Opinion

Worried about the GDPR? Here’s (almost) everything you need to know

With fines of up to €20m or four percent of global annual turnover (whichever is higher), breaching the new GDPR could cause your business to topple over. As the regulation comes into force, Alpha Digital's Sam Wood provides a guide for Australian retailers and marketers.

On May 25 2018, the new EU privacy law, the General Data Protection Regulation (GDPR), comes into force across the European Union. Whilst it’s immediately obvious that this will have a massive impact within the EU, Australian businesses are also being put on high alert.

The GDPR aims to give control of personal data back to the individual (the data subject). It does this by imposing strict rules on the collection, retention and use of that data, both on the companies that decide why and how it is collected (controllers) and on the companies that handle it on their behalf (processors).

But why should Australian businesses care about a new privacy regulation in the EU? Because its scope is very broad: it applies not only to businesses established within the EU, but also to businesses anywhere in the world that offer goods or services to people in the EU or monitor the behaviour of people in the EU.

Basically, if you sell goods or services to customers within the EU – the EU wants you to comply. If you don’t, the fines are huge.

Before we get into it, a note. I am not a lawyer. If you think you may (or may not) be caught by these regulations, speak to a lawyer. This article is merely our opinion based on our readings and is not legal advice.

The key elements

Article 3 of the GDPR is key to understand, as it largely drives the rest of the regulations (at least as they apply here).

The key elements of Article 3(1) are:

Processing of personal data; by a
Controller or processor; who is
Established in the EU.

Alternately, the key elements of Article 3(2) are:

Processing of personal data of people in the EU; by a
Controller or processor who is
Not established in the EU; where the processing relates to
Offering goods or services to people in the EU (whether or not payment is required); or
Monitoring the behaviour of people in the EU.

In essence, where a company is not established in the EU, Article 3(1) does not apply and you must look to Article 3(2). If you’re handling personal data of people within the EU, and you’re actively selling to and/or monitoring people in the EU, the GDPR may apply to you.

Some examples

Retailer A

Retailer A is a small business. They’re not targeting the EU, but they get the occasional sale in the EU. They know that’s the case, but they don’t really keep track of their customers in any meaningful way.

Would they be affected?

We don’t believe Retailer A would be caught by the GDPR. They’re not actively targeting people in the EU, even though they’ve sold a small amount of product into the EU. Note that even an occasional order involves handling a customer’s name and delivery address, so the stronger argument is not that Retailer A holds no personal data, but that they are not ‘offering goods or services’ to people in the EU in the sense of Article 3(2)(a): Recital 23 makes clear that the mere accessibility of a website from the EU is not enough, and looks for evidence of intent such as pricing in euros or a language used in a member state.

Retailer B

Similar to Retailer A, Retailer B sells a small amount of stock into the EU. The difference is that Retailer B is a bit more advanced in their marketing. They collect and store customer information and email subscriptions in a CRM, and they use a third-party tool (like Mailchimp) to segment those customers and market to the segments.

Would Retailer B be affected?

Because they’re collecting and storing personal data of people within the EU, and deciding how that data is used, they are likely to be considered a controller under the regulation. The third-party email tool that handles the data on their instructions is a processor.

It’s unclear at this stage exactly how much a business needs to be selling into the EU, but our best guess is that a business that sells goods into the EU and actively markets to people within the EU (as Retailer B does through its email marketing) is showing a clear intention to offer goods to people within the EU. Because of this, it seems likely they would be caught by Article 3(2)(a).

In addition, because Retailer B uses a CRM to collect and monitor their customers within the EU, they may be caught regardless by Article 3(2)(b). In either case, they will need to ensure that all personal data collected, past and future, rests on a valid lawful basis, which for email marketing generally means the data subject’s consent.

Since Retailer B is both selling into the EU and likely a controller under the regulation, it seems likely they are required to comply with the GDPR or risk facing a fine.

Retailer C

Retailer C explicitly states on their website that they do not sell goods outside of Australia. However, due to the popularity of their product, people from the EU have signed up to email lists through their website. These email addresses are fed into Facebook to create a lookalike audience and are not filtered to remove the emails of people within the EU, even though the resulting ads are only geotargeted within Australia.

Would Retailer C be affected?

Retailer C is likely to be a controller under the regulation, as they are collecting personal information from people in the EU and deciding what it is used for. In passing that data to Facebook to build an audience, they are also using Facebook as a processor.

However, they are explicitly not selling products into the EU, so Article 3(2)(a) will not apply. Retailer C may still be caught by Article 3(2)(b), as uploading the email addresses of people in the EU to build an advertising audience looks like monitoring their behaviour. It therefore seems possible that they are required to comply with the GDPR or risk facing a fine. If they do need to comply, they will need to ensure they have complied with the consent provisions, or filter EU sign-ups out of the list before it is uploaded.

Retailer D

Retailer D used to sell into the EU, however after hearing about the GDPR last year they made the commercial decision to cease trading within the EU.

Due to their previous operations within the EU, Retailer D has collected a large amount of personal data from people within the EU, including email addresses, postal addresses, gender and purchase history. All of this information was collected after customers ‘agreed to receive marketing material’ during the purchase process. Clicking on the ‘What do we use your data for?’ link next to the pre-selected check-box took the user to a page with tens of thousands of words of Ts&Cs, written by their lawyer in typical legalese. Without a law degree, it’s difficult to understand exactly what you’re agreeing to.

Despite no longer selling to the EU, Retailer D has decided that they would like to keep their existing customer data as they believe it will be helpful to their future marketing efforts. They don’t intend on marketing directly to these people, selling to them, or selling within the EU.

Would Retailer D be affected?

Retailer D is clearly a controller under the regulation, as they decide how the personal data of people within the EU is used. Despite the fact that they are no longer selling to the EU, it could be argued that by retaining and analysing this data they are monitoring people within the EU. Whether the consent obtained in the past still holds therefore becomes an issue: the GDPR does not grandfather old consent, and data collected before May 2018 may only continue to be processed on the basis of consent if the way that consent was obtained already meets the GDPR’s standard (Recital 171).

Under the GDPR, consent must be a clear, affirmative action (so the pre-checked box will not count; Recital 32 says as much), and the information provided must be easy to understand (which these Ts&Cs were not). Retailer D will now need to decide whether the benefit of retaining this historical personal data is greater than the cost of obtaining valid consent from all data subjects within the EU, or else delete it.

Time to get compliant

Okay, so you’ve weighed up the benefits of selling into the EU or monitoring behaviour within the EU against the cost of complying with the GDPR, and you’ve decided to get compliant. If you’re feeling overwhelmed or unsure of exactly what you need to do, you’re not alone. Many businesses, even within the EU, are simply not ready.

The first thing we recommend doing is consulting an expert, or a team of experts. Until then, the UK Information Commissioner’s Office (ICO) publishes a 12-step checklist for preparing for the GDPR that is a good starting point for any business.

The intention of the GDPR is to protect individuals and their privacy – an admirable goal. Australian companies who do a significant amount of business within the EU would do well to get their policies and procedures up to scratch, stat (especially where they are also established within the EU).

With fines of up to €20m or four percent of global annual turnover, whichever is higher, a serious breach could cause the offending business to topple over.

This does raise the question of whether, for a smaller retailer operating within Australia and doing the occasional sale into the EU, total compliance with the GDPR is a reasonable goal. If it’s achievable, it should be the goal.

However with the likely cost of compliance and the massive question marks around enforceability within Australia, these businesses will need to make a commercial decision weighing up the risks and costs associated with total or partial compliance with the new GDPR.

We recommend consulting with an expert in the area to determine your path forward.

Sam Wood is general manager at Alpha Digital. This is a condensed version of a post which first appeared on the Alpha Digital blog.
