The Dreaded General Data Protection Regulation (GDPR)…
This topic is way too important for me to stay silent, and there is so much confusion regarding what GDPR is, who it affects, and what needs to be done.
If you have an email list, a website, or sell things online, the GDPR will probably apply to you – even if you’re not in the EU!
And, they don’t care if you’re a small fry or a big guy; the repercussions of noncompliance are no laughing matter. We’re talking about 4% of your annual revenue or €20m, whichever is more.
So, I’m making sure that you understand what’s coming on May 25th when GDPR goes into effect.
First things first – I’m not a lawyer. I don’t even play one on TV. 😉 Make sure that you discuss your unique situation with a qualified attorney. I’ve done a lot of research, but ultimately, I’m about as qualified as my cats are to give legal counsel.
Okay, now that we’ve covered that necessity, let’s look at the basics.
What is GDPR?
GDPR stands for “General Data Protection Regulation”. It’s a new law from the European Union (EU) intended to protect the privacy rights of users. It gives users the right to know what data is collected and how it is used, to see what data you have about them, and to remove their data from your systems at will.
Many sites now have a notification letting you know they use cookies, right? GDPR is an enormous upgrade of the regulation which brought that on.
Who does GDPR affect?
AKA, “But I’m not in the EU…” or “Does GDPR apply to me?”
Anyone, worldwide, who processes personal data from an EU citizen by monitoring their behavior or offering products/services. Yes, even free products and services.
Even if you’re not targeting EU citizens and did not intend to process EU citizen information, if you process personal data from an EU citizen, the law probably applies to you.
In our online world, that means almost everyone is on the hook. (At least you’re in good company, right?)
What about a disclaimer stating I don’t currently work with EU citizens?
Unfortunately, this is still being debated. The GDPR is a broad and deep set of regulations, and not every contingency is yet covered. Your best bet is to get compliant, just in case.
When does GDPR go into effect?
May 25th, 2018.
What activities are affected by GDPR?
Any activity where personal data is processed. For those of us with an online business, that translates roughly to all the things.
What’s personal data?
- Name
- Phone
- Address
- IP Address
- Other information collected by tools such as Google Analytics and Facebook Pixels
- Information added to your contact database, such as tags or segmentation based on activity
- Any other information which allows you to identify an individual
What counts as processing?
Every action from the moment of collecting the data to deleting it.
Hypothetical: Say Amy signs up for your free email opt-in PDF. Here are the “processing” steps:
- Personal data is collected by your CRM or email marketing software (name, email)
- Behavioral data is added (Amy gets tagged/segmented with your PDF’s name)
- Activity data is collected (You sent an email and the system notes she opened it)
- Personal data is permanently deleted (Amy decides you’re not her style and opts out)
What does GDPR require of me?
- You must be clear and explicit about what data you’re collecting
- You must have a legitimate reason to collect the data
- You must explain how you are going to use that data
- You may only collect the minimum amount of data required for the purpose
- You may only use the data for the purpose it was originally intended
- You must keep the data accurate
- You must not keep data you no longer need
- You must process the data in a secure, protected way
- You must announce any data breach within 72 hours of discovery to those whose data you have processed
In summary, you have to keep what data you collect to a minimum and keep it safe while being transparent about how it will be used.
A bit about opt-ins…
You can no longer add someone who requests your freebie or webinar to your general email list.
You must receive “freely given, specific, and unambiguous” consent by a subscriber to join your email marketing list.
You cannot require someone to subscribe to your email list in order to receive your freebie. Also, you may not pre-check a consent question in a form.
This regulation is retroactive, meaning it applies to your existing subscribers.
If you can’t prove freely given, specific, and unambiguous consent from your EU subscribers, then you may not email them after May 24th.
For now, you can still send emails to those not in the EU the same way you always have.
Can I send a follow-up email sequence?
Maybe. This is another area where the law isn’t clear, but if you’re sending valuable content that is related to the freebie and you’re contacting them securely, then you’re probably okay. If you decide to toe this line, keep it to a very small sequence and make sure they can easily opt out.
I need to get GDPR compliant. What do I do?
There isn’t a short, easy answer to this one. That said, there are a few things you probably need to do.
- Get consent from your EU subscribers
- Update your freebie and webinar opt-ins
- Review the tools/services you’re using to ensure they’re all “necessary” and that they are compliant by May 25th
- Update your website privacy policy (you do have one, right?)
- Review the GDPR rules with your team members
- Consult a lawyer who is familiar with the GDPR
Overwhelmed?
I’m offering a few GDPR intensive sessions
This one-on-one, 2-hour session is designed to review your existing systems to ensure they align with best practices for meeting the new GDPR law. We will comb your systems and funnels to devise a strategy for compliance.
The intensive will be recorded so you can review it again later (don’t try to take it all in at once) or share with your team so they know what the plan is and why.
After, you’ll also receive a personalized checklist listing what you need to implement and the tasks required.
Optionally, you can upgrade for a personalized Trello board with all of your checklist items, additional details/notes, a copy of your intensive recording pre-uploaded, relevant links based on your session, and due dates. (This is in addition to your printable checklist, not replacing it!)