As of the 25th of May, 2018, Europe’s new General Data Protection Regulation, or GDPR for short, comes into effect. If you use the internet, or turn on free-to-air TV, you will have heard that changes are coming, and have probably made some attempts at learning if GDPR applies to your organisation. The short answer is probably “yes” - so, we found the details and resources you need to secure GDPR compliance for your Australian software business.
Firstly, what is GDPR?
It’s essentially an example of the EU setting the gold star standard of data protection for its citizens, again. This regulation forces businesses to clean up their collection and retention of information and ask it’s consumers to opt in to collecting their information. If you are looking for a more ‘legal’ answer, proceed.
This new collection of laws - states that:
- Visitors must give permission before being tracked by ‘non-critical’ cookies and other tracking technologies.
- Data that isn’t required for or related to the permissions sought cannot be collected.
- Data cannot be held for longer than is reasonably required for the purpose of which permission was granted.
- Data which contains Personally Identifiable Information (PII) must be processed and stored in a specific manner.
- Any person or business external to yours which sights, access, processes, uses or stores personal data collected by your business must also be GDPR compliant.
…that was wordy, right? Primarily, the change is aimed at protecting the privacy of the average European netizen.
Hang on… Europe? I thought the You & Co team were Australian?!
We are, very much so (Vegemite, budgie smugglers etc). Here’s the thing though - GDPR is not about where your company is based, it’s about who your company markets and sells to. In fact, you don’t even have to be selling or marketing to folks in the EU for GDPR to apply to you!
So, does the GDPR apply to my business?
That depends, but in all likelihood, the answer is yes. The GDPR applies to any business that does one or more of the following:
- sells products or offers services to individuals residing in the EU.
- sells a product or offers services which can be used by individuals residing in the EU.
- bears the possibility of collecting and / or processing the data of any individual residing within the EU, either on purpose or by accident.
Yep, this applies to any person in the EU, even those who aren’t EU citizens or residents, and it doesn’t matter if you’re actively marketing or selling to people. This affects your business even if you accidentally collect any data that could identify an individual who is in the EU at the time of collection (think cookie value, IP address, and so on).
If that seems mighty broad, it’s because it is intended to be. The wording of the regulation uses the term ‘fairly’ a lot, and the general consensus seems to be to ‘Use Good Judgement’ (thanks HubSpot culture deck!) when asking for, collecting, transmitting, processing and storing the personal data of individuals.
Unless you want to control by exclusion those who you want to purchase your product, service, subscription or even subscribe to your newsletter from the EU, you’re simply better off being a good business and putting on your GDPR pants ASAP.
Why should I comply with GDPR?
You could cross yours arms and say something like “Right, we’re gonna geo-block all traffic from Europe, we never sell anything to them anyway”, but we would strongly recommend against doing this. You're likely to spend as much time developing a bulletproof way to avoid EU data collection as you would just complying with GDPR.. And you’d be missing the point.
- First, especially if you’re in SaaS, you’re potentially missing out on a huge revenue stream. As of the start of 2017, Europe had a population of 512 million people! That’s a whole lotta leads...
- Secondly, why not be a forward thinking company and address this now? Then, if you ever do begin selling your tech solution into Europe, you won’t need to worry about data compliance as you’ll have sorted it out already. Compliance isn't as complicated as you may think.
- Thirdly, as shown by the recent Cambridge Analytica scandal, people really care about privacy. Being GDPR compliant will increase consumer confidence, and demonstrate that you care about the privacy of the people your business deals with. It’s worth promoting you’re all for respecting your consumers.
Also, did I mention the fines that can be imposed if you’re caught out? Wait for it… Either €20 million or 4% of your worldwide turnover for the previous 12 months. This means if you’re Google (2017 turnover of ~$109.65 billion USD) and you get found out, it’s going to cost you $4.386 billion US dollars!
Okay, you might not be Google, but still… That’s gotta hurt. In short, it’s worth doing this now.
How do I comply with the GDPR?
Now we’re getting to the good stuff! The thing is though, because every business is different, GDPR compliance will be different.
GDPR compliance centres around eight pillars of data protection:
- If you’re going to collect personal data, obtain and process it ‘fairly’.
- Keep personal data stored only for the specified and lawful purposes stated when it was collected.
- Only process personal data in ways compatible with the purposes for which it was initially given to you. In other words, don’t do stuff with it which wasn’t mentioned when it was collected.
- Keep the data safe and secure.
- Keep the data accurate and up-to-date.
- Ensure data is adequate, relevant and not excessive. Don’t collect data you don’t need.
- Do not retain data longer than is necessary for the specified purpose(s).
- If requested by any individual of which you hold personal data, provide a copy of it which conforms to the above accuracy requirements.
Below is a basic checklist (by no means exhaustive) of questions you should pose to your organisation to get started:
- What personal data do we collect and / or store?
- Was it obtained ‘fairly’?
- Did we inform people when we collected their data of what we’ll be doing with it and why we need it, and did they give their consent?
- Are we safeguarding it and storing it securely? Think encryption, or anonymisation if possible.
- Do people who don’t require access to the personal data we hold have the means to access it?
- Do we collect any personal data that is particularly sensitive? If so, do we meet the applicable standards that exist which govern the collection of that sensitive data?
- Are we keeping data for longer than necessary, and keeping it up-to-date for its lifetime?
- Do we share personal data that we have collected with any third parties, and if so, are they GDPR compliant? This includes suppliers and the like.
Answering these will give you a good start in understanding the scope of what needs to change within your business in order to be compliant.
Develop your GDPR Plan
The nexts steps thereafter are to develop a plan to address any holes in your compliance. Things to pay attention to here are:
- Review what you’re collecting when people browse your site / submit forms / use your products & services
- Do you need to collect everything you’re currently collecting? Can you reasonably justify the need to collect it?
- Ensure that opt-in for tracking & collecting personal data is sought
- You’ll need to ensure that you’re very transparent about what you’re using the data for when seeking consent, and to highlight that users can opt out at any time
- Ensure that individuals can access a copy of any collected personal data
- Review security measures, and check that your organisation uses industry standard data protection mechanisms (SSL/TLS for data in transit, encrypting data at rest, restricting access to physical locations where data is held, backing data up in multiple locations
- Audit any existing data held
- Purge data where necessary if you no longer have a legitimate reason to hold it,
- Update data to keep it current where necessary
- Review whether any collected personal data is shared with any third parties, and if so, review whether it’s necessary to share it. Consider anonymising the data if possible, or requesting GDPR compliance proof from the third party / ies.
Bear in mind that this list is in no way exhaustive. As mentioned earlier, this process will be different for every business.
If you’re a HubSpot user, I have some good news for you. They’ve been busily examining GDPR, and have already rolled out a bunch of features which will make life a whole lot easier, especially if HubSpot is the main mechanism you use to collect lead data.
The EU is asking for transparency and elective use of tracking and identifying information, thus being on the consumers side, in line with the shift we see in marketing and sales. Aren’t we simply using those little digital feelers to make an experience better for our consumer anyway? Well, the good news is, you can still use them - you just have to be a little more upfront about it.