How GDPR affects Australian Marketers

by Kyle Vermeulen
May 23, 2018

There’s a reason why your inbox is full of emails about updated privacy policies.

Europe’s new data protection law, the GDPR, comes into effect on 25 May.

The General Data Protection Regulation, or GDPR, aims to protect European user data via new rules and policies on the collection, storage, and use of personal data. It also outlines the rights of individuals to protect, access, and modify their own data, including a newer clause called “Right to be Forgotten”.

The fines for non-compliance are stiff: from 25 May, the penalty for breaches can reach up to 20 million euro or 4% of a company’s annual global turnover, whichever is higher.

So, the 20 million euro question is…

Does the GDPR apply to Australian businesses?

It depends.

Businesses that offer goods or services to customers in the European Union (EU) need to be GDPR-compliant—for European user data—regardless of where the business is based.

According to the Australian Government, “Australian businesses with an establishment in the EU, or that offer goods and services in the EU, or that monitor the behaviour of individuals in the EU may need to comply.”

Even more specifically…

“Australian businesses that may be covered include:

  • an Australian business with an office in the EU;

  • an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros;

  • an Australian business whose website mentions customers or users in the EU;

  • an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes.”

If you’re unsure of your eligibility and obligations under GDPR, we recommend getting legal advice.

What are the key elements of the new regulations?

In case you don’t want to wade into the 150-page, 54,328-word document, here’s a quick summary of the key elements that impact marketers.

  • Businesses must collect users’ consent to receive communication about marketing, or any other communication that is not related to their original enquiry. The new requirements state that “pre-ticked boxes or inactivity should not therefore constitute consent” (which is in line with the Australian SPAM laws already on the books).

  • Businesses must make it easy for users to see what consent they have given, withdraw it, and register an objection.

  • Businesses need to tell users if cookies are being used to track them, and if so, they must consent to their use.

  • Users have the right to request that their personal data be permanently deleted in a timely manner.

  • Users have the right to request a copy of their personal data.

  • Users have the right to request that any of their personal details be corrected if they are inaccurate or incomplete.

  • Businesses must ensure that sensitive customer data is protected by up-to-date and effective security practices.

  • Businesses must report data breaches to proper authorities within 72 hours.

That all sounds complex. What’s actually going to change?

Great question.

When I recently spoke to the CEO of an international marketing platform, they admitted there’s still a ton of uncertainty about what this means for Australian marketers.

Because the new requirements apply to all data previously collected, it means companies will need to re-opt in all EU users if their data was captured in a non-GDPR way. Ouch. That could completely change the way companies use their current email marketing list.

Here are a few predictions for what GDPR means:

I believe we’ll see the European Commission going after the largest companies with the most egregious privacy violations. In the context of Cambridge Analytica, this is a good thing.

We’ll likely see global companies rethinking what data they need to capture. Perhaps we’ll say goodbye to the wild west days when brands and analytics platforms captured every single data point possible, with the hopes of crunching it into something useful later.

We’ll likely see better practices in user privacy, email opt-in, and data-management across countries and industries. Just as the 2003 American CAN-SPAM Act has become “best practice” over time (for example, including the sender’s address in marketing emails), we’ll ultimately build better practices around marketing consent and opt-ins.

The “right to be forgotten” means that marketing platforms will add the option for companies to more easily process the removal of individuals’ data from third-party platforms, which is a good thing.

Overall, I think the biggest change will be for email list growth and lead generation. Marketers working in the GDPR context will face a larger hurdle in building email and customer databases and will be forced to introduce clearer hurdles to opt-in processes. This is ultimately good for customers and their inboxes, but bad for companies that depended on growing their email list for sales.

As this is the largest privacy change of the online era, it remains to be seen how it changes marketing outside of the EU.

If you’re terrified of the changes coming into effect on May 25, one option is to simply block all traffic coming from the EU.

Sort of joking… sort of not.