GDPR Basics + Resources
By now, you’ve most likely heard about the European Union’s General Data Protection Regulation (GDPR). The GDPR, similar to the CCPA (California’s Privacy Protection Act), is a law on data protection and privacy.
Your first thought may be, “This doesn’t apply to me, I’m not in the EU.” Not so fast. That’s the reason for this post. It matters to everyone, whether you are EU-based or not.
But, before we go any further, we need to tell you this:
*We are not legal experts. It’s up to you to find the best solutions for your business, get assistance from a qualified professional, and make sure your business and website are actually compliant.
GDPR Compliance – The Basics
- This regulation was put into effect to protect every individual’s personal and private information, and it’s going to be taken very seriously (it will be enforced). You don’t want to procrastinate or hope for the best when it comes to getting your business and website compliant.
- The biggie that affects most businesses online? The part of the regulation that has to do with forms on your website, Facebook, or other platforms. If you plan to add people to your email marketing list through an opt-in form on your website or any other platform where you collect personal information (name, email, etc.), you’ll need to comply with the GDPR.
- The GDPR covers more than just your website and your email list. This regulation covers how you handle and store people’s information, if the services you use are GDPR compliant, and more.
- You need to reach out (this should have been done before May 25, 2018) to anyone currently on your email list who is located in the EU (meaning, he/she was geolocated by your email marketing service as opting in while in the EU) and ask him/her whether they want to continue to be on your list. There must be explicit consent given. This doesn’t only mean people who live in the EU; it means anyone who happened to be in the EU (think pre-2020, when people traveled) at the time they visited your site.
- You should have, on May 24, 2018, deleted any EU subscribers who have not given consent to stay on your list.
- You can only send the type of email your EU subscriber has agreed to receive (i.e. discounts and coupons, how-to posts, etc.). Nothing else.
- You must honor any requests to be removed from your list, to edit (or delete) their information, and other requests as stated in the GDPR.
- The GDPR regulation is there to protect website visitors located within the EU. This means EU residents; your sister who lives in New Mexico but is on vacation in Paris; possibly even EU residents who are visiting Florida; etc.
- Be aware that everyone (including companies located within the U.S.) is required to comply, because you may have people who live (or just happen to be in the EU) who visit your website, comment on a post, etc. You may be thinking, “I don’t have clients outside of the U.S., why do I need to worry about this?” You can’t control who visits your website (not without some advanced knowledge of how to do so, IF you really want to do this). So, you (just like all other businesses) are required to comply. Remember, just by the simple act of visiting your website, you are collecting information (think Google Analytics, Facebook Pixel, IP addresses, etc.).
- Companies located within the EU, even if all their clients are U.S.-based (as an example), must also comply. The GDPR was set up to protect all information going in and out of the EU, and they clearly state that everyone should comply (EU-located or not).
Where to Start
We know…it’s a lot and can sound pretty overwhelming. We were overwhelmed, too. Good news is, you don’t have to lose sleep over getting your website and/or business compliant. Yes, it’s important, but if you are actively working on getting your GDPR ducks in a row and don’t just blow this off, you should be ok. It’s important to note, each individual can weigh the risks (working on compliance or not) on their own. We are only the messengers and are here to help and provide information.
The basics that most businesses will probably need to update on their websites are:
- Updating your privacy policy to be GDPR compliant.
- Updating or adding a cookie policy (with some type of banner/pop-up notification).
- Providing a link to your privacy policy wherever you collect any type of information. This means every opt-in area, every form (i.e. a contact form), your shop, shop checkout, and any other place you may collect information of some sort.
- Providing a way (at the point where you collect an email address for your opt-in) for your online visitors to choose whether or not to be added to your list (and more). We know this one may leave you scratching your head. It means that if you offer some sort of freebie, you must have a separate checkbox asking people whether they also want to be added to your list (in case they only want the freebie and don’t want to be on your list).
Take it in baby steps as we did so it’s not so scary:
- Make a list of all of the ways you are tracking, collecting, processing, or storing data (i.e. your data processors: Google Analytics, PayPal, your excel spreadsheet, your project management software – everything). You need to know who the processors are and verify if they are also compliant.
- Update your policies (privacy, cookie, and possibly your terms).
- Sort out your EU subscribers.
- Update your website and opt-in process. Add a blurb below each of your forms linking to your Privacy Policy that people can easily find and access.
- Add a cookie banner that people can see and accept, and link it to your Cookie and/or Privacy policies.
- Email your EU subscribers for re-consent and to find out what type of emails they want to receive from you (i.e. sales info, info about new services, your reading list, etc.). Then, only send them those types of emails. Remove them from your list if they asked to be removed.
- Review the information in the links below for more possible steps.
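To make the opt-in and re-consent steps above concrete, here is an added example (not code from the original post or from any of the tools it links) of a small consent ledger. It models a freebie form with a separate, explicit mailing-list checkbox, stores consent per email type so you only send what a subscriber agreed to, and honours withdrawal and deletion requests. The purpose names, form field names and sample submissions are all constructed for illustration.

```python
"""Minimal consent ledger (added example, not from the original post).

Assumptions (constructed for this example):
  - the form posts `email`, `list_opt_in` (only present when the visitor
    ticked the box), `purposes` (email types ticked) and `source`;
  - the checkbox is rendered unchecked; the server cannot tell a
    pre-checked box from a deliberate tick, so that must be fixed in the
    form template, not here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Email types a subscriber can separately agree to receive.
PURPOSES = {"discounts", "how_to_posts", "new_services"}


class ConsentError(ValueError):
    """Raised when a submission does not carry usable consent."""


@dataclass
class ConsentRecord:
    email: str
    purposes: set          # email types explicitly agreed to
    granted_at: datetime   # when consent was given (UTC)
    source: str            # which form / page collected it


class ConsentLedger:
    def __init__(self):
        self._records = {}  # email -> ConsentRecord

    def record_opt_in(self, form):
        """Process one form submission (dict of field -> value).

        Returns a ConsentRecord when the visitor explicitly opted in,
        or None when they only wanted the freebie. Silence is never
        treated as consent.
        """
        email = str(form.get("email", "")).strip().lower()
        if not email or "@" not in email:
            raise ConsentError("a valid email address is required")
        if form.get("list_opt_in") != "yes":
            return None  # freebie only: store no marketing consent
        purposes = set(form.get("purposes", [])) & PURPOSES
        if not purposes:
            raise ConsentError("opt-in ticked but no email type selected")
        record = ConsentRecord(
            email=email,
            purposes=purposes,
            granted_at=datetime.now(timezone.utc),
            source=str(form.get("source", "unknown")),
        )
        self._records[email] = record
        return record

    def recipients_for(self, purpose):
        """Addresses that agreed to this email type, and nothing else."""
        if purpose not in PURPOSES:
            raise ConsentError(f"unknown email type: {purpose}")
        return sorted(
            email for email, rec in self._records.items()
            if purpose in rec.purposes
        )

    def withdraw(self, email, purpose=None):
        """Honour an unsubscribe: one email type, or all of them."""
        email = email.strip().lower()
        rec = self._records.get(email)
        if rec is None:
            return False
        if purpose is None:
            del self._records[email]
            return True
        rec.purposes.discard(purpose)
        if not rec.purposes:
            del self._records[email]
        return True

    def erase(self, email):
        """Honour a deletion request by dropping the record entirely.

        In practice the same request must also reach every processor
        (email service, CRM, spreadsheets) that holds a copy.
        """
        return self._records.pop(email.strip().lower(), None) is not None

    def export(self, email):
        """Support an access request: return what is held for an address."""
        rec = self._records.get(email.strip().lower())
        if rec is None:
            return None
        return {
            "email": rec.email,
            "purposes": sorted(rec.purposes),
            "granted_at": rec.granted_at.isoformat(),
            "source": rec.source,
        }
```

A campaign sender would call `recipients_for("discounts")` rather than iterating the whole list, so an address that only agreed to how-to posts can never end up on a coupon mailing by accident.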
GDPR Resources:
During our quest to understand more about this regulation, we came across a lot of great resources. In the list below, you’ll find people who can (1) give you ALL of the details, (2) provide even more information about things covered (and not covered) in this post, and (3) help you get it all done.
What & Why (Details by the Experts):
- The GDPR Official Website. They have a GDPR checklist (though it’s helpful to have someone like Suzanne Dibble, next below, explain it in layman’s terms).
- Suzanne Dibble, Small Business Law Expert: The GDPR & Marketing Webinar and GDPR for Online Entrepreneurs Facebook Group
- Amy Porterfield: GDPR for entrepreneurs: What you need to know webinar (Featuring Bobby Klinck)
- iubenda: What is the GDPR and how will it affect your business? Plus, see their GDPR Cookie Consent Cheatsheet, which contains the most recent guidelines from the EU, including specifics for various countries.
Get Help with Compliance (tools and info):
- TermsFeed: Generate your Privacy, Cookie, Terms, and other policies. NOTE: They do have a free version, but you’ll likely need to add conditions that include additional fees. This is our top choice for policy generators as they offer very reasonable fees and an easy wizard/generator to walk you through everything.
- Termageddon: Generate your Privacy, Cookie, Terms, and other policies.
- GDPR Cookie Compliance Plugin: Generate your cookie banner and get more information about cookies and compliance. NOTE: They offer a free version, but the paid version is (we think) the smarter choice.
- Complianz Plugin: Generate your Privacy and Cookie Policies + create your cookie notification banner for your website (Premium version). NOTE: The free version is only the cookie policy and banner.
- iubenda: Generate your Privacy and Cookie Policies + create your cookie notification banner for your website (Pro version). NOTE: There are limitations with the free version of iubenda (a limited number of items you are able to add, no cookie policy/banner, no styling options, no way to embed your policy on a page (only a button in your footer or other areas), etc.). Note: Link includes a discount.
- Your Online Genius: Website Legal Forms Pack (Terms, Privacy Policy, Disclaimer)
- Suzanne Dibble’s Small Business Legal Academy: GDPR Compliance Pack (all forms, email language, and more) and free GDPR Checklist for Online Businesses
- Autumn Witt Boyd, PLLC: How Your U.S. Website Needs to Change for GDPR (plus get a GDPR compliant privacy policy and download a compliance checklist)
- Kinsta: The Lowdown on GDPR Compliance for WordPress Users
- Cookiebot: Test your website URL to see if your use of cookies is compliant
- MailChimp Knowledge Base: General Data Protection Regulation FAQs
- MailChimp Knowledge Base: Collect Consent with GDPR Forms
- Aparavi Data Intelligence & Automation: Tackle compliance and get help with automation.
Once you get your policies squared away, we can help implement them on your website. Check out our GDPR Website Compliance Starter Package for details.
Remember, our list of “things to do” does not cover every possible business, website and/or scenario and is not meant to make you fully compliant with the GDPR. In fact, what the GDPR requires of you may change as (1) the regulation is updated, (2) services you use become non-compliant, (3) your record-keeping process changes, and (4) you experience changes within your business. We suggest you consult a legal professional (who is savvy in GDPR) to help you sort it all out.
A BIG thank you to the amazing resources mentioned above for helping us all understand this a little better.
If you have other great resources, please share below. Or, tell us about your experience with getting your own business compliant.
We’d love to hear from you!
Thank you! This is a really helpful and easy-to-understand post on a very complicated topic.
Thank you, Radhika! We’re so glad it was helpful! This topic is NOT fun! 🙂