18 May How GDPR Law Affects You Even If You’re Not in the EU
If you’re reading this, it’s likely because you’re confused about this whole GDPR (General Data Protection Regulation) conversation that’s going around. You’ve probably gotten a slew of emails from every site you’ve ever signed up for since the beginning of time updating you on their privacy policies. And if you’re at all like me, you’ve probably been a little annoyed by them and have just been deleting them after skimming quickly (or let’s be honest, most of them were deleted quite unread).
But the deadline for GDPR compliance is fast approaching, May 25th, so if we’re going to make any changes to our practices, it needs to be ASAP. While I am by no means an expert on this, I’ve been trying to wrap my head around the issue and have put together a few tips and resources that might help you understand how it affects you and what you might need to do moving forward to stay out of trouble.
There are quite a bit of articles out there talking about what GDPR is and who is covered and why you need to be compliant. In order to keep this article short, here are some bullet points to keep things simple.
- The GDPR aims to prevent security breaches and loss or misuse of personal data by organizations. While this was originally developed to safeguard people who are in the EU (European Union) and streamline practices across the EU, it is being applied across the board.
- I’m not in the EU, do I still need to update my practices? I mean think about it. How would you feel if a company, in essence, said to you “for anyone in the EU, we have these strict privacy policies, but for everyone else… not so much”?
- What if someone on my list, currently living in the US, moves to the EU? Yeah, they now need to be safeguarded so you may as well have the policies in place across the board. The EU GDPR law applies to anyone that is in the EU at the time you interact with them.
- Penalties for breaking the regulation can be extreme: If a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision. On the lower level up to €10 million, or 2% of the worldwide annual revenue of the prior financial year and on the upper level up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. (source)
- Processing of data collected must be used only for it’s original purpose. That means if someone signs up to receive a freebie on your site, that data must only used for the purposes of sending them that freebie. You can’t automatically add them to your mailing list, this requires additional consent.
- If you have any sort of opt-in on your site or use lead magnets or sales funnels, you have to be very careful of what data you collect and be very specific in telling your followers what you collect, how you store it and for how long, and what exactly the data is being used for.
- It is also very important that people can easily opt-out anytime from your mailings and that they are able to request that you remove any or all of their data from your business.
- GDPR takes effect May 25, 2018.
Below is a list of resources that I’ve been looking at and found useful:
- http://tandemnomads.com/how-gdpr-affects-your-portable-business/ (article and 33min podcast)
- I highly recommend downloading the Free GDPR Guide for Your Portable Business listed in the show notes, and take a peek at their sign-up form, I think it’s a great example
- http://www.amyporterfield.com/2018/04/gdpr/ (article and 57min podcast)
Practical Steps to Take
Review Your Data Collection Practices
Now is a great time to really think through what data you are collecting, why you are collecting that specific information and whether or not you should collect less or request more. This includes anything from basic information like the name and email address collected on a sign-up form, to any additional information collected when someone purchases a service or product from you (which may also include things like address, phone number, credit card information, etc).
Be particularly mindful of any sensitive data you might collect in regards to race, religion, biometric or genetic data, health etc. Anything that has to do with personally identifiable data such as a social security number, IP address, name, location, economic, cultural or psychological identity.
Aim to only collect the information that is truly necessary in order for you to interact with your clients and followers.
Additionally, you’ll want to consider where that data is stored and for how long. Make sure you’re clear on how to secure this data (stronger passwords, switching to a different data collection service, etc) and very importantly, ensure that it’s easy for someone to review the data you have on them and/or to opt-out at anytime if they choose to.
Ensure That Any Third Party Software/Apps/Platforms You Use Are GDPR Compliant
As I mentioned before, you likely received a slew of emails regarding privacy policies and data collection practices. Hopefully, you’ve already received one from any platforms that you may use to collect data, such as your CRM or Email Marketing Platforms. If you haven’t or you deleted the email, head on over to their blog and see if they have any updates on GDPR compliance. If they don’t or the information provided is unclear, write them an email and ask about their policies and how they protect data collected on your behalf.
Mailchimp, for example, sent me a link to a fairly thorough article on their updated practices and they’ve sent a couple of emails talking about updated features and how to implement them (http://eepurl.com/dqP8Bb). Convert Kit also has a very useful article on their practices and recommendations (https://convertkit.com/gdpr/).
If you’re unclear or unhappy about how they collect, use or secure data, consider switching to another company.
Update Your Privacy Policies
Look through all the touch-point in which a client or site visitor might provide you with data and review your language. Take a look at:
- opt-in forms and lead magnets
- contact forms
- sales pages
- terms & conditions pages
- any other place where someone provides you with personal data or personal data is automatically collected
Is it clear what information is collected, how it will be used and for how long? In the case of opt-ins and lead magnets are you requesting separate consent for joining your mailing list?
Take this time to make sure your policies are clear and updated to comply with GDPR regulations.
Get Appropriate Consent
What happens with all the people you already have on your mailing list? Technically, you can’t grandfather them into your list and be considered GDPR compliant. Unless of course, the specifically consented to receive marketing emails from you.
To be clear, this does not include someone who signs up for a freebie or lead magnet being automatically added to your list. Getting consent to send them your freebie materials and getting consent to join your mailing list are two separate requirements. Unless they opted into a form that specifically only requests permission to join your marketing list, you probably want to get new consent from them in order to be compliant.
Option 1: If your marketing platform allows you to identify those folks who are in the EU and those who aren’t, you can send a targeted email to EU folks and ask them to re-sign up. Making sure, of course, that language is clear and explicit to joining your marketing list. Anyone who doesn’t opt-in should be removed from your list before the 25th.
Option 2: Request everyone on your list to re-sign up. To me, this is the safest way to go about it. This way you have new, clear and explicit content from everyone on the list. And you also don’t risk any errors or forgetting to include someone from the EU on your mailing. This also shows people who are not in the EU that you’ve taken GDPR compliance seriously and that their data is safe. Again, you’ll want to send this communication before the 25th and remove anyone who doesn’t sign up.
Note that with any of these solutions you’ll be likely to lose some folks. Either because they never opened your email or because they were too busy to sign up at the moment and later forgot. Or even because they took this as an opportunity to unsubscribe from your list. Just be mentally prepared for this and don’t take it personally. Hopefully, you’re able to explain to your followers the benefits of staying on your list. And if you’re having a hard time doing so, it’s a great opportunity to reassess the value you’re providing your followers.
Data Collection Moving Forward
The main takeaways of GDPR law are:
- data must be collected lawfully with explicit consent
- data collected must be held securely
- data usage is limited to the original purpose for which it was collected and consent was given
- data should only be stored for as long as is necessary to fulfill that purpose
- users must have the option to opt-out anytime and easily from your marketing lists
Ensure you keep those points in mind as you update your existing materials or create new ones for your business. When in doubt, ask yourself: How would I like another company to handle MY data?
You can add this as a link on your site footer and use it to link to from any place where you collect data.
But I Don’t Have Time For All This!!
I know, I know! It’s a lot to take in and it’s a lot to implement. And if you’ve left it all to last minute it sounds even more daunting. If right now is the first time that you’re even considering doing anything about GDPR, take a deep breath and let’s get you compliant.
First and foremost, renew consent from existing list members. It’s up to you whether you choose to do this for all your list members or only those who are part of the EU.
- Email your existing list and ask them to review your email policies if you’ve already updated them.
- Be very clear that they’re consenting to continue on your marketing list and provide as much info on how the data is used and how they can opt-out.
- Remove folks for whom you don’t have appropriate consent from your list.
- Do so before the 25th!
- If needed, temporarily turn off your opt-in pages until you can revise your policies.
Review your policies so that you get proper GDPR compliant consent from any new folks joining your list.
- Ensure that any freebies, opt-ins and lead magnets have clear language that differentiates consent for receiving your free materials from consent for joining your mailing list. You can no longer “force” people to join your mailing list as an exchange for receiving freebie materials. They need to have the option to ONLY receive the freebie materials and not join your list if they choose to. You can do this by:
- Including a drop-down or checkbox that folks need to select in order to join your mailing list. This should not be set by default to allow permission and this should not be a prerequisite for receiving your freebie materials.
- Include the option to subscribe to your list as part of the delivery email (where they receive your freebie) or as part of the confirmation page.
- Revisit any lead magnets and sales pages to ensure there is a GDPR compliant flow and that everything is lawful and transparent.
- When in doubt, ask yourself: How would I like another company to handle MY data?
Go Forth and Comply
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
Elizabeth Denham, Information Commissioner for the UK
The main thing to remember is that the whole point of all this is not to add more work, to make things difficult or to fine companies willy-nilly. It’s about ensuring that everyone’s data is used in a lawful, fair and transparent manner. We want to ensure that our private, personal information is kept safe and used for the purposes for which we have given consent. If we are to expect that of others, then we need to comply ourselves.
Please share any useful resources in the comments below. In particular, if you have any that have scripts folks can use to email their list members or templates for policy disclaimers. Feel free to like, share and comment!
Disclaimer: As I said, I’m not an expert on the subject but wanted to share the bits of information that I have gathered with anyone who might find it useful. Please use any information listed in my article, linked resources or comments section with discretion.