The GDPR (General Data Protection Regulation) comes into effect today, May 25th, 2018. Whilst there has been a lot of hype about the updated regulations, the core essence of the policy is to protect the data of people collected by businesses.
LET US EXPLAIN….
General privacy policies are related to information attached to an individual and these can be broken down into:
- email address
- first and last names
- date and place of birth
- city, town and country
- shipping and/or billing addresses
Anonymous data, which is data that is not specifically personal but can be classified as ‘ personally identifiable information‘ when used in connection with other types of data that can lead to the identification of an individual.
Any business or website that collects data (as outlined above) is subject to this law and are applicable to the following platforms:
- WordPress blogs (or other platforms)
- E-commerce stores
- Mobile apps – across all phone platforms (iOS, Android, Windows)
- Facebook apps, desktop apps, Saas apps
- Digital products or digital services
The GDPR is applicable to any individual or business that offers products or services to citizens of the EU and / or collects information from EU citizens. Regardless of where your business is located. This means that Australian based businesses that collect data, whether emails or data related to e-commerce transactions are required to comply with the GDPR
Part of the new regulation outlined in Article 12 of the GDPR stipulates how your business communicates with customers about the way personal data is processed, and it must be:
- Intelligible and concise, in clear plain language that is easily understood
- Easily accessible
- Free of charge
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- How users can control any aspects of this data
Dense legal jargon must be avoided, the purpose of the legislation is to allow individuals to easily understand what your privacy and data protection policies are.
Privacy Notices are also a new mandatory requirement, and these are a short, concise note to let the user know why you are collecting their data (see image for an example)
HOW TO GET STARTED
Enabling GDPR fields in your sign up forms will not make your business compliant. It’s a multi-step process
1. Set up a GDPR friendly sign up which has the following:
- Marketing permission text – advise sign-ups that you’re collecting their information and how you’ll use it.
- Opt-in checkboxes for all of your channels – Customers can choose how and where they hear from you. Including the most common marketing channels you use e.g. email, direct mail, customised online advertising (Facebook, Instagram, Google ads)
2. Send a re-permission email to your existing email list. Most email marketing providers, like, MailChimp, have templates you can use to get contact permissions that are GDPR compliant. Once re-consent has been received this will be stored with your emails and collected user data.
3. Stay compliant with data management and security. This means enabling 2 Factor Authentication (known as 2FA) and allow users to modify their contact information through a link to their profile. This includes deleting all personal data.
4. Provide information about how an individual can contact the DPO (Data Protection Officer) in your business (in the case of small businesses this is the business owner / sole trader who responsible for data management and compliance)
Creating these Privacy Policies and GDPR compliant guidelines can be daunting. There is an option to have a Policy created that is compliant with both Australian law and the updated GDPR. They are:
- Terms Feed – create legally binding agreements for users, they create Privacy Policies, T&Cs, EULA, Returns and Refunds, and Cookies policy. Prices start at USD$14.00 and increase according to the complexity of your website, services and products. This is considered to be the best option to cover all regulations – specifically GDPR, CalOPPA and Australian data protection laws)
Please note, the above information is not legal advice. Please seek professional guidance should you have any doubts or queries as to how to protect and make your business compliant with the new Data Protection regulations both within Australia and internationally.