13 Nov 2019

Consumer Trust And Data Protection Legislation.

Data is a bottomless pit of value for organisations, and especially for marketing. It creates the ability to develop deep insights into consumer behaviour, individualise communication and experiences, and extract very granular performance measurements. It makes us more effective!

The all-seeing eye

However, the scope of our ability to collect data means organisations can know a significant amount of sensitive information about customers. Some companies can objectively know more about a customer than the customer knows about themselves. A company can objectively look at a series of interactions and behaviours in aggregate, where an individual may only have the perspective of now. There is a risk of being too intelligent, a big brother figure. Alternatively, there is the potential that this information is compromised and falls into the wrong hands. In a world where data is so easily collected and shared, consumers increasingly need to feel confident that their private data is kept private. Left unmanaged, if the collective use of customer data overreaches into seeming prescience, we could find that consumers will react and either:

  1. Choose to no longer share data, or

  2. Push to get the government to intervene in business practices

To that end, legislation has been developed that maps out the extent to which data should be managed by companies.


If you are a marketer, it’s almost certain that you would have heard about GDPR. GDPR is a piece of legislation that affects all data for citizens in the EU sphere. There are 7 core principles (or 6 plus 1) for GDPR. They cover: 

  • Lawfulness, fairness, and transparency: Focus on genuinely informing customers about data management and allowing consumer control of data. No fine print!

  • Purpose limitations: Personal data can only be used for specified, explicit, and legitimate purposes. And consent must be received first.

  • Data minimization: Don’t collect data that you don’t need and that is not essential to the business function.

  • Accuracy: All necessary steps must be taken to make sure data is kept up to date.

  • Storage limitation: Eliminate data that is no longer used or needed.

  • Integrity and confidentiality: Consumer data must be protected, and steps taken to enable data integrity (through encryption) even if lost.

  • Accountability and compliance: You need to prove you are compliant.

For Australian companies, this impacts companies of any size if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU [Source]. This means that if you export products to the EU (like shipping a t-shirt to a random customer in Belgium), you are considered to need to align yourself with GDPR. The Australian Government further recommends GDPR adoption for:

  • Any Australian business with an office in the EU

  • Any Australian business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in euros

  • Any Australian business whose website mentions customers or users in the EU

  • Any Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes

Will Australia get a GDPR equivalent?

The EU definitely has the most progressive legislation when it comes to consumer privacy. The Australian legislation isn’t as simply defined; it spans the Privacy Act of 1988 (Privacy Act), Privacy Regulation 2013 and finally the Privacy Amendment (Notifiable Data Breaches) Act 2017. While slightly more disparate, the Australian legislation is moving in a similar direction to the GDPR rules. Recently, however, a great focus has been placed on data security in Australia after a raft of large data breaches. Ultimately, this is a measure to reinforce consumers' confidence that their data will be protected. The key question is whether the legislation advances to include elements in the GDPR legislation which are not in the Australian legislation. This includes:

  • The right to be ‘forgotten’ in Australia.

  • Explicit and clear acknowledgement of data handling practice

But why is Trust important?

If consumer confidence in our private organisation's ability to manage content is eroded, we will lose the freedom to use data in the way that helps us get the best results. Treating customer data respectfully and with care ensures that additional requirements and business practices are not imposed upon business. Self-regulation is always preferable to imposed legislation.

Tell us what you think! If you would like to talk to us about this article, drop us a line at greg@lamb.com.au.

Greg is the Managing Director of Lamb Agency, a digital agency focused on creating industry-leading websites.
