UPDATED: What does Brexit mean for GDPR compliance? Read this to find out.
By now, you’ve most likely heard about the European Union’s General Data Protection Regulation (GDPR). The GDPR, similar to the CCPA (California’s Privacy Protection Act), is a law on data protection and privacy in the European Union (EU) and the European Economic Area.
Your first thought may be, “This doesn’t apply to me, I’m not in the EU.” No so fast. That’s the reason for this post. It matters to everyone, whether you are EU-based or not.
But, before we go any further, we need to tell you this:
*We are not legal experts. It’s up to you to find the best solutions for your business, get assistance from a qualified professional, and ensure compliance within your business and website is met correctly.
GDPR Compliance – The Basics
- The GDPR went into effect May 25, 2018. This means your company should have been compliant by that date.
- It will be enforced. This regulation was put into effect to protect every individual’s personal and private information, and it’s going to be taken very seriously. You don’t want to procrastinate or hope for the best when it comes to getting your business and website compliant.
- The biggie that affects most businesses online? The part of the regulation that has to do with email list opt-in forms on your website, Facebook or other social media platforms that allow you to embed or link to a sign-up form. Gone are the days of site on data protection and privacy in the European Union (EU) and the European Economic Area simply exchanging their email addresses for your free gift (i.e. an ebook or coupon). If you plan to add people to your email marketing list through an opt-in form on your website or have another embedded or linked form on your site where you collect personal information (name, email, etc.), you’ll need to comply with the GDPR.
- The GDPR covers more than just your website and your email list. This regulation covers how you handle and store people’s information, if the services you use are GDPR compliant, and more.
- You must reach out (before May 25, 2018) to anyone currently on your email list who is located in the EU (meaning, he/she was geolocated by your email marketing service as opting-in while in the EU) and ask him/her if they want to continue to be on your list. There must be explicit consent given.
- On May 24, 2018, you must delete any EU subscribers who have not given consent to stay on your list.
- You can only send the type of email your EU subscriber has agreed to receive (i.e. discounts and coupons, how-to posts, etc.). Nothing else.
- You must honor any requests to be removed from your list, to edit their information, and other requests as stated in the GDPR.
- The GDPR regulation is to protect website visitors located within the EU. This means EU residents; your sister on vacation in Paris, but lives in New Mexico; possibly even EU residents who are visiting Florida; etc.
- Be aware that everyone (including companies located within the U.S.) is required to comply, because you may have people who live (or just happen to be in the EU) who visit your website, comment on a post, etc. You may be thinking, “I don’t have clients outside of the U.S., why do I need to worry about this?” You can’t control who visits your website (not without some advanced knowledge of how to do so, IF you really want to do this). So, you (just like all other businesses) are required to comply. Remember, just by the simple act of visiting your website, you are collecting information (think Google Analytics, Facebook Pixel, IP addresses, etc.).
- Companies located within the EU, even if all their clients are U.S.-based (as an example) must also comply. The GDPR was set up to protect all information going in and out of the EU.
Where to Start
We know…it’s a lot and can sound pretty overwhelming. We were overwhelmed, too. Good news is, you don’t have to lose sleep over getting your website and/or business compliant. Yes, it’s important, but if you are actively working on getting your GDPR ducks in a row and don’t just blow this off, you should be ok.
The basics that most businesses will probably need to update on their websites are:
- Providing a way (at the point where you collect an email address for your opt-in) for your online visitors to choose to be added to your list or not (and more).
Take it in baby steps as we did so it’s not so scary:
- Make a list of all of the ways you are tracking, collecting, processing, or storing data (i.e. your data processors: Google Analytics, PayPal, your excel spreadsheet, your project management software – everything). You need to know who the processors are and verify if they are also compliant.
- Update your policies (privacy, cookie, and possibly your terms).
- Sort out your EU subscribers.
- Add a Cookie banner the people can see and accept, link to your Cookie and/or Privacy policies.
- Email your EU subscribers for re-consent and to find out what type of emails they want to receive from you (i.e. sales info, info about new services, your reading list, etc.). Then, only send them those types of emails. Remove them from your list if they asked to be removed.
- Review the information in the links below for more possible steps.
During our quest to understand more about this regulation, we came across a lot of great resources. In the list below, you’ll find people who can (1) give you ALL of the details, (2) provide even more information about things covered (and not covered) in this post, and (3) help you get it all done.
What & Why (Details by the Experts):
- The GDPR Official Website
- Suzanne Dibble, Small Business Law Expert: The GDPR & Marketing Webinar and GDPR for Online Entrepreneurs Facebook Group
- Bobby Klinck, Law Firm for Entrepreneurs: How to comply with the GDPR
- Amy Porterfield: GDPR for entrepreneurs: What you need to know webinar (Featuring Bobby Klinck)
- iubenda: What is the GDPR and how it will affect your business?
- ThriveThemes: The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant
- RudeGoose: GDPR for Very Simple Websites (and other helpful posts)
Get Help with Compliance:
- TermsFeed: Generate your Privacy, Cookie, Terms, and other policies. NOTE: They do have a free version, but you’ll likely need to add conditions that include additional fees. This is our top choice for policy generators as they offer very reasonable fees and an easy wizard/generator to walk you through everything.
- GDPR Cookie Compliance Plugin: Generate your cookie banner and get more information about cookies and compliance. NOTE: They offer a free version, but the paid version is (we think) the smarter choice.
- Suzanne Dibble’s Small Business Legal Academy: GDPR Compliance Pack (all forms, email language, and more) and free GDPR Checklist for Online Businesses
- Kinsta: The Lowdown on GDPR Compliance for WordPress Users
- Disclaimer Template’s “The Big 3”
- MailChimp Knowledge Base: General Data Protection Regulation FAQs
- MailChimp Knowledge Base: Collect Consent with GDPR Forms
Once you get your policies squared away, we can help implement them on your website. Check out our GDPR Website Compliance Starter Package for details.
Remember, our list of “things to do” is not inclusive of every possible business, website and/or scenario. You may need to do more to become compliant with the GDPR. In fact, the regulations set within the GPDR may change as (1) the regulation gets updated, (2) services you use may become non-compliant, (3) your record-keeping process changes, and (4) you experience changes within your business. Consult a legal professional to help you sort it all out.
A BIG thank you to the amazing resources mentioned above for helping us all understand this a little better.
If you have other great resources, please share below. Or, tell us about your experience with getting your own business complaint.
We’d love to hear from you!