GDPR matters if your users are in EU
I’m sure you’ve heard about the GDPR data protection laws for the EU which apply not just to companies in the EU but for any that capture user data of EU citizens. You are likely to have some such contacts subscribing to newsletters, buying your products online, or viewing your website.
The GDPR is complex and contains many legalities about how you handle and use data: https://ec.europa.eu/info/law/law-topic/data-protection_en. You will want to work with your legal advisor to understand in more detail what you need to do.
Deadline to comply: 25 May 2018
What information must be given to individuals whose data is collected?
- who your company/organisation is (your contact details, and those of your DPO if any);
- why your company/organisation will be using their personal data (purposes);
- the categories of personal data concerned;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection;
- their right to lodge a complaint with a Data Protection Authority (DPA);
- their right to withdraw consent at any time;
- where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
Rights of EU Citizens
- information about the processing of your personal data;
- obtain access to the personal data held about you;
- ask for incorrect, inaccurate or incomplete personal data to be corrected;
- request that personal data be erased when it’s no longer needed or if processing it is unlawful;
- object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation;
- request the restriction of the processing of your personal data in specific cases;
- receive your personal data in a machine-readable format and send it to another controller (‘data portability’);
- request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers. You also have the right in this case to express your point of view and to contest the decision.
What’s the practical outcome for marketers? In a nutshell you need to tell people why you want to collect data and how you will do it before getting their explicit content to proceed. And once you have the data, you need to understand exactly where it is stored and have a systematic way to delete it if requested (and if you’re not obliged to keep it by tax authorities etc.)
For example on your newsletter subscribe form you might consider this…
SUBSCRIBE FORMS SHOULD
- clearly state what the subscriber is signing up for
- no prechecked subscribe boxes
- let subscribers know they can unsubscribe anytime
Campaign Monitor, a large email platform, has a good webcast about how GDRP effects marketers you might want to listen to.
If you are a Hong Kong registered company you can read more about the GDPR from Hong Kong Privacy Commissioner for Personal Data.