The General Data Protection Regulation (GDPR) is a European Union (EU) law designed to give people greater protection of their privacy and control over the ways in which their personal information is collected, stored and used.
It was adopted in April 2016 and becomes enforceable on 25 May 2018, after a two-year transition period. The GDPR replaces the 1995 Data Protection Directive. The personal data it protects includes any information about an individual that can make them identifiable, for example a personally identifiable email address, name, address, photo, religion, credit history, trade or industry, and so on.
Whilst it is an EU regulation, it affects any company or organisation where the data controller (e.g. Facebook/Instagram), data processor (e.g. a marketing agency) or data subject (the individual) is based in the EU. It can also apply to organisations based outside the EU if they collect or process the personal data of individuals located inside the EU, or market to clients within the EU – even if not intentionally.
If the regulation is breached, penalties can include fines of up to €20 million, or 4% of an organisation’s global revenue.
Does this affect my business?
If you are a business that collects data (e.g. through contact forms), sells products, has a Facebook Pixel on your website, uses Google Ads, uses Google Analytics, uses affiliate links or has ads on your website – then yes, it does affect you (essentially it affects everyone)!
To comply with the requirements of the GDPR, companies will have to do things like update privacy policies, stop collecting certain information, anonymise the data they do collect, explicitly disclose what information is collected, for what reason and how it will be used, and ensure individuals give consent for all of the above.
We have created a list of recommendations to ensure you are complying with the General Data Protection Regulation (GDPR) prior to 25 May.
- Complete a full audit, including:
  - A list of all tools and plugins currently in use.
  - A list of the areas on your website where you collect data.
  - A list of third-party content areas. These may include Facebook Like buttons, the Facebook Pixel, Google remarketing pixels, etc.
- Your consent terms must also be kept separate from other terms and conditions. They must explain why the company wants the data and what it intends to do with it, name any third-party controllers that will rely on the consent (and ensure they are compliant with the GDPR), explain how a person may withdraw consent, and avoid making consent a precondition of service.
- Check your forms. Pre-empting a user’s response does not count as consent to add someone to your list, so pre-ticked boxes on forms cannot be used. If you want to use someone’s data, ensure you have gained their explicit consent.
- Ensure your existing email database is compliant. We recommend you run a Permission Passing campaign: a campaign that goes out to your current database and asks each contact for permission to remain on it.
- Ensure your website visitors understand the data that you are collecting as part of their visit, through a ‘cookie’ banner on your site.
- Consider activating IP anonymisation in your analytics suites. In Google Analytics you cannot see a visitor’s IP address in reports, but it is still sent to and stored on Google’s servers during tracking. Even though the IP address is (by default) never exposed in reporting, Google does use it to provide geo-location data.
- If your company regularly monitors sensitive personal information and monitors personal data on a large scale, it must appoint a data protection officer (DPO).
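The cookie-banner, no-pre-ticked-boxes and IP-anonymisation points above combined, as an added example that is not code from the original post: a consent-gated loader for Universal Analytics via gtag.js that refuses a pre-ticked checkbox as consent and passes `anonymize_ip: true`. The tracking id is a placeholder, and `loadScript` and `gtag` are assumed to be supplied by the page so the decision logic can run outside a browser.

```javascript
// Added example (not from the original post). Assumptions: TRACKING_ID is a
// placeholder, and the caller passes in its own loadScript/gtag functions.
const TRACKING_ID = 'UA-XXXXXXX-Y'; // placeholder property id, not a real one
const GTAG_SRC = 'https://www.googletagmanager.com/gtag/js?id=' + TRACKING_ID;

// Explicit consent means the user ticked the box themselves. A box that was
// rendered pre-ticked (defaultChecked) does not count, even if it is still ticked.
function consentIsExplicit(checkbox) {
  return checkbox.checked === true && checkbox.defaultChecked === false;
}

// Options for gtag('config', TRACKING_ID, ...). Without anonymize_ip the full
// visitor IP is stored on Google's servers; with it, Google truncates the address
// (last octet of IPv4, last 80 bits of IPv6) before storage and geo lookup.
function hardenedConfig() {
  return { anonymize_ip: true };
}

// Loads the tracker only after explicit consent. Returns the config that was
// applied, or null when nothing was loaded (no script, no cookies, no IP sent).
function bootstrapAnalytics(checkbox, loadScript, gtag) {
  if (!consentIsExplicit(checkbox)) {
    return null;
  }
  const config = hardenedConfig();
  loadScript(GTAG_SRC);
  gtag('js', new Date());
  gtag('config', TRACKING_ID, config);
  return config;
}
```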
If you would like some more information about the GDPR, we recommend the following websites for further reading:
GDPR website links:
Office of the Australian Information Commissioner:
Other marketing industry articles:
Note these are Pitstop Marketing’s recommendations, and should not be seen as legal advice.