There is SO MUCH information floating around about the GDPR as the deadline is looming, so we asked our friends at Tactic Lab to summarise it into a something that we all can understand. Digital analytics expert, Aisling Wallace says these are the 10 things you need to know about GDPR for now:

1. You may have heard about the European Union’s General Data Protection Regulation (GDPR) policy changes in the news and perhaps in emails from your digital marketing tools and service providers. These changes take effect on May 25, 2018.

2. This relates to website traffic from the EU. They were the first to implement stricter policies around website tracking which you might have come across on the web over the last couple of years with pop-up boxes about tracking and cookies. 

3. The EU is now introducing even stricter policies, with heavy fines that can be issued to any website that is receiving visits from the EU, regardless of if it belongs to an EU country or not. I.e. Australian websites are still likely to have obligations to any EU users who visit that website.

4. The new policy is complex, but one of the main takeaways is that simply advising EU website visitors that you use tracking/cookies is no longer sufficient, but instead would require an explicit 'opt-in'.

5. Similarly, personal information collected for one purpose cannot be used for another purpose without an explicit 'opt-in'. For example when signing up to your website, a user cannot be opted into a mailing list unless they (say) tick a consent box. FYI - this courtesy to your customers is already best-practice in Australia.

6. At the moment, we are missing a single source of truth on what our obligations are and what types of tracking are included.

7. There are many sources of information on the web, but they are still contradicting each other and it may take a long time until all authorities on the topic are on the same page.

8. Here is a list of common digital marketing tools that are likely to be collecting data that relates to these policies:

1. Google Analytics - first party cookie
2. Google Analytics - third party DoubleClick cookie for demographics reports & remarketing
3. Google AdWords - conversion tracking
4. Google AdWords - remarketing
5. Facebook pixel
6. LinkedIn Insights
7. Twitter pixel
8. Hubspot tracking
9. Mailchimp and other integrated list building and CRM tools - since automatic signup to a mailing list without explicit consent is now allowed
10. Optimizely and other A/B testing tools

9. If you receive website traffic from the EU and use any of these tools, we recommend seeking legal and web dev advice on how to best find a balance of meeting your obligations, without compromising the user experience and conversion rates of your website. For example, the following reactions would do considerable business damage:

1. Shutting down all the tools that use tracking would be the worst reaction, as you will lose out on valuable marketing reach and insights.
2. Presenting an opt-in pop-up for all visitors (if most of your customers are outside the EU this is likely to affect your conversion rates).

10. It is possible (with some setup) to present your EU customers with an 'opt in' pop-up box that doesn't show to all your other website visitors. This could be a good way to isolate and manage your EU obligations, but we recommend you contact your legal and web dev teams to work out the best strategy for your business.

Disclaimer: This blog is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand GDPR. This legal information is not the same as legal advice, where a legal professional applies the law to your specific circumstances, so we insist that you consult a legal professional if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.