General Data Protection Regulation: What Australian Retailers Need to Know

General-data-protetion-regulation

Have you heard of the GDPR? You haven’t?! *GASP*

General-data-protetion-regulation

Just kidding! You’re a busy person so it’s ok if missed it amongst all the Donald Trump news and memes on your social feed. At this moment in time, it’s ok if you don’t know what those four letters mean, but sadly this isn’t a matter of ignorance is bliss.

You need to know about the new data regulations and I’m here to teach you in the most pain-free, and easily digestible manner possible.

Disclaimer: I’m not a lawyer, the advice I’m about to give is only a summary of what we know so far. If you are confused by any of the regulations and feel that your businesses current practices may breach any of them, please consult a legal professional.

What is the GDPR 

The General Data Protection Regulation (GDPR) is a set of laws designed to standardise data protection regulation across all 28 EU countries.

Before you ask, it’s not a result of the Facebook shi*tstorm, it’s been in the works for years. It just happens to come into play at a very convenient time! The regulations will impose strict (and much needed) guidelines for how companies handle and protect consumer data.

They will be enforced from the 25th of May this year and they’re no laughing matter, slap on the wrist sorta ‘guidelines’. Companies could be asked to pay up to 20 million euros (31 million AUD) or 4% of their total global annual revenue (whichever is larger) for serious breaches.

‘Ok, well that’s all well and good but how will it affect Australian’s?’, Great Question! These laws are being rolled out in the EU…however, there are instances where they could affect Australian retailers.

The Office of the Australian Information Commissioner (OAIC) has warned that businesses of any size that do any of the following will need to abide by the regulations. 

  1. Have an establishment in the EU
  2. Offer goods or services in the EU
  3. Monitor the behaviour of or collect data from individuals in the EU

‘Yay! I don’t do any business in the EU I’m safe, no need to worry’.

Hold up one sec! You may not have business in the EU…YET, but what if you decide you want to a few months down the track? OR what’s your plan if the Australian Information Commissioner all of a sudden decides, ‘hey these new data protection regulations are working well in the EU, why not bring them down under?’ <- highly probable if you ask me!

In my opinion, even if you aren’t legally bound by these regulations it’s a good idea to start practising these changes to not only save yourself a serious headache down the road but also to show your audience that you value privacy and transparency.

Let’s Take a Look at These Scary New Regulations 

It’s important that you’re aware of the regulations as you will be expected to be compliant by the cut off date May 25th. Also, don’t be scared of these regulations. They’re not here to punish marketers. They are pushing us in a positive direction and encouraging more consumer-friendly, transparent and humanised marketing…and that’s a win for all parties.

Important Terms

Data Controller 

You are the data controller when you decide the “purposes” and “means” of any processing of personal data.

So if you’re the marketer building the campaign, funding the ads or even the intern putting it into place, you are the data controller. Your responsibilities involve following compliance measures, documenting what it is been used for, how long it is being retained for and ensuring that users have a right/are aware of their right to access the data held about them.

Data Processor

The data processor in the person/or system that processes personal data on behalf of the controller. Data processors and must bind data controllers to certain contractual commitments to ensure that data is processed safely and legally.

Facebook, for the most part, operates as a data controller, controlling what you see in your newsfeed, delivering your targeted ad campaigns and giving you Facebook insights. However, there are also instances where Facebook acts as a data processor acting on behalf of businesses.

Personal Data

Anything that relates to an identifiable person – email address, IP addresses, biographical data, geographical data etc. For data to be ‘personal’ it must contain more than one identifying feature, for example, a name and a phone number. Data can be made anonymous and retained for analytical/reporting purposes by removing personally identifying points from data sets.

Now let’s look at the way data can be used

Under the new guidelines, you will need to clearly document your reasons for collecting and retaining data. You will also need to clearly identify your lawful basis for data handling. The GDPR identifies three lawful reasons for data collection and use, they are as follows:

  1. Performance of a contract: When someone makes a purchase or begins paying for your services. You can email billing information, onboarding etc. the catch? Any correspondence must be in relation to the contract that has been formed, you can’t then send them partner content
  2. Legitimate interest: there are two types of legitimate interest. Number 1, ‘you’ve bought this product, we think you may be interested in this…’ this is called a soft opt-in. Number 2, is a voluntary opt-out. This exemption is for B2B businesses who are allowed to send non-customers emails relating to actions they have taken in the past ‘We see that you are subscribed to this, are you interested in our service?’ – for non-customers, you must offer a clear opt-out and also disclose where you have obtained their data
  3. Notice and consent: users are made aware of how there data will be used and their privacy rights.

