WTF is GDPR?
On 25 May 2018, the European Union introduced sweeping reforms to its privacy regulations, in the form of the General Data Protection Regulation (GDPR). Generally, it's a set of new regulations that aim to give individuals in the EU control over their private data. It represents one of the first modern laws designed specifically to tackle online privacy issues in this modern post-Facebook world. Due to the global nature of the World Wide Web, these regulations naturally have a wider-ranging scope than just the European Union, which is where things can get confusing for those of us outside that region.
Straight up, here's a disclaimer: I'm a CTO, not a... law talkin' guy. I'm not here to lecture you about European privacy laws. This post simply aims to sum up what GDPR means for you, as a digital marketer in Australia.
GDPR in a nutshell
There are a few key terms and definitions that relate to our industry, in terms of managing private data, and individuals' rights to their own. According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer's IP address."
Obviously the regulation is very detailed and far-reaching, however in most cases, any action we are likely to be involved with boils down to one of three things:
1. Consent
Personal data may not be processed at all, unless the person has explicitly given informed consent. This sounds familiar, but it is really a very different kettle of fish to the old "I agree to the terms" checkbox.
Kentico provide some nice tips and real-world examples on writing good consents in their blog post GDPR – Building Consents and Privacy Notices.
Consent must be "specific, freely-given, plainly-worded, and unambiguous affirmation". It can't be assumed, with the option to opt out, the way many sites currently warn you about cookies - this would be a clear violation and is a key example they use frequently. Consents for different things also can't be bundled together. And finally - consent must be able to be withdrawn at any time, and it needs to be just as easy as giving consent in the first place.
There are some rare instances where it can be assumed that the person has given consent, for example a merchant can assume it's ok to use a customer's postal address to post them their order.
2. Right of access
Individuals have the right to know what private data is being held and how it is being processed. They can request this data, and if requested, they must be given not just a copy of the data, but also an overview of what kind of data is being processed, how it's being processed, how it was acquired, and with whom it is being shared.
This then extends to a right to data portability, which essentially means if a user wants to request their data and take it elsewhere, you can't prevent them from doing so.
3. Right of erasure
Perhaps more commonly (and less awesomely) called the "right to be forgotten", this simply means a person can request that any personal information on them be deleted.
Cool, but how can a European regulation affect Australians?
First, a few more definitions:
Data controller
An organisation that collects personal data, even if they don't do anything with it.
Data processor
Any organisation that processes data on behalf of a data controller.
Data subject
A person. Someone with personal data.
Here's the pinch: the rights and regulations apply to all citizens or residents of the EU, not just business conducted within the EU, or even just organisations located within the EU. If anyone at all involved - the data controller, data processor, or data subject - is European, then the regulation applies, and can be enforced, regardless of whether the processing takes place in the European Union or not.
This can all be a bit much to process, so here are a few examples:
- if your SaaS service (such as a headless CMS) is hosted in Europe, they need to comply with the regulations since they're controlling your customers' data
- if you have European customers, or business in Europe, then you must comply with the GDPR
- if you target even a proportion of your business at customers who are citizens or residents of the EU, you must comply
- if you have a German language version of your site, you're targeting Germans, so you must comply
- if you operate entirely outside of Europe, in English, but you list multiple prices including Euros on your online store, you're targeting Europeans, so...
(Sorry, I couldn't resist.)
Ooh, I'm scared... what are you going to do about it Europe?
The fines for non-compliance can be very, very hefty: 20 million Euros, or 4% of your revenue, whichever is larger.
Sure, we are a long way from Europe, and we run completely separate legal and court systems. So the sanctions and penalties work a little differently. They have, however, committed to enforcing the regulation outside of the EU.
It's unclear without a lot of precedent, but some examples of how it could be enforced include:
- Restriction of trade in the EU
- Official legal action brought against you in European courts, which you could have to face if you ever arrived to do business (or potentially even just visit, if you're a company director)
In my highly opinionated view however, the reason you need to be getting across GDPR now is not the threat of international fines, it is this...
Australia's current privacy regulation
The Privacy Act 1988
Yep. 1988. One year before English scientist Sir Tim Berners-Lee invented the World Wide Web.
There's not much point going into how ours work, because they're outdated, and in my very strong opinion, they're not going to last much longer now that the rest of the world is setting a better example.
Serial privacy regulation challengers/violators such as Facebook are already being dragged over the coals in countries all over the world, and privacy regulations for the most part have not caught up. The whole world is watching what's happening in the EU.
Countries with ageing privacy laws (such as The Privacy Act 1988) are likely to follow suit, with some changes. At its core, the GDPR is really quite reasonable, and is designed to protect the rights and privacy of individuals.
In short, I would expect Australians to be looking at conforming to something like this within a few years.
What can I do to be ready?
The good news is that most of our preferred CMS platforms are headquartered in the EU, so they're all over it!
While compliance with any legal requirement is always up to you in the end, a good CMS platform should include features that help you take action when you need to. For example, it could provide features that help you:
- find and export or remove any personal data when requested to do so
- prevent personal data from being recorded or processed without consent
- obtain and record consent for processing user data
It just so happens that our CMS platforms of choice provide these very features.
The right tool for the job
Kentico EMS spent years building up its impressive data controlling and processing features, just to then spend months fine tuning them and adding more features on top to allow you to use them while still complying with GDPR.
Kentico Cloud has the benefit of having a narrower/headless feature set and being developed almost entirely within the timeframe of GDPR being a known quantity, so even though it is the new kid on the block, it comes with its own Personal Data API to help you meet your GDPR obligations.
In 2018, any enterprise-level CMS platform worth its salt should provide resources and tools to help you meet emerging privacy regulations, be they the GDPR of today, or the inevitable Australian privacy regulation update of tomorrow.