
GDPR: What is it and how will it affect my business?

by Angela Harbinson
on 9 May 2018, 6 min read

If you are anything like us, you have probably seen loads of information flying around about the EU’s upcoming GDPR laws. Even though we’re not in the EU, let’s face it, we now live in a global society where data protection is at the forefront of people’s minds. So as Australian-based marketers, we wanted to know how these changes would affect us and our clients.

Now that we’ve read through many reams of information, we’ve pulled together a clear guide that details what we all need to do to be compliant come Friday 25 May 2018.


What is GDPR?

GDPR stands for “The General Data Protection Regulation”, a new privacy law from the European Union that goes into effect on the 25th of May 2018. The GDPR applies to all “personal data” of EU citizens, which is considered to be any data that makes a person recognisable, such as email addresses, names, physical addresses, phone numbers, etc.

Put simply, the GDPR aims to unify data privacy requirements. While it is currently a European Union law, businesses worldwide must familiarise themselves with the legislation as it will inevitably change the way we all operate.


Will I be affected by GDPR?

YES! Regardless of your location, if your business markets to or processes the information of people residing in the EU, then the GDPR will affect you.

And with the May 25th deadline looming, businesses have a limited amount of time to understand what these new regulations mean and devise a plan that ensures we meet the GDPR data protection requirements.


A top line summary of the GDPR regulations

GDPR is likely to affect many Australian businesses. In fact, it probably won’t be long until similar regulations are introduced within Australia.

With this in mind, we have compiled (what we believe to be) the top 5 facts you need to wrap your head around before the 25th of May this year:


1. You must process data in a lawful, regulated, transparent and fair manner

As a business, YOU are responsible for collecting, processing and storing all data in compliance with the regulations. It’s a big deal: the penalty for failing to comply with the GDPR is up to €20 million or 4% of your total worldwide annual turnover of the previous financial year, whichever is higher.


2. Data must be collected and used for legitimate purposes

You must have a valid reason for collecting personal information. When collecting data you need to be completely transparent with people and communicate exactly what you plan to do with their data. People must then explicitly agree to this, and if they don’t, their data must not be used for those purposes. And if the purpose for using their data changes, you must get consent before moving forward.


3. You must limit the amount of data you process to what is absolutely necessary for your business

Data should only be retained when absolutely necessary. Data that is no longer needed should be identified and deleted; it must NOT be retained for a rainy day. We recommend setting a task to cleanse your list annually – it’s highly likely that inactive data will be out of date when you come to use it again anyway.


4. Data should be accurate and up to date

Businesses need to ensure that they are processing their data in a way that maintains its accuracy. When data becomes out of date, correct it to ensure accuracy. If this cannot be achieved, then the data should be deleted from your list.


5. You must store data securely

As a business, storing your digital and physical data securely must be your top priority. There is a vast array of protection available, such as firewalls, encryption and antivirus software. Make sure you are implementing these or are partnering with an IT organisation with the expertise and knowledge to do the hard work for you.


What does this mean for my business?

You must be able to demonstrate a lawful way of processing your data


  • Be honest, you must provide a specific and non-ambiguous reason for collecting data and ensure this is communicated to those whose data you are collecting
  • Make sure their data is only used for the purpose that you outline
  • You must be able to prove that they have given you consent
  • If you’d like to use their data for something else or your purpose for using their data changes you must get consent.



  • You can’t add people to a list simply because they downloaded something else, emailed you once or passed on their business card.
  • You can’t export or scrape contact details from your social media followers or groups.
  • You can’t use lead capture forms that have an opt-in checkbox automatically selected or pre-checked.
  • You can’t use bribery to extract people’s information. For example, telling people that they only get to download your tool if they consent is not ok! But you can still ask them if they would like to sign up to your newsletter or email list with a check box.


You must change any of your data collection processes and policies to be in compliance with these laws before the 24th of May

  • Update your website terms and conditions, cookie policy, and privacy policy to include the key information you must communicate when you’re receiving consent.
  • Then update the design of lead captures in your campaigns to include a clear explanation of what the user is signing up for and a checkbox (that is not pre-checked) that explicitly asks for permission to use their data.
  • You can still give your subscribers the opportunity to opt in for other lists (for example if you collected their details from a competition you can ask them if they would like to be added to your blog, newsletter or VIP list!)


You must conduct an audit of your existing data

  • Segment your list for EU, non EU and unidentifiable individuals (if you can’t work out where they are from, it’s better to just assume that they are in the EU!)
  • If the data was not collected in line with the GDPR regulations you will need to obtain explicit consent from those individuals


Haven’t obtained consent before the 24th of May? Delete them

  • If you haven’t received consent prior to the 24th of May then you need to delete each contact from your list.
  • While this might lead to you significantly reducing your list, it is what it is!
  • Keep in mind deleting this data after the 25th of May is also considered ‘processing’. Avoid breaching the GDPR by taking action on or before the 24th May 2018.


Where to from here?

Now more than ever we must put practices in place to make sure that we’re protecting our data and the data of our clients or customers. These laws have huge benefits: as individuals we will enjoy less spam and more privacy.

But as businesses, this legislation change might be a big one for your business and a bitter pill to swallow if you lose a significant amount of your marketing database lists. The best way forward is to devise clever re-engagement campaigns to build up your list the right way.

Feeling overwhelmed? Reach out to our team for more information about how GDPR will affect your marketing tactics going forward.

Disclaimer: This information has been collected and verified to the best of our abilities. Before implementing any major changes to your business and policies we recommend partnering with a qualified legal professional.
