The GDPR (General Data Protection Regulation) comes into effect today, May 25th, 2018. Whilst there has been a lot of hype about the updated regulations, the core essence of the policy is to protect the data of people collected by businesses.
LET US EXPLAIN….
General privacy policies are related to information attached to an individual and these can be broken down into:
email address
first and last names
date and place of birth
city, town and country
shipping and/or billing addresses
e-commerce information – banking or card details (there are additional Privacy Policy requirements for e-commerce sites)
Anonymous data, which is data that is not specifically personal but can be classified as ‘ personally identifiable information‘ when used in connection with other types of data that can lead to the identification of an individual.
Any business or website that collects data (as outlined above) is subject to this law and are applicable to the following platforms:
Websites
WordPress blogs (or other platforms)
E-commerce stores
Mobile apps – across all phone platforms (iOS, Android, Windows)
Facebook apps, desktop apps, Saas apps
Digital products or digital services
The GDPR is applicable to any individual or business that offers products or services to citizens of the EU and / or collects information from EU citizens. Regardless of where your business is located. This means that Australian based businesses that collect data, whether emails or data related to e-commerce transactions are required to comply with the GDPR
Part of the new regulation outlined in Article 12 of the GDPR stipulates how your business communicates with customers about the way personal data is processed, and it must be:
Intelligible and concise, in clear plain language that is easily understood
Easily accessible
Free of charge
In addition to the new GDPR regulation, more information is required in your business Privacy Policy, which like the GDPR needs to outline the following points –
A sample email marketing permission consent form
What personal information you collect
How and why you collect it
How you use it
How you secure it
Any third parties with access to it
If you use cookies
How users can control any aspects of this data
Dense legal jargon must be avoided, the purpose of the legislation is to allow individuals to easily understand what your privacy and data protection policies are.
Privacy Notices are also a new mandatory requirement, and these are a short, concise note to let the user know why you are collecting their data (see image for an example)
HOW TO GET STARTED
Enabling GDPR fields in your sign up forms will not make your business compliant. It’s a multi-step process
1. Set up a GDPR friendly sign up which has the following:
Sample information about how an individual can contact the DPO (Data Protection Officer)
Marketing permission text – advise sign-ups that you’re collecting their information and how you’ll use it.
Opt-in checkboxes for all of your channels – Customers can choose how and where they hear from you. Including the most common marketing channels you use e.g. email, direct mail, customised online advertising (Facebook, Instagram, Google ads)
Your company privacy policy and terms –Advise people where they can find your privacy policy and how they can contact you
Data storage policy – Let people know how you will store their data, if you plan to keep all data within a marketing platform. For example, MailChimp, provide links to their Privacy Policy and Terms of Use, to ensure both you and your email marketing provider are GDPR compliant.
2. Send a re-permission email to your existing email list. Most email marketing providers, like, MailChimp, have templates you can use to get contact permissions that are GDPR compliant. Once re-consent has been received this will be stored with your emails and collected user data.
3. Stay compliant with data management and security. This means enabling 2 Factor Authentication (known as 2FA) and allow users to modify their contact information through a link to their profile. This includes deleting all personal data.
GDPR data protection compliance
4. Provide information about how an individual can contact the DPO (Data Protection Officer) in your business (in the case of small businesses this is the business owner / sole trader who responsible for data management and compliance)
Creating these Privacy Policies and GDPR compliant guidelines can be daunting. There is an option to have a Policy created that is compliant with both Australian law and the updated GDPR. They are:
Privacy Policies – free for personal use and a fee for business, after inputting your information a Privacy Policy is created (please note that this is a generic privacy policy and may not cover all the legal requirements of your business and/or the updated regulations of the GDPR – if in doubt, please seek legal counsel) USD $29.99 per policy
Terms Feed – create legally binding agreements for users, they create Privacy Policies, T&Cs, EULA, Returns and Refunds, and Cookies policy. Prices start at USD$14.00 and increase according to the complexity of your website, services and products. This is considered to be the best option to cover all regulations – specifically GDPR, CalOPPA and Australian data protection laws)
WordPress offers a free plugin that generates a privacy policy for your WordPress site. Download the free Auto Terms of Service and Privacy Policy WordPress plugin from the WordPress plugin directory.
Please note, the above information is not legal advice. Please seek professional guidance should you have any doubts or queries as to how to protect and make your business compliant with the new Data Protection regulations both within Australia and internationally.
See our Privacy Policy here