Consent: freely-given, opt-in 

  • Track consent on individual basis
  • Offer clear pathways to opt out

Notice: transparent, easy to understand privacy notices

  • Explain the reason for acquiring data/ use of data (checkbox opt-in) – should a regulator come you’ve got proof
  • Also, explain their right to access, modify and redact any data given

Note: Both options require you to clearly identify how you plan to use the data. This must be done in the form of high-level notices at the point of data collection,not small print hidden in your T’s and C’s. Let’s be honest no one reads the T’s and C’s word by word!

The Changes You Need to Keep on Top of 

Pixels 

If you are using Facebook pixels to track traffic on your website and landing pages you will now need to disclose to users that Facebook or any other third party may use cookies, web beacons, and other storage technologies to collect or receive information, how these users can opt out of this and instructions on how they can exercise their privacy rights by blocking cookies.

You or partners or partners acting on your behalf may not place pixels on websites place pixels associated with your ad account or business manager on websites you do not own without your written permission.

Data Retention

The GDPR advises that if you haven’t had an interaction with someone in 12 months you should delete (or de-indentify it) that data, or better yet reach out to them before that period is over to try and regain their consent.

Data Breaches and Security

You’re required to ensure your data collection and management services are up to a certain security standard and any sort of security breach is reported within 72 hours – you may also be required to notify the data subjects if their privacy has been breached.

Facebook Changes

While we are at it I also want to explain some important changes to Facebook’s data privacy laws!

Once again Facebook’s changes weren’t entirely shaped by the recent data scandal, they were already in the process of rolling out the changes in order to meet compliance by the GDPR cut-off next month. However, the recent data scandal has caused them to clamp down harder on data privacy and develop their own regulations that go above and beyond those set by the GDPR.

Large Facebook Followings

Facebook pages with large followings will now need to be verified. Without that infamous blue tick, you will be blocked from posting to your audience until you have cleared the proper verification process. This will make it much harder for scammers to buy pages with large followings.

Goodbye Third-Party Providers 

The biggest change comes as no surprise! Third-party data, which has been subject of controversy in the past (how on earth does Facebook know our average houselhold income!?) is in the process of being phased out. Third party data sourced from companies like Datalogix, Epsilon, Acxiom, and BlueKai makes up almost half of Facebook’s 1,200 targeting points so this is a huge change!

Here’s a timeline of events you need to be aware of:

May 10: From this day you will no longer be able to create or edit Facebook campaigns using Partner Catergories built on data sourced from the UK, Germany, and France. Previous campaigns will continue to run until May 24

May 25: Targetting options will no longer be available for Partner Categories built on data sourced from UK, Germany and France

June 30: Marks the last day for creating of editing existing campaigns using non-EU partner campaigns. They can continue running until September 30.

October 1: All other partner categories will no longer be available as targeting options and Facebook will stop delivering to these audiences

You will be notified along the way if you campaigns are using source data that is about to phased out, but save yourself a headache and get onto it proto!


Sorry for writing a short novel but there’s just so much you need to know. If you’ve made it this far you should reward yourself with a your favourite Uber Eats takeaway, or stuff it just take the rest of the workday off (kidding! Don’t listen to me).

In all seriousness, there’s a lot you need to be aware of with the new Facebook and GDPR regulations. I would recommend you do your research and there’s no harm in consulting a professional to make sure you’re compliant by the cut-off date. This could save you some serious moolah in the long run.

I want to finish this on a positive note by saying, although it may look like the government is just adding a few extra pages to your already mile-long to-do list, these new regulations are much-needed. We’re in an age of transparency and the businesses that choose to empower the consumer and show respect for their privacy are the ones that will thrive!

Leave a Reply

Your email address will not be published. Required fields are marked *