This post is by Anton Buchner, a senior consultant with TrinityP3. Anton is one of Australia’s leaders in data-driven marketing, helping navigate through the bells, whistles and hype to identify genuine marketing value when it comes to technology, digital activity, and the resulting data footprint.
Important changes to data privacy for EU marketers
From 25 May 2018, Australian businesses of any size will have to comply with the European Union’s (EU) General Data Protection Regulation (GDPR) requirements if they:
- have a business entity in the EU
- offer goods and services in the EU
- monitor the behaviours of individuals in the EU
What is the GDPR?
It’s a regulation designed to standardise data privacy laws across Europe and to protect and empower all EU citizens’ privacy.
It’s similar to the Australian Privacy Act, and is helping reshape the way organisations across the EU approach data privacy.
The GDPR applies to ‘personal data’, which means ‘any information relating to an identified or identifiable natural person’ (refer Article 4) – including a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
It also introduces a new concept of “pseudonymous data” – in simple terms, personal data that has been subjected to technological measures (like hashing or encryption) such that it no longer directly identifies an individual without the use of additional information.
And it goes further than the Australian Privacy Act in offering additional protections to the processing of ‘special categories’ of personal data, which includes:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- genetic data, and biometric data processed for the purpose of uniquely identifying a natural person, such as fingerprints, facial recognition, retinal scans etc.
- data concerning health
- data concerning a natural person’s sex life or sexual orientation
So if you’re advertising, managing social media platforms, or conducting analytics that track or monitor activity and individuals from the EU, then you’ll need to update your policies, procedures and systems accordingly.
You’ll need to revisit what data you are collecting and understand whether it is caught by the personal data requirements of the GDPR.
And you’ll also need to evaluate your information handling practices and governance structures and seek legal advice where necessary.
- the ‘accountability principle’ (Article 5) refers to ‘principles relating to the processing of personal data’
- and data controllers must also appoint data protection officers, a sort of ‘privacy champion’ role, to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures.
The basics of permission marketing & unsubscribe management
In Australia, I’m sure you know that the 2003 Spam Act governs the ability for people to unsubscribe from a mailing list. All electronic marketing and promotional communication must contain an easily accessible unsubscribe facility.
Cellarmasters Wines found this out the hard way when the Australian Communications and Media Authority (ACMA) found them to be in breach of the Spam Act. Cellarmasters Wines was fined $110,000 for sending some promotional email marketing messages that did not have an opt-out facility, and for sending some messages to customers who had previously opted out.
And Grays (the parent company of GraysOnline auction network) was also fined $165,000 for the same infringements.
At TrinityP3, like most organisations, we provide email addresses to our consultants and employees to allow them to do their work, including subscribing to industry trade media and communicating with clients.
When those consultants and employees leave, we have a policy of continuing to monitor those email addresses so that we can follow up if clients contact the company not knowing that the person has left TrinityP3.
But one of the issues we have faced is that at least two trade media outlets, who should understand permission marketing better, do not appear to have a functioning unsubscribe process.
As part of our email monitoring we unsubscribe the email address from any subscriptions, but in these two specific cases, unsubscribing the email address many times has had no impact and their emails continue to be sent.
Is it because it is in their best interests to maintain their subscription volumes on their daily newsletter database or is that just being cynical?
But it raises the concern that if these media outlets are unable to comply with the rules on managing personal data, what hope do other companies have in complying with the new EU GDPR legislation?
So the message is loud and clear from a legal point of view.
Being personal is a matter of privacy
As part of your marketing strategy, your aim is to ideally provide personalised content that is valuable, interesting and timely.
And to do this successfully, you will need to capture some personal customer information.
So the GDPR is a good reminder for Australian businesses to make sure that they’re also up to speed with the Federal Government’s Privacy Amendment Act.
The amended act sees the National Privacy Principles and Information Privacy Principles replaced with a new set of 13 Australian Privacy Principles (APPs):
APP 1 – open and transparent management of personal information
APP 2 – anonymity and pseudonymity
APP 3 – collection of solicited personal information
APP 4 – dealing with unsolicited personal information
APP 5 – notification of the collection of personal information
APP 6 – use and disclosure of personal information
APP 7 – direct marketing
APP 8 – cross-border disclosures
APP 9 – adoption, use or disclosure of government related identifiers
APP 10 – quality of personal information
APP 11 – security of personal information
APP 12 – access to personal information
APP 13 – correction of personal information
You can delve into the detail here
And if you’d like to delve into the articles of the GDPR, then simply click here
With news breaking this week of Cambridge Analytica accessing more than 50 million Facebook profiles to profile millions of users for their clients, marketers must be even more vigilant when it comes to the use and protection of customer data and details. As investigators and regulators around the world question Facebook on how they allowed this to happen and with new GDPR data regulations from the EU coming into force in May this year, marketers will need to ensure they have a rigorous process for managing their customer data and for how they use it for email or to personalise advertising and sales messages.