The EU’s General Data Protection Regulation comes into effect this Friday 25th May. The new law – “the most important change in data privacy regulation in 20 years” – has been designed to protect the privacy and personal data of Europe’s 500 million citizens.*
The regulation sets out new rules as to how you collect, create and use the personal data of European customers. Even if you’re not directly selling to or targeting the EU, your business may still need to comply – basically, if you’re based in the EU or you “offer goods or services to, or monitor the behaviour of, EU data subjects”, the GDPR applies.**
The fine for non-compliance is huge – 4% of annual turnover, or 20 million euros (whichever is higher). However, these severe fines will be a last resort in the early days, as a range of lesser sanctions (warnings, reprimands, corrective orders) will be applied first to give businesses time to comply.****
Data contained in CRMs and your general mailing list
Your website
Facebook custom audiences
Etc.
Your CRM can contain a considerable volume of data about prospects and customers. If anyone on your list is from the EU and you can’t show that their details were obtained through legitimate means, you may need to ask them for permission again. The same rules apply to your general mailing list.*****
You may have users from the EU – and it’s important to note here that if your non-EU customers/prospects/users visit the EU, the GDPR will apply to them.
To get closer to compliance, ensure your website displays an easy-to-understand GDPR-compliant privacy policy, cookie policy, and terms of use document. Also consider a popup cookie notice that tells users on arrival that they may be tracked on your website and gives them the option to accept or decline.
The contact and subscribe forms on your website should also be updated to make sure “they clearly communicate how you will be processing subscribers’ personal data”.**
As per Facebook, anyone using a Facebook Pixel “will have obligations under the GDPR.”**
If you do have a Facebook pixel installed on your website, a popup cookie notice will help you obtain the consent you need from website visitors.
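One way to make the cookie notice actually gate the pixel, rather than only announce it, is to keep the tracking script out of the page until a stored opt-in exists. The following is an added example written for this post, not code from Facebook or from the original article; the key name, version number, loader callbacks, banner button ids and script URL are all assumptions, and the storage object only needs getItem/setItem/removeItem, so window.localStorage can be passed in a browser.

```javascript
// Added example (not from the original post): load tracking scripts such as a
// Facebook Pixel only after the visitor has opted in via the cookie notice.
// Hypothetical names: CONSENT_KEY, loaders, memoryStorage, button ids.

const CONSENT_KEY = 'cookie-consent';
const CONSENT_VERSION = 1; // bump when the cookie policy changes, so old consent is re-asked

// Parse the stored consent record. Anything missing, malformed or from an
// older policy version counts as "no consent", never as "yes".
function readConsent(storage) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY);
  } catch (e) {
    return null; // storage blocked (e.g. private mode): treat as no consent
  }
  if (!raw) return null;
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (!rec || rec.version !== CONSENT_VERSION) return null;
  if (typeof rec.analytics !== 'boolean' || typeof rec.marketing !== 'boolean') return null;
  return rec;
}

// Record the visitor's choice, with a timestamp so the consent can be evidenced later.
function writeConsent(storage, choice) {
  const rec = {
    version: CONSENT_VERSION,
    analytics: choice.analytics === true,
    marketing: choice.marketing === true,
    at: new Date().toISOString(),
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Withdrawal must be as easy as giving consent: drop the record.
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Categories whose trackers may run; empty until the visitor opts in.
function allowedTrackers(consent) {
  const allowed = [];
  if (consent && consent.analytics) allowed.push('analytics');
  if (consent && consent.marketing) allowed.push('marketing');
  return allowed;
}

// Run only the loaders for consented categories; returns what actually ran.
function applyConsent(storage, loaders) {
  const loaded = [];
  for (const category of allowedTrackers(readConsent(storage))) {
    if (typeof loaders[category] === 'function') {
      loaders[category]();
      loaded.push(category);
    }
  }
  return loaded;
}

// Constructed stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Browser glue (skipped outside a browser): the pixel's <script> tag is only
// injected from the marketing loader, never unconditionally in the page head.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  const loaders = {
    marketing: () => {
      const s = document.createElement('script');
      s.src = 'https://example.invalid/pixel.js'; // placeholder for the vendor's script URL
      s.async = true;
      document.head.appendChild(s);
    },
  };
  applyConsent(localStorage, loaders); // returning visitor with stored consent
  const accept = document.getElementById('cookie-accept'); // hypothetical banner button ids
  const decline = document.getElementById('cookie-decline');
  if (accept) accept.addEventListener('click', () => {
    writeConsent(localStorage, { analytics: true, marketing: true });
    applyConsent(localStorage, loaders);
  });
  if (decline) decline.addEventListener('click', () => {
    writeConsent(localStorage, { analytics: false, marketing: false });
  });
}
```

The default is "no trackers" whenever the record is absent, unreadable or written under an older policy version, so a corrupted or stale entry never silently re-enables the pixel; the per-category flags also let a visitor accept analytics while declining marketing, which matches the point below that blanket consent is no longer enough.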
If you upload your mailing list to Facebook to create a custom audience, you need to make sure the list you’re using is GDPR-compliant before uploading. Lookalike audiences are exempt, and not affected by GDPR.***
Some good news here: as Facebook owns Instagram, whatever you do for Facebook covers you on Insta.
The GDPR rules are all about consent – explicit consent. You need to make sure that at any touch point with EU users, you’re obtaining explicit consent to continue communicating with them. Remember, ‘blanket consent’ no longer applies – the reason they signed up needs to be the reason you communicate with them in the future.
If you’d like more information, here are a few great articles:
Different business scenario examples of when the GDPR might apply: https://mumbrella.com.au/worried-about-the-gdpr-heres-almost-everything-you-need-to-know-511713
6 myths about the GDPR: https://blog.aweber.com/email-marketing/6-myths-gdpr-email-marketing-debunked.htm
For Facebook advertisers: https://www.wordstream.com/blog/ws/2018/04/04/facebook-ads-gdpr
How GDPR affects Facebook advertising: https://www.andreavahl.com/facebook/how-gdpr-affects-facebook-advertising.php
Note: this blog is by no means meant to be an exhaustive summary of the rules of the GDPR. We advise that you seek advice from a lawyer, and do your own research, to ensure your business is GDPR-compliant.
**https://www.wordstream.com/blog/ws/2018/04/04/facebook-ads-gdpr
***https://www.andreavahl.com/facebook/how-gdpr-affects-facebook-advertising.php
****https://www.computerworld.com.au/article/641361/gdpr-impact-crm-data-australia
*****https://blog.aweber.com/email-marketing/6-myths-gdpr-email-marketing-debunked.htm