GDPR :: What South African companies should know?
GDPR (also known as the General Data Protection Regulation) is a new European framework for data protection laws. It gives people greater protection, rights and control over how their data is being used. The new European framework is set to go into effect on May 25th, 2018.
So, what is it? And what action, if any, does a South African business need to take in relation to its digital marketing activity?
What is GDPR in simple terms?
- Companies now have to be more transparent and state what information they’re collecting.
- Information can no longer be hidden in privacy policies. Consumers also have the right to see what information a company holds about them.
- GDPR sets out requirements for how that information is stored and protected and for how long it can be retained.
How does this impact South African companies?
As long as it is clear that a brand's goods or services are only available to consumers in another country outside the European Economic Area (EEA), then GDPR does not apply.
If you conduct business in the EEA and/or hold personal information for customers (even in applications like Google Analytics), then you need to make note of some important requirements.
If you are impacted and are not sure where to start, MOZ recently published a great article that explains more in simple language.
What it means for Google Analytics?
You may have recently seen a notice like the one below, when signing into Google Analytics:
So what is new? Google has introduced data retention settings which allow you to control how long individual user data is saved before being deleted. This has been set to 26 months by default. But if you are a South African business that strictly conducts business in South Africa (or in another country outside the European Economic Area), then you can set it to never expire. The above does not affect aggregated data like page views, just personal information like events and transactional data.
In Google Analytics, you also now have the ability to delete the information of individual users if they request it.
Time to review your Policy?
The introduction of GDPR may not have any impact on your business BUT it does remind brands to review their data collection and usage policies / procedures. Frankly, this is something that any reputable business should do on a regular basis anyway.
The most obvious thing to review would be your company's public-facing Privacy Policy statement. It should provide clarity on what data you have, how you use it, why your business needs it and who has access to it.
For a well-written and informative policy from the EEA (impacted by GDPR), you could start by using this as an example.
Please note :: Algorithm is not a legal company and none of the information above should be taken as legal advice.