green plant in nature

Are you GDPR compliant?

By now you’ve probably heard, read, or received an email about GDPR. And, if you’re like many businesses across Australia, you’ve likely plonked GDPR compliancy into the ‘too hard’ basket. While ignoring GDPR seems far more appealing than figuring it out, it’s actually a pretty important thing to get your head around and comply with. That’s why we’ve broken down the jargon and outlined a few simple steps that you can take to get on the right side of the new rules.

What is GDPR?

The General Data Protection Regulation (GDPR) was created by the EU to protect the data rights of its people. The new regulations make it easier for EU folk to find out how their personal info is being stored by businesses and organisations, and how it will be used. It also brings in some much heavier fines for anyone who misuses personal data. In essence, the GDPR adds a layer of transparency to data collection –a good thing for everybody. 

The GDPR actually came into law in 2016 but the regulating authorities gave everybody until May 25th 2018 to make any necessary changes. The problem is, that we’re only really hearing about it here in Australia now. And while the GDPR was created with EU residents in mind, the impact is a bit more global than that.

How does it impact Aussie businesses?

You may be wondering how and why a regulation enforced in the EU would impact on Australian businesses.  The truth is, that if you have a website, send out email marketing, or have active social media accounts then your business is potentially global and therefore accessible by anyone within the EU. If you have a contact form on your website, use the Facebook pixel, or even access Google Analytics, you are technically collecting personal data. This means there are a few things you will need to do to become GDPR friendly.

How to become GDPR compliant

  1. Update your Privacy Policy

Every business must have a GDPR compliant Privacy Policy available on their website. 

It should be easy to understand and digest and it should explain:

– What data you collect

– Why you collect it

– What you do with it

– Who you share it with eg. Facebook, MailChimp etc

You must reference your privacy policy anywhere that you collect data.  If you don’t already have a privacy policy in place, this should be a top priority. IUBender offers an easy ‘build it yourself’ privacy policy option https://www.iubenda.com/en/.

  1. Keep your emails GDPR- friendly

Make sure you have an unsubscribe option on any emails you send out. 

Tip: Use an email marketing platform like MailChimp or Active Campaign rather than your personal account so that recipients have the option to unsubscribe.

Opt-ins must not be a condition of product, offer or service.

If you offer an opt-in gift such as a download, exclusive access, or any other kind of freebie, you now need to make this available regardless of whether users subscribe.

Keep your mailing lists separate

Just because someone subscribes to one mailing list does not mean you have permission to add them to other opt-in mailing lists. 

Opt-ins must be clear and unambiguous

Users must be able to easily understand what they’re signing up for and the opt-in boxes must be unticked by default.

Tip: Double opt-ins are a good way of covering yourself here.  A double opt-in is an additional step that asks the user to verify their email address and re-confirm their interest.

While this may reduce your overall number of opt-ins, it means the quality of your email list will be much better.

Do I really need to send out emails to all of my current subscribers?

No, you don’t. Providing you have collected data fairly and appropriately via opt-in before GDPR came into effect, those subscribers can stay on your list. But, if you are unsure of how you collected their personal data, it’s a good idea to send a re-subscribe email just to be sure.

What about those pesky privacy policy update emails I’ve been getting?

It is not a requirement of GDPR to send out an update of your privacy policy.  You simply need to have it accessible on your website.

What are the penalties for GDPR breaches?

The fines for non-compliance are somewhat hefty.

  • Up to 2% of your annual turnover for failing to report a data breach within 72 hours of becoming aware of it.
  • Up to 4% of annual turnover or €20 million (whichever is higher) for the data breach itself.

Anything else?

If you want to be 100% sure that you are in full compliance with GDPR, we highly recommend enlisting the services of a lawyer to go through your website and check all of the legal bits and bobs.

Need some help with your website?

We’d love to hear from you.

Click here to get started