that your communications were in any way relevant to the individuals on that list, and you would be in breach of the GDPR.

If you decide to go down the “legitimate interest” route, you must be able to demonstrate that you have conducted due diligence in terms of being able to prove that the individuals in question do, in fact, have a legitimate interest in your organisation.

Lawful basis: Consent

Under this basis, organisations are able to collect, process and store personal data provided the individual in question has given express consent to do so. While this is similar to existing provisions under the Australian Privacy Act, the GDPR has strict definitions and rules as to what constitutes consent.

According to the GDPR, consent must be:

  • Freely given
  • Specific
  • Informed
  • An unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing

That means:

  • No pre-ticked “opt-in” boxes
  • No vague, generic statements like “We may process your personal data to improve our services” – customers need to know exactly how, when and why their data will be processed
  • No sneaky catch-all opt-ins – customers need to know exactly what they’re signing up for
  • It must be just as easy to withdraw consent as it is to give it

If you decide to go down the “consent” route, then you’ll need to consider whether the ways in which you currently get consent comply with the definitions provided by the GDPR.

Rights of the individual under the GDPR

As mentioned, the GDPR provides individuals with a whole new swathe of rights over their personal information. These include:

  • The right to object: Individuals have the right to object to their data being processed at any time
  • The right to erasure: Individuals have the right to request that their personal information be deleted, and they also have the right to expect data controllers to delete their data in certain circumstances, including (but not limited to) where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent
  • The right to data portability: Individuals have the right to receive the data they have provided in a “structured, commonly used, machine-readable format”, and to transmit that data to another organisation

Complying with these rights may involve updating your data collection, processing and storage systems accordingly.

What should I do in the next few weeks?

First, take a deep breath. If you’re already complying with existing data protection laws, such as the Australian Privacy Act and the recent NDB, then you’re likely already halfway there – huzzah!

Yes, there’s still a lot left to do, and a lot to consider, but the key is to be systematic in your approach.

Here are a few fundamental things to do in the next several weeks:

  • Perform an information audit: What data are you holding, where has it come from, and with whom is it shared? Was that data obtained with consent? Were individuals clear on the reasons why you collected their data? Are you holding that data longer than is necessary? Is the data stored safely? Identify where there are gaps between your current processes and the GDPR requirements.
  • Update privacy notices and policies: Ensure they are compliant with the transparency requirements and the rights of the individuals under the GDPR.
  • Update internal procedures: Ensure you’re prepared for the practical implications of the GDPR and the rights it provides to individuals. For example, is there a procedure for erasing an individual’s data from your systems and third-party systems, if they should request that?
  • Communicate with staff at all levels: Ensure you have buy-in from the executive team to give you the resources you need for GDPR compliance, and ensure staff are properly trained on the GDPR and its implications.

These are great places to start, but do note this is not an exhaustive list. For more information, check out HubSpot’s detailed GDPR checklist.

See? It’s not so scary, right?

While there’s been a lot of scaremongering about it, in reality the GDPR helps to put all of us back in control of our data, which I think we can all agree is a positive.

And, let’s face it, it’s good for marketers too: marketers will need to be more creative and conscientious about how they reach customers and process their data, which is likely to instil more trust in their customers; plus complying with the GDPR will lead to much cleaner data, which means better insights for marketers too. Win win!
