Have you heard of the European Union’s (EU) new privacy law, the General Data Protection Regulation (GDPR)? It came into effect on 25 May 2018, and is known as “the most important change in data privacy regulation in 20 years”. While it is an EU law, it applies not only to EU-based entities, but also to any organisation worldwide (including those in New Zealand) that have personal data of EU citizens or residents, even if these residents are not living in the EU. The fine is hefty; up to $20 million euros or 4% of annual worldwide turnover (whichever is higher).
Now is a good time to review your marketing strategies that involve collecting, tracking or using your customers’ personal data. While we recommend you consult with a legal and/or privacy professional to understand the full scope of your obligations under the GDPR, here are some tips that might be helpful for fulfilling your compliance obligations.
Firstly, it’s important to understand what is meant by ‘Personal Data’.
Personal data is broadly defined in the GDPR as any information relating to a person who can be identified either directly or indirectly. These can range from from personal details such as name, address, financial, medical and location details to images and voice recordings. The Law Society of New Zealand provides a comprehensive list of all the forms of personal data included under GDPR.
What are the New GDPR Regulations?
There are multiple changes as to how a business can use personal data from now on. Three major changes that are most likely to affect New Zealand businesses are:
The customer now has to take clear, affirmation action to give consent for the use of their personal information. Inactivity does not constitute as consent.
The business must give a clear, specific explanation to the individual of what data will be collected and what it will be used for.
The data can only be collected for a specified, explicit and legitimate purpose and may not be used for any alternative purposes.
What Action Should You Take as a Business Owner?
Review these processes below to ensure they comply with GDPR requirements.
1. Update Sign Up or Subscriber Forms
Review consent with existing subscribers, and if it contained a pre-ticked box or any other form of non-action gaining of consent, run a “re-permission” email campaign to gain consent that complies with GDPR legislation.
Review your subscription forms for new subscribers and ensure they have to actively consent to the use of their personal information, such as an ‘opt-in’ box.
Ensure you have an easy “opt-out” option for users to withdraw their consent later on.
Ensure you are transparent and clearly state what personal data you will be collecting and what purpose you will be using it for.
Explicitly state any third-parties that you will share user’s personal data with, such as analytics and payment processes.
Ensure the policy is written in simple language that is easy to understand to the user.
Explain the subscriber’s right to, at any time, submit a ‘User Access Request'. This means providing the user, free of charge, the following information: what personal information is being processed, why this information is being processed, who has access to it and how this information is being used.
3. Notify Existing Customers
How Will GDPR Affect Your Social Media Marketing Strategy
The posting of content and engaging fans will not be affected majorly by the new regulations, because it does not usually collect personal data from users who view or engage with it. However, there are still two things you should avoid doing:
- Exporting or saving the contact details of your followers
If you are sending traffic from your social media account to your website and using Google Analytics to analyse this, you will need consent to track visitor behaviour
- Social advertising (or paid social media marketing) is a different story.
If you are running social media ads, and wish to use your customers’ data or track their behaviour, you must gain their legal consent to do so. This means having clear ‘opt-in’ option, which the customer must actively consent to. While most of this will be covered in the terms and conditions and privacy notices of the majority of social media platforms, it would be wise to check this and ensure you are gaining consent through their policies.
If you are using lead form ads, such as on Facebook, you will need to state what you are using the data for, how it will be processed and gain explicit consent again from the user. Facebook now allows you to add a custom disclaimer to your page, which you can use to include all the additional necessary information to comply with GDPR.