If you’re reading this, it’s likely because you’re confused about this whole GDPR (General Data Protection Regulation) conversation that’s going around. You’ve probably gotten a slew of emails from every site you’ve ever signed up for since the beginning of time updating you on their privacy policies