The GDPR and what it means for you

By HGB, Jun 5 2018
No doubt by now your inbox has been hit by nearly every newsletter you’ve ever subscribed to, telling you about the GDPR or updates to their privacy policies.

But what the heck is the GDPR all about anyway, and how does it affect your business? We shed some light on the new privacy laws.

The General Data Protection Regulation (GDPR) came into effect in the European Union (EU) on 25 May 2018. Its aim is to protect the personal data of people in the EU, and its reach is deliberately not limited to organisations based in the EU.

The regulation has big implications on compliance requirements for organisations that store or process personal information about people in the EU. Great, but we’re not in the EU, you say? It turns out that may not matter…

The GDPR applies to EU organisations, and to organisations around the world (including New Zealand) that offer goods or services to people in the EU (including free services like news articles and e-newsletters). The GDPR also applies to organisations that monitor the behaviour of people in the EU, for example by tracking website visitors, where that behaviour takes place within the EU.

This means GDPR compliance is essential for any organisation that:

  • Has a presence in the EU
  • Offers free or paid goods or services to people in the EU (e.g. anyone with EU residents on a mailing list)
  • Monitors the behaviour of people in the EU (e.g. tracks or profiles visitors to its website)

Starts to sound a bit closer to home, right? If your company only targets New Zealand or other non-EU countries, then (in our non-legal-advice opinion) the GDPR does not apply to you. Phew! However, if you do target people in the EU, welcome to this wonderful web of double opt-ins and explicit consent.

What types of organisations in New Zealand will the GDPR affect?

  • eCommerce websites that ship to the EU or sell digital products
  • Offline sales that ship to the EU
  • Software companies with users or customers in the EU
  • Organisations in the tourism industry that are likely to have EU residents on their customer or prospects list
  • Any business running advertising (online or offline) in the EU
  • Anyone with an international audience that will have people from the EU on their email list or database

How does my business comply?

The GDPR sets out a lot of detailed and broad-reaching compliance requirements. The ones most applicable to a typical New Zealand business are:

New expanded definition for ‘personal data’

We’re used to thinking of personal data as a name and surname, home address, an email address that contains a name, ID card number, and date of birth.

However, the GDPR defines personal data as any information relating to an identified or identifiable natural person. Someone does not have to be named to be identifiable, so the definition includes online identifiers such as:

  • location data (for example the location data function on a mobile phone)
  • an Internet Protocol (IP) address
  • a browser cookie ID
  • the advertising identifier of your phone.

Explicit Consent

The GDPR requires consent to be freely given, specific, informed and unambiguous, given by a clear affirmative action (Article 4(11)). Silence, inactivity or a pre-ticked box does not count (Recital 32). In practice this means organisations must get both informed AND explicit opt-in consent when collecting personal data online, whereas previously many relied on a privacy notice plus implied or pre-ticked consent.

Organisations need to ensure they are presenting information about data processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”.

What does this mean?

When someone joins your mailing list, you must provide:

  • An explanation of what they are joining
  • The terms they are agreeing to
  • A checkbox they must tick to show they understand and agree to the terms. The checkbox cannot be pre-ticked.

Organisations need to be able to prove that explicit consent was granted: who consented, when, to what wording, and for which purpose. Double opt-in for email lists, where the person confirms via a link sent to their address, is a good way to prove this.

Mailchimp has launched clever GDPR-friendly opt-in forms that have multiple checkboxes for your different lists. They also record a copy of the exact form the user submitted, so it can be used to prove consent if needed.
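As an added example (this is not code from the article, from HGB or from MailChimp), the snippet below shows what a signup back-end needs to do to make consent provable later: record each purpose separately and only if its box actually arrived ticked (browsers omit unticked checkboxes, so nothing is consented to by default), store a hash of the exact consent wording shown, and issue a signed, time-limited double opt-in token that is checked in constant time before the address is treated as consented. The consent wording, the signing key, the field names and the sample submission are all constructed for the example.

```python
"""Consent capture with double opt-in. Added example; not from the article."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical key for this example; a real deployment loads it from a secrets store.
TOKEN_KEY = b"example-only-key-rotate-me"
CONFIRM_TTL_SECONDS = 48 * 3600  # how long a confirmation link stays valid

# The purposes offered on the form. Each is consented to separately, and none is
# ticked by default: a purpose counts only if the browser sent its checkbox as "on".
PURPOSES = ("newsletter", "product_updates")

# Exact wording shown beside the checkboxes (constructed for this example).
CONSENT_TEXT_V1 = (
    "I agree to receive the selected emails from HGB. I can withdraw this "
    "consent at any time using the unsubscribe link in every email."
)


@dataclass
class ConsentRecord:
    email: str
    purposes: Dict[str, bool]          # purpose -> True only if the person ticked it
    consent_text_sha256: str           # proves which wording was agreed to
    source: str                        # which form/page collected the consent
    requested_at: int                  # unix time of the form submission
    confirmed_at: Optional[int] = None  # set when the double opt-in link is used
    # random salt so two tokens for the same address are never identical
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))


def _sign(payload: str) -> str:
    return hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _token_for(record: ConsentRecord) -> str:
    """Confirmation token bound to this record: urlsafe(payload).hmac(payload)."""
    payload = json.dumps([record.email, record.requested_at, record.nonce],
                         separators=(",", ":"))
    encoded = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    return encoded + "." + _sign(payload)


def capture_signup(form: Dict[str, str], *, source: str, now: int,
                   consent_text: str = CONSENT_TEXT_V1) -> Tuple[ConsentRecord, str]:
    """Record a signup from a submitted form and return the token to email out.

    Nothing is added to a list here: the record is pending until confirm() succeeds.
    """
    email = form.get("email", "").strip().lower()
    if "@" not in email:
        raise ValueError("no email address submitted")
    purposes = {p: form.get(p) == "on" for p in PURPOSES}
    if not any(purposes.values()):
        # No box ticked means no consent, so there is nothing to record.
        raise ValueError("no purpose was ticked; nothing to record")
    record = ConsentRecord(
        email=email,
        purposes=purposes,
        consent_text_sha256=hashlib.sha256(consent_text.encode()).hexdigest(),
        source=source,
        requested_at=now,
    )
    return record, _token_for(record)


def confirm(record: ConsentRecord, token: str, *, now: int) -> bool:
    """Double opt-in step: accept only an untampered, unexpired token for this record."""
    if now - record.requested_at > CONFIRM_TTL_SECONDS:
        return False
    if not hmac.compare_digest(_token_for(record), token):  # constant-time compare
        return False
    if record.confirmed_at is None:
        record.confirmed_at = now  # keep the first confirmation time as evidence
    return True


def has_valid_consent(record: ConsentRecord, purpose: str) -> bool:
    """Send for a purpose only if it was ticked AND confirmed by the address owner."""
    return record.confirmed_at is not None and record.purposes.get(purpose, False)


if __name__ == "__main__":
    # Constructed submission: only the newsletter box was ticked.
    rec, tok = capture_signup({"email": "Ana@Example.eu", "newsletter": "on"},
                              source="/subscribe", now=1_527_984_000)
    print("before confirmation:", has_valid_consent(rec, "newsletter"))
    print("confirm:", confirm(rec, tok, now=1_527_984_600))
    print("after confirmation:", has_valid_consent(rec, "newsletter"),
          has_valid_consent(rec, "product_updates"))
```

The record (email, per-purpose flags, wording hash, source, request and confirmation times) is the evidence you would show a regulator; the token never needs to be stored because it is recomputed from the record, and a token for one record cannot confirm another.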

Privacy Policy

You also need a robust yet easy-to-read privacy policy that covers a number of new criteria, such as who the Data Controller is, contact information for the Data Controller, the purposes and lawful basis for each type of processing, how long data is kept, and a clear statement if you are processing data outside of the EU. There is a useful article about GDPR-compliant privacy policies in the extra reading below.

Existing subscribers and explicit consent

Now you’re thinking, no problem, I’ll pop a double opt-in form and a checkbox on the subscribe page and that will be that. There’s one more thing – you need to prove explicit consent for EU residents who joined your email list even before the GDPR came into force.

If you previously used double opt-in for your email newsletters, and the wording people agreed to made clear what they were signing up for, that will be enough to prove consent. If not, you’ll need to regain consent from your EU subscribers to meet the new, higher standard, and stop emailing anyone who does not respond.

If your email list is with MailChimp, it has created an easy process to send a consent email. If you need a hand sending this email to your database, HGB can help.

Right to be forgotten

The GDPR gives individuals the “right to be forgotten” (the right to erasure), which means that if they request it, all personal data about them must be deleted without undue delay, unless you have a legal basis to keep it (for example a legal obligation to retain certain records).

Most bulk email and CRM providers now have an option to permanently delete a contact, rather than just unsubscribing them. You will need to do this if someone from the EU requests it, and you also need to remove the person from any other copies you hold, such as spreadsheet exports or a second tool.

Data Processing Agreement

The GDPR also sets rules for using third parties to process personal data on your behalf, and for transferring data outside of the EU. If your email or CRM provider processes your subscribers’ data, you need a Data Processing Agreement with them (Article 28), wherever they are hosted. If they are hosted outside of the EU, you must also tell your users where the data will be transferred to and processed, and the transfer needs a lawful mechanism, such as the provider’s standard contractual clauses. See MailChimp’s smooth online process.

This is just the tip of the iceberg

The GDPR is the most comprehensive and complex data privacy regulation in the world, and it has teeth. Failure to comply can cost up to €20 million or four percent of a company’s total worldwide annual turnover, whichever is higher.


There is a lot more to GDPR than we have covered here. Other requirements include:

  • The right of access – individuals have the right to know exactly what information is held about them and how it is processed.
  • The right to data portability – this allows individuals to retain and reuse their personal data for their own purpose.
  • The right to object – in certain circumstances, individuals are entitled to object to their personal data being used.
  • Breach notifications – where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the supervisory authority must be notified within 72 hours of first becoming aware of the breach, and the affected individuals must be told without undue delay when the risk to them is high.
  • Privacy by design and privacy by default – systems need to be built with strong privacy practices right from the start.
  • Special categories of personal data (such as health, racial or ethnic origin, religious beliefs and biometric data) that require additional protection and a specific legal basis before they can be processed at all.

…and much, much more.

But there’s good news – help is available! HGB is teaming up with DuoPlus to make sure companies are set up for the new regulations. In most cases, it’s as simple as making a few changes to your website.

We can help you through the process, so just give HGB a shout.

Extra reading

GDPR-compliant Privacy Policy

Guide to the General Data Protection Regulation (GDPR)

GDPR – the biggest changes

Free eGuide – A Marketer’s Guide to GDPR

Read the GDPR itself
