But what the heck is the GDPR all about anyway, and how does it affect your business? We shed some light on the new privacy laws.
The General Data Protection Regulation (GDPR) came into effect in the European Union (EU) at the end of May 2018 with the aim to regulate data privacy globally.
The regulation has big implications on compliance requirements for organisations that store or processing personal information about anyone who lives within the EU. Great, but we’re not in the EU, you say? It turns out that may not matter…
The GDPR applies to EU organisations, and organisations around the world (including New Zealand) that offer goods or services to people in the EU (including free services like news articles and enewsletters). GDPR also applies to companies monitoring the behaviour of people if said behaviour takes place within the EU.
This means GDPR compliance is essential for any organisation that:
Starts to sound a bit closer to home right? If your company only targets New Zealand or other non-EU countries, then (in our non-legal-advice-opinion) the GDPR does not apply to you. Phew! However, if you do, welcome to this wonderful web of double opt-ins and explicit consent.
What types of organisations in New Zealand will the GDPR affect?
How does my business comply?
The GDPR sets out a lot of detailed and broad reaching compliance requirements. The most applicable ones are:
We’re used to thinking of personal data as a name and surname , home address, email address that contains a name, ID card number, and date of birth.
However, the GDPR has expanded this definition to include all information relating to an identified person, including:
The GDPR requires organisations to get both informed AND explicit consent when collecting personal data online – whereas previously, organisations only needed to get informed consent.
Organisations need to ensure they are presenting information about data processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
When someone joins your mailing list, you must provide :
Organisations need to be able to prove explicit consent was granted. Double opt-in for email lists is a good way to prove this.
Mailchimp has launched clever GDPR-friendly opt-in forms that have multiple checkboxes for your different lists. They also record a copy of the exact form the user submitted, so it can be used to prove consent if needed.
Now you’re thinking, no problem, I’ll pop a double opt-in form and a checkbox on the subscribe page and that will be that. There’s one more thing – you need to prove explicit consent for EU residents who joined your email list even before the GDPR came into force.
If you previously used double opt-in for your email newsletters, that will be enough to prove consent. But if not, you’ll need to regain consent from your EU subscribers to meet the new higher standard of consent.
GDPR requires that users have the “right to be forgotten” – which means that if they request it, all personal data about them should be deleted (unless you have a legal reason this shouldn’t happen).
Most bulk email providers and CRM providers have an option to now permanently delete a contact. You will need to do this if someone from the EU requests it.
Data Processing Agreement
The GDPR also introduces compliance that must be followed if you are transferring or processing data outside of the EU. If your email or CRM provider is hosted outside of the EU, then this applies to you. You’ll need to tell your users where the data will be transferred to and processed, and you also need to sign a Data Processing Agreement with your email or CRM provider or CRM. See MailChimp’s smooth online process.
The GDPR is the most comprehensive and complex data privacy regulation in the world – and it has teeth. Failure to comply could cost up to €20 million, or four percent of a company’s total worldwide annual turnover – whichever is higher.
There is a lot more to GDPR than we have covered here. Other requirements include:
…and much, much more.
But there’s good news – help is available! HGB is teaming up with DuoPlus to make sure companies are set up for the new regulations. In most cases, it’s as simple as making a few changes to your website.
We can help you through the process, so just give HGB a shout.
Guide to the General Data Protection Regulation (GDPR) https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
GDPR – the biggest changes: https://www.eugdpr.org/the-regulation.html
Free eGuide – A Marketer’s Guide to GDPR: https://www.vividfish.co.uk/is-your-marketing-gdpr-compliant
Read the GDPR itself: https://gdpr-info.eu/