The GDPR and its impact on your Australian small business

Are you sick of all those messages you are getting from every app on your phone, from websites you have visited or in email newsletters that you have signed up to?

Me too!

Why are we getting them? What is this GDPR thing? Should I be paying attention?


The short answer is YES, because on 25 May 2018 the General Data Protection Regulation comes into effect across all EU member states, including the UK. It is designed to protect consumers by giving us more control over our data, and by requiring businesses to be more mindful of what personal data they collect and how they capture, store and use it.

Whilst this is a regulation that is designed for the EU, it will have global ramifications.

The Office of the Australian Information Commissioner (OAIC) states the following:

Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act) (known as APP entities), may need to comply with the GDPR if they:

  • have an establishment in the EU (regardless of whether they process personal data in the EU), or
  • do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.

It is this second point that we, as Australian-based businesses, need to be mindful of.

We have all long bought into the line 'I can sell to the world now that I am online', and for many of you, you are:

  • Selling goods
  • Selling services
  • Selling information, or
  • Providing information for free via your blog or website.

Not sure whether you are getting visitors from Europe? Check your analytics and look at which countries your visitors are coming from.

So whilst at first glance an EU privacy law change might seem to have no effect on you, it actually has a wide impact on all of us. This is why you have been inundated with messages or popups like the one below from just about every app or website you have come across.

I would like to start by saying that I am NOT a legal expert and I urge you to read widely and pay attention in particular to what your email marketing provider is telling you as well as your lawyer.

So what are some terms you need to be paying attention to, and what do they mean for you post-GDPR?

  • Cookies
  • Email marketing lead magnets
  • Retargeting with Facebook
  • Your privacy policy more generally

So what are cookies?

Cookies are small pieces of data that a website asks the browser to store on a user's computer. They hold a modest amount of data specific to a particular client and website, and the browser sends them back with later requests to that site, so they can be read by the web server or by script running in the page. This allows the server to deliver a page tailored to a particular user, or the page's own script to carry information from one visit to the website (or a related site) to the next.

Under the GDPR, if you are targeting EU-based customers, or they are simply browsing your site, you need to be upfront about which cookies you use and what each of them is for.

This needs to be in your privacy statement, website disclaimer or terms and conditions of use. You may also need a cookie consent box, and non-essential cookies (analytics, advertising) should only be set once the visitor has agreed to them.
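What "only set once the visitor has agreed" looks like on the server side, as an added example that is not from the original post and not from any of the tools mentioned here: a consent cookie records the purposes the visitor ticked, and every non-essential cookie or tag is checked against it before it is emitted. The cookie names, the consent value format and the purpose labels are assumptions for illustration.

```javascript
// Added example (not from the original post): gate non-essential cookies on a
// recorded consent choice. Cookie names, the consent value format and the
// purpose labels below are assumptions.

const CONSENT_COOKIE = 'cookie_consent';
// Strictly necessary cookies may be set without consent.
const ESSENTIAL = new Set(['session_id', CONSENT_COOKIE]);
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // re-ask after 180 days

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const out = {};
  if (typeof header !== 'string') return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const raw = part.slice(idx + 1).trim();
    if (!name) continue;
    // A malformed percent-encoding must not take the whole request down.
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Consent value format (assumed): comma-separated purposes the visitor ticked,
// e.g. "analytics,marketing". No cookie, or an empty value, means no consent.
function consentedPurposes(cookies) {
  const raw = cookies[CONSENT_COOKIE];
  if (!raw) return new Set();
  return new Set(raw.split(',').map((s) => s.trim()).filter(Boolean));
}

// May this cookie be set for this visitor? Essential cookies always; anything
// else only if the visitor consented to the purpose it serves.
function mayUseCookie(cookieHeader, name, purpose) {
  if (ESSENTIAL.has(name)) return true;
  return consentedPurposes(parseCookieHeader(cookieHeader)).has(purpose);
}

// Same decision for a third-party script (an analytics or ad tag): only
// emit it into the page when its purpose has been consented to.
function shouldLoadScript(cookieHeader, purpose) {
  return consentedPurposes(parseCookieHeader(cookieHeader)).has(purpose);
}

// Set-Cookie value recording the visitor's choice. Not HttpOnly, because the
// consent banner script reads it; Secure and SameSite=Lax are still worth having.
function consentSetCookie(purposes) {
  const value = encodeURIComponent(purposes.join(','));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}
```

The important property is the default: with no consent cookie at all, `mayUseCookie` and `shouldLoadScript` answer "no" for everything except the essential set, so a visitor who ignores the banner gets no analytics or advertising cookies rather than all of them.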

If you are using WordPress, there are plugins available, and Squarespace has an easy-to-enable message, but for my money Insite does this well. It is a nice tool: free, customisable (it can even be in your brand colours) and easy to create and then embed into your site.

Check out

This is a simple video that helps outline this

Lead Magnets for List Building

A lead magnet is something you offer people in return for an email address. Once you have the address, people are normally added to the main email list of whoever provided this amazing thing.

Under the GDPR, providing this amazing thing is not, by itself, enough to drop people onto your email list. You need to ask people specifically whether they want to join your list; providing your amazing free thing is an end in itself and not an opt-in trigger.

How will this work in practice?

You need to clearly indicate, via a checkbox, that by ticking it the person is agreeing to be added to the website provider's list. It can't be assumed: it needs to be a selection they actively make, and the box cannot be ticked by default. It needs to be very clear that they are also going onto a list. The key difference with this approach is that you can't make receiving the thing conditional on joining your list.


Welcome to the club!

Essentially you just need to make sure that people signing up to get your free thing are given the option to opt into your list. This may be on the original form, on the thank-you page, or within an email sequence that you send (i.e. it could just be a link they click in that sequence).
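How the form handler on the receiving end should treat that checkbox, as an added example that is not from the original post: the freebie goes to any usable address, the list subscription happens only when the box was actively ticked, and every opt-in produces a consent record (the wording shown, the form, the page and the time) that you can produce later if asked. The field names, the consent record layout and the sample context are assumptions.

```javascript
// Added example, not from the original post: server-side handling of a
// lead-magnet form with a separate, unticked newsletter checkbox. Field names
// (email, newsletter_optin), the record layout and SAMPLE_CTX are assumptions.

// Browsers omit an unticked checkbox from the submission entirely and send
// "on" (or the input's value attribute) when it is ticked. Anything absent or
// unrecognised counts as "no", never as a default yes.
function checkboxTicked(value) {
  if (Array.isArray(value)) value = value[0]; // repeated field name
  if (typeof value !== 'string') return false;
  return ['on', 'yes', 'true', '1'].includes(value.trim().toLowerCase());
}

function isPlausibleEmail(email) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
}

// Decide what to do with one submission. The lead magnet is delivered to any
// usable address; the list subscription happens only on an explicit opt-in,
// and an opt-in produces a consent record (what the person was shown, when,
// and where) that can be produced later.
function handleLeadMagnetSubmission(fields, ctx) {
  const email = typeof fields.email === 'string' ? fields.email.trim().toLowerCase() : '';
  if (!isPlausibleEmail(email)) {
    return { ok: false, reason: 'invalid_email' };
  }
  const optedIn = checkboxTicked(fields.newsletter_optin);
  return {
    ok: true,
    email,
    deliverLeadMagnet: true,        // never conditional on the list opt-in
    subscribeToList: optedIn,
    consentRecord: optedIn
      ? {
          email,
          purpose: 'newsletter',
          consentText: ctx.consentText, // the exact wording beside the box
          formId: ctx.formId,
          sourceUrl: ctx.sourceUrl,
          timestamp: ctx.now.toISOString(),
          method: 'unticked_checkbox',
        }
      : null,
  };
}

// Constructed sample context for a run, not real data.
const SAMPLE_CTX = {
  consentText: 'Yes, also send me the weekly newsletter. You can unsubscribe at any time.',
  formId: 'lead-magnet-ebook',
  sourceUrl: 'https://example.com/free-ebook',
  now: new Date('2018-05-25T10:00:00Z'),
};
```

Keeping the consent text in the record matters as much as the timestamp: if you later reword the checkbox, the record still shows what each person actually agreed to.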

Remarketing (Facebook, Google, anywhere online)

Now this is an area that I have found very grey in my reading of the GDPR.

This area will be closely aligned to the wording in your privacy policy, cookie consent statement or terms of service. Under this legislation people have the right to know that you may target them. And even though this is only for EU residents, the interwebs are global, so we can't just silo our content away from anyone browsing our site.

So let's think about how this might work. The area we need to be mindful of is custom audiences, i.e. lists that we have uploaded from our email lists. We are the data controller and Facebook is the data processor.

We need to let people know, when they sign up to our list, that they may be targeted with future marketing. A reasonable request.

Facebook is also rumoured to be introducing an additional step to the process of creating custom audiences, where we will need to confirm that we have obtained consent from the people on our list and so are entitled to use it. Whilst this is only mandatory for EU citizens, I am not about to work out specifically who on my list is an EU citizen, as the list is very small. But as good practice, I am going to apply this to ALL that I personally do, and in my Facebook and Instagram advertising teaching programs and client work.

To me it makes more sense to apply this rule across the board than to apply it only to the roughly 5% of my list it strictly covers.

Your Privacy Policy

This will be the big issue in the digital space over the coming years. This legislative change in Europe is the latest in a long line of governments catching up with reality.

Governments have been behind the market in terms of what the large tech and data companies have been doing for quite some time:

  • Google
  • Facebook
  • Mastercard
  • Visa
  • Apple

In the era of big data, we all have a responsibility to be mindful of:

  • How we store it
  • How we capture it
  • What we do with it

It may be that you have not looked at your website's privacy policy since you first had one. Even if you have had several websites in the last 10 years, I would imagine the privacy policy was not looked at as part of your content review.

Now is a perfect time for you to do that.

Review your policy and see if it is reflective of this new reality.

Unsure what you need to do?

Then check out this website to gain access to a correctly formatted and compliant privacy statement. Just follow the prompts!

NB.  This is an affiliate link, but it is what I am using!

Alternatively, these are also good resources:

To understand how all this fits together - visit this website

And this is a great article that outlines why you need to be paying attention.

Like all things in business - if you don’t know ask an expert.

In this instance, that would be a lawyer.