Unless you’ve been living under a rock the last month or two, you’ve heard about the European Union’s General Data Protection Regulation (GDPR).
Your first thought may be, “Why should I care, I’m not in the EU?” Well my dear, that’s the reason for this post. It matters to everyone. EU-based or not.
But, before I go any further, I need to tell you this:
*We are not legal experts. It’s up to you to find the best solutions for your business, get assistance from a qualified professional, and ensure compliance within your business and website is met correctly.
GDPR Compliance – The Basics
- This GDPR goes into effect May 25, 2018. This means your company should be compliant by that date.
- It will be enforced. This regulation was put into effect to protect every individual’s personal and private information, and it’s going to be taken very seriously. Do we think they are going to let out the internet guard dogs and you’ll be heavily fined on day one? No. But, you should not procrastinate when it comes to getting your business and website compliant.
The biggie that has most businesses freaking out right now? The part of the regulation that has to do with email list opt-in forms on your website, Facebook or other social media platforms that allow you to embed or link to a sign-up form. Gone are the days of site visitors simply exchanging their email address for your free gift (i.e. an ebook or coupon). If you plan to add people to your email marketing list through an opt-in form on your website or another embedded or linked form, you’ll need to comply with the GDPR. The basics that will probably need to be updated on your website are:
- Providing a way (at the point where you collect an email address for your opt-in) for your online visitors to choose to be added to your list or not (and more).
- It covers more than just your website and your email list. This regulation covers how you handle and store people’s information, if the services you use are GDPR compliant, and more.
- You must reach out (before May 25, 2018) to anyone currently on your email list that is located in the EU (was geolocated by your email marketing service as opting in while in the EU) and ask them if they want to continue to be on your list. There must be explicit consent given.
- On May 24, 2018, you must delete any EU subscribers who have not given consent to stay on your list.
- You can only send the type of email your EU subscriber has agreed to receive (i.e. discounts and coupons, how-to posts, etc.). Nothing else.
- You must honor any requests to be removed from your list, to edit their information, and other requests as stated in the GDPR.
- The GDPR regulation is to protect website visitors located within the EU. This means EU residents, your sister who lives in New Mexico but is on vacation in Paris, possibly even EU residents who are visiting Florida, etc.
- Be aware – everyone (including companies located within the U.S.) is required to comply – because you may have people who live in (or just happen to be in) the EU who visit your website, comment on a post, etc. You may be thinking, “I don’t have clients outside of the U.S., why do I need to worry about this?” You can’t control who visits your website. So, you are required to comply. Just by the simple act of someone visiting your website, you are collecting information (think Google Analytics, Facebook Pixel, IP addresses, etc.).
- Companies located within the EU, even if all their clients are U.S.-based (as an example) must also comply. The GDPR was set up to protect all information going in and out of the EU.
We know…it’s a lot and can sound pretty overwhelming. We were overwhelmed, too. Good news is, you don’t have to lose sleep about getting your website and/or business compliant. Yes, it’s important, but if you are actively working on getting your GDPR ducks in a row and don’t just blow this off, you should be ok.
Take it in baby steps like we did (as far as the email opt-in portion of our website is concerned) so it’s not so scary:
- Make a list of all of the ways you are tracking, collecting, processing, or storing data (i.e. your data processors: Google Analytics, PayPal, your Excel spreadsheet, your project management software – everything). You need to know who the processors are and verify whether they are also compliant.
- Update your policies (privacy, cookie, and possibly your terms).
- Sort out your EU subscribers.
- Update your website and opt-in process.
- Email your EU subscribers for re-consent.
- Review the information in the links below (for more steps).
During our freakout and worry sessions over this new regulation, we came across a lot of great resources. In the list below, you’ll find people who can give you ALL of the details, provide even more information about things covered (and not covered) in this post as well as options to help you get it all done.
What & Why (Details by the Experts):
- GDPR Official Website
- Suzanne Dibble – Small Business Law Expert: The GDPR & Marketing Webinar and GDPR for Online Entrepreneurs Facebook Group
- Bobby Klinck, Law Firm for Entrepreneurs: How to comply with the GDPR
- Amy Porterfield: GDPR for entrepreneurs: What you need to know webinar (Featuring Bobby Klinck)
- iubenda: What is the GDPR and how it will affect your business
- iubenda: The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant
- ThriveThemes: The Smart Way to Make Your Opt-In Forms & Email Marketing GDPR Compliant
- RudeGoose: GDPR for Very Simple Websites (and other helpful posts)
Get Help with Compliance:
- TermsFeed: Generate your Privacy, Cookie, Terms, and other policies. NOTE: They do have a free version, but you’ll likely need more. Very reasonable fees and an easy wizard/generator to walk you through creating them.
- Suzanne Dibble’s Small Business Legal Academy GDPR Pack (all forms, email language, and more) and free GDPR Checklist for Online Businesses
- Kinsta: The Lowdown on GDPR Compliance for WordPress Users
- Kerstin Begley: My exact steps to get GDPR ready (Kerstin recommends Disclaimer Template’s “The Big 3”)
- MailChimp Knowledge Base: General Data Protection Regulation FAQs
- MailChimp Knowledge Base: Collect Consent with GDPR Forms
- Chimp Answers: MailChimp & GDPR Facebook Group
Once you get your policies squared away, we can help implement them on your website. Check out the GDPR Website Compliance Starter Package for details.
Remember, our list of “things to do” is not inclusive of every possible business, website and/or scenario. You may need to do more to become compliant with the GDPR. In fact, the rules set within the GDPR may change as the regulation gets updated, services you use may become non-compliant, your record keeping process may change, you may experience changes within your business, and other things may affect compliance going forward. Consult a legal professional to help you sort it out.
I can’t end this post without saying a BIG thank you to the amazing resources mentioned above for helping us all understand this a little better.
If you have other great resources, please share below. Or, tell us about your experience with getting your own business compliant.
I’d love to hear from you!