Hello and welcome to Social Media Nibbles, I’m your host Paula O’Sullivan, social media strategist and head possum at Possum Digital. Today in our very first episode we’re going to have a look at what marketers need to know for when GDPR rolls out on May 25 and how this may impact us here in Australia.

Now first a very short disclaimer, this podcast is not legal advice for your company to use or rely on in complying with any data privacy laws, like the GDPR or the Spam Act. It purely serves to provide background information to help you better understand these issues. Please contact your lawyer for specific advice.

Now back to the podcast.

Unless you’ve been hiding under a rock you know that Facebook has been the subject of much controversy, especially on the issue of personal privacy. Well this combined with the European General Data Privacy Regulation will see huge changes to the way we collect and use data to market our goods and services to potential customers.

Taking a quick step back, in Australia we currently have the Spam Act and also privacy legislation, which governs certain marketing activities. For example to be able to send commercial or electronic messages, like broadcast email marketing or SMS, you need to gain express consent to collect and use that information. You also need to make sure that you store personal data, like email addresses and phone numbers in a safe and secure way.

If you do not have consent you’re effectively sending spam, and we all know what spam is like. You sign up to an email list, all of a sudden you get bombarded with email marketing and things that you never thought you’d receive from anyone else. If someone has not gained your consent, they can’t send email marketing to you. So just be aware.

So how will GDPR impact what we do as marketers in Australia? At this point I want to highly recommend that you speak to a lawyer, if you want to know if your business will definitely be impacted by GDPR or not. Even if you’re in Australia you can be impacted, so make sure you get advice.

Broadly the key changes are around two central themes, firstly express consent and stronger regulations around that. Secondly data rights.

Let’s work through this issue in a classic marketing funnel.

When someone arrives on a lead capture page or blog page of your website, there will need to be explicit transparency around how their data will be used. This is not just for collecting email addresses but also for third party pixels. If you’re using say a Facebook pixel or a Google pixel to remarket to people that come to your site, then they need to know what you’re actually going to be using that data for.

If you haven’t done it already, this is the point at which you need to review your privacy policy and terms and conditions on your website.

If someone comes along, gives you their information, agrees to the purpose that you’ll use that data, you need to make sure that you’re very clear about what you’re going to be using it for.

So if this person decides to give you their information, only collect the information that is relevant to why you are wanting to have it in the first place. If you don’t need a phone number, so if you’re giving away something for free that you’re going to be sending via email, and you have no reason to phone this person, then think about whether you actually need to collect it or not.

The third piece to this funnel puzzle, data needs to be stored in a secure way, and be updated if requested. If someone rings you up and says, hey I need to change my phone number, my address, my email. You need to update that as per their request, and businesses will be required to keep records to prove that they have consent to hold the information.

Coming back to the reason why data was collected in the first place, you can only use what you’ve collected for the purpose you said to begin with. If you want to use the data for something else you may need to get permission again. So make sure when you’re constructing your privacy policy and your marketing messages that you think about that first.

Which leads to how long you can hold onto the information for, it appears that the answer is only as long as you need. Now I know that sounds really quite vague, so essentially going back to the reason you collected the data in the first place. What did you communicate at the time someone signed up?

If that person signs up to a lead capture page, they then go on an email journey and then don’t open an email or don’t receive communication for six months, 12 months, two years. Is it really worthwhile holding onto that information? That’s something to think about as well.

Lastly, and this is really, really important, if someone wants you to delete their data you’ve got to do it, no questions asked.

The GDPR changes relate to your own website and your own digital architecture. They’re only one piece to the puzzle; the other part relates directly to third party platforms that you use to market your business.

This includes social media.

Doing the rounds of Facebook recently are Facebook’s updated terms of service for their advertising platform.

Let’s look at the key changes here for marketers and businesses.

So Facebook says, “If you are an agency acting on behalf of an advertiser you are responsible for the data that is collected through Facebook or uploaded as custom audiences.” In real language what that actually means is you need to help your clients comply with the new guidelines. If you’re an agency and you manage data and advertising on your clients’ behalf, have a look at whether your contract terms and conditions accommodate for this, and make sure that you educate your clients as to what they need to do to comply.

The next change Facebook says, “You or partners acting on your behalf may not place pixels associated with your business manager or ad account on websites that you do not own without our written permission.”

What this actually means is your pixels that you own through your business manager can only go on your website, or websites that you own. That’s it. So this may have consequences for marketers that use other platforms where they can put a pixel, and it’s hard to understand how this is actually going to impact how those pixels are used and pixel activity.

Now Facebook says, “If you have a pixel on your site you must clearly warn and advise users that you are collecting information.” Essentially what this means is you’ve got to review your privacy policy. There’s a couple of sentences in the Facebook updated terms of service that you can use to pop into your privacy policy. But the other thing that you can think about doing is potentially putting a pop up on each page of your website that talks about, or warns people that you’re going to be collecting data about them, or certain data – that there’s actually a Facebook pixel on the site and this is what it’s going to be used for. Again, it comes back to this explicit transparency around what users can expect when visiting your website.

Facebook says, “People who manage pages with large numbers of followers,” now the numbers of followers here haven’t been determined, “will need to be verified. Those who manage large pages that do not clear the process will no longer be able to post. This will make it harder for people to administer a page using a fake account.”

So what this actually means, no more having two accounts. If you’re a marketer, or if you’re a journalist, or if you’re someone who uses an account for personal reasons and an account for business reasons that won’t happen any longer under this particular change. What’s really unclear is we don’t know how this change is going to be implemented. We don’t know how people are going to be verified, we don’t know what the mechanism is for that. But it seems, and this is actually a really good thing, that Facebook wants to crack down on those fake accounts.

Lastly Facebook says, “You have all necessary rights and permissions and a lawful basis to disclose and use the hash data.” So this would be email data that you own, “In compliance with all applicable laws, regulations and industry guidelines. If you are using a Facebook identifier to create a custom audience you must have obtained the identifier directly from the data subject in compliance with these terms.”

This is all about if you are someone who uses an email list to upload into Facebook to create a custom audience, you are going to have to verify it to Facebook. Again the mechanism by which we’re going to be doing this is really unclear, it hasn’t been defined as far as I can tell. The other component to this, and this is quite interesting, is that Facebook potentially will be asking you or looking at whether your list is compliant in things like if someone has requested to be removed, that you actually remove them.

So this could impact campaigns like reengaging people who have unsubscribed from email. But that’s something that we can discuss when those changes actually take place.

All of these changes are just on one platform, that is just Facebook.

So over the coming weeks I’ll share with you what some of the other large platforms are doing to make sure they are GDPR ready, LinkedIn and Twitter most importantly. But ultimately these changes are about improving data privacy for the many, many billions of people around the globe who use all sorts of websites, apps and other digital experiences in their everyday lives.

Let’s be honest, anything that brings more transparency to online marketing and puts people at the centre of better marketing practice and behaviour in my books is a good thing.

Thank you so much for listening and if you liked what you heard please subscribe to my podcast and share it with your friends.