You may have noticed lots of emails about new terms of service, new privacy policies and other changes that are coming into effect on May 25 in line with the European Union’s new General Data Protection Regulation (or GDPR). We’ve had lots of time to get ready for it, but the fact is, most of us outside of the EU don’t realise it even applies. With hefty fines starting at 20 million Euros, or 4% of annual global turnover if that is the higher figure, it’s important to make sure your business is ready.
How do I know if it applies to my business?
Three criteria are used to check if GDPR applies to a business outside of the EU. If you’ve seen these criteria before, then you might have dismissed them as not applying. I’m going to rehash them, but keep reading because I can guarantee it applies no matter what your business is.
1. Have an establishment in the EU; or,
2. Offer goods and services to individuals (including individuals acting on behalf of a business) in the EU; or,
3. Monitor the behaviour of individuals in the EU.
As Australian small businesses, most of us can quickly determine whether 1 or 2 applies. The question mark for me has always been number 3.
After spending months trying to get a clearer picture of how behaviour monitoring applies to Australian businesses, I finally have some clarity that I can share with you. Before I do though, I need to preface this with: I’m not a lawyer, and this is not legal advice. You should seek advice from your legal counsel to ensure your business complies.
Don’t stress, but if you have a website that is accessible from any EU member country, then you are almost guaranteed to be acting as a data controller and processor as defined in the GDPR, and this means it applies to you.
Logging the individual IP address of anyone in the EU at any time, including if they are not an EU citizen, means that you have data on that individual. You know with reasonable accuracy what city and country a visitor is in. You are storing this data whether you realise it or not. That means you need their consent, and they need to have given it.
Google Analytics is a popular data collection tool for websites, and they have been working hard on ensuring GDPR compliance from their end as a data processor, but you are still responsible as a data controller.
Google has provided some tools to assist you in becoming compliant, but that’s only part of the journey. Your web server logs incoming users as well. Anti-malware and website protection tools, including our Web Shield service also record incoming traffic for a period as they learn what is normal behaviour on your website, and what isn’t. These logs include IP addresses.
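One practical way to cut the personal data held in those server logs is to truncate client addresses before the log is stored. The following is an added example, not part of this post or of the Web Shield service: it takes constructed Apache/nginx combined-format lines and zeroes the last octet of IPv4 addresses and everything past the first 48 bits of IPv6 addresses, the same granularity Google Analytics uses for its IP anonymization.

```python
import ipaddress
import re

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [25/May/2018:10:15:32 +1000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [25/May/2018:10:15:40 +1000] "GET /shop HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
bad line without an address
"""

# Only the leading client address is rewritten; the rest of the line is kept
# so the log stays useful for troubleshooting and abuse detection.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>\s.*)$")


def anonymize_ip(text: str) -> str:
    """Truncate an address so it no longer identifies a single host.

    IPv4 keeps the first three octets (/24); IPv6 keeps the first 48 bits (/48).
    Input that is not an IP address is returned unchanged so the line is not lost.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymize_log_line(line: str) -> str:
    """Replace the leading client address of a combined-format log line."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return anonymize_ip(m.group("ip")) + m.group("rest")


def anonymize_log(text: str) -> list[str]:
    """Apply anonymize_log_line to every non-empty line of a log file's contents."""
    return [anonymize_log_line(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

Run it over a log as it is rotated (or pipe the web server's log output through it) so the full address is never written to disk; the truncated address still groups traffic by network, which is enough for most traffic analysis.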
The point is, if, in any way, you collect data about an EU person, then GDPR applies to you. Whether it’s an email database, a website, data analytics, sales, or potentially any other kind of individual user data, this applies to you. If you share any of that data in some way (such as allowing your web designer to work on your website where they can see customer data), then you are also responsible for ensuring that they are compliant.
Are there exceptions?
What’s the point?
The idea behind the GDPR is to give control of privacy back to individuals and make businesses more transparent by operating in a privacy-centric mindset. From a business perspective, this means a rethink of processes regarding data gathering and storage. Does everyone in your company need to be able to access user data, or only certain individuals? Do you need to know what times a user browses your website or logs onto Facebook? The more data you have on individuals, the more accurately you can promote your products and services, but at the same time, what do you really need and how long do you need it? If you gather a user’s birthday so you can send them birthday vouchers, do you need it for any other reason? If so, you need their permission, and if you don’t have it, then don’t use it for other purposes.
It’s a bit of a pain, but it can be beneficial too. By not storing data you don’t need, you are reducing your data costs and ensuring that you are using the data the way your customers expect. Build more positive relationships and more creative sales strategies by leveraging the channels this opens for communication and transparency. GDPR is not the end of targeted digital advertising by any means, but it does mean your users will expect it rather than being followed around by you like a creepy stalker in a trench coat.
What do you need to do?
For most Australian businesses, it’s unlikely that the EU will pursue enforcement of minor things like IP logging, but it is a good opportunity to get your business operating in a more privacy-focused fashion. If you regularly target EU residents, then you may have extra responsibilities, such as appointing a representative in an EU country.
How can you get the most out of this change?
Take advantage of the opportunity to wow your customers here. Even if you aren’t targeting European customers, your Australian ones will be amazed. It seems like every week there is a new scandal. A bank has hidden a significant data loss, or an app developer has sold data that it gathered from Facebook users. Maybe it’s something else entirely, but we all hate it when a business has tried to hide something from us, especially when that something is about us. By being transparent about your users and their journey with your business, you have the opportunity to bring them in as a loyal customer who loves the fact that they know you will be open and honest with them, even if it’s terrible news.
Think of it like this:
Users give up their data for a benefit, usually convenience. Offer them something so convenient that they want to give you the data you need.
Communicate clearly and transparently with your customers, and don’t overstep your bounds. They will love you for it, and more importantly, trust you. I’m confident that GDPR can help your business in the long run by helping you to find creative ways to use customer data so they actually want to give it to you.
Can you help?