The European regulation on the “protection of natural persons with regard to the processing of personal data and on the free movement of such data” becomes law today – does this affect you, and are you ready?
Now, first things first. I’m no lawyer, and no expert on GDPR – but if you’re running a public website that is collecting, or has collected, any data on people (including names, email address, IP information or pretty much anything from users or clients) where “one party is from a European Union country or European Economic Area”, then the GDPR may (and probably will) affect you.
The GDPR stands for the ‘General Data Protection Regulation’. It replaces a directive (a weaker form of rule that needs ratifying by EU member countries). This new regulation needs no ratification. It’s law. From today.
No doubt many of you, like me, have been receiving several odd-sounding emails over the past few days from websites you may be a member of, forewarning you of changes to their privacy policies in the wake of the impending GDPR. You may have given them a cursory glance and wondered what all the fuss was about.
In a wonderful irony, some people have conjectured whether these emails in themselves may be conflicting with GDPR. Very meta.
So what? I hear you scream!
Readers of this who are in, say, Australia, and who do not have any clients or users residing in the EU may not be affected at all. But have a look at your Google Analytics – do NONE of your users or clients reside in the EU? What information do you (or might you) store on them?
Remember, you do not own client or user data, you borrow it. With the ever-growing importance of data and data analytics the world over, the GDPR is a regulation to pull some of this power back to those who own the data, the very people the data is collected from and about.
If you want to read the entire 199 page regulation, then please knock yourself out, it’s here.
There are two implications here:
- Do you comply now, and do you need to make changes to how you collect and store client/user information from those who may reside in an EU country?
- What changes may come down the pipe in Australia, and will we have our own GDPR in the future?
The answer to the second question is “Probably Yes”, but we have no idea when that might be (yet), and what form that may take.
In response to the first, it is incumbent on you to do your own research, ask around, and check what you need to do to comply with this regulation. At the very least, run an audit on what data you currently collect on your users and clients, where it is stored, what it is, and what you do with it. That’s probably the ‘right’ thing to do anyway, irrespective of GDPR.
The context behind this of course is how private and personal information is treated. When social media sites started growing in use about ten years ago, there were those that said “if you are not paying anything, then you are the product”. After the Facebook / Cambridge Analytica ruckus of recent months, and its possible effect on the US Presidential election, this issue has become global and in sharp focus for many.
What are WA Startups doing about it?
When Startup News contacted several startuppy types this week, we did not find many who were that bothered, to be honest.
One person who’s given it a lot of thought is Scott Kevill from GameRanger.
“My impression is that many businesses are in denial about whether it even applies to them, and most are waiting to see what everyone else does,” Scott told Startup News. “There are no ‘right’ answers or role models to learn from. No one really knows what will happen until May 25, but it will likely take much longer than that before anything becomes clear.”
Scott also believed much of this change had been over-hyped and there was a lot of confusion around.
“I am glad that privacy and data protection are finally being taken more seriously, but far more clarity and guidance are needed,” he said. “The GDPR does affect GameRanger, and I have been preparing for it. Even though I had already taken a privacy-conscious approach to data from the beginning, the hardest part has been trying to understand exactly *what* the GDPR requires for compliance in their view, rather than the tasks themselves.”
At the very least, it might be an idea to look at your privacy policies and practices around the capturing and use of private data.
He runs through six principles of the GDPR:
- Data has to be processed in a lawful, transparent manner
- Data can only be collected for explicit uses (i.e. it has to be explained upfront)
- Data can be only used for the purpose it was collected (e.g. ‘Download my eBook by putting in your email address’ – you can only use that email address to send them the eBook)
- Data shall be accurate, correct and kept up to date
- Data that identifies a person can be kept no longer than is necessary
- Data is processed in a manner that assures appropriate security (e.g. using SSL certificates)
“You must get separate consent before you can place someone on an email marketing list”, Zion explained in the podcast. “In the past you could have a tick box to place someone on an email marketing list when they were signing up for something like an eBook… now you have to have a separate landing page or something like that to get their consent.”
“More than that, you have to sell people on the benefits of signing up to your mailing list – you can’t just give them a freebie to entice them.”
That’s a big change from what most websites do right now. I wonder if they’re ready…
UPDATE: After this article was first published, we heard from Stuart Hall from Appbot…
Stuart said: “Yep it was a pretty big job for us! But most of what it is trying to achieve I agree with as a user of the internet.” And Stuart provided this link in which the GDPR changes are explained as regards Appbot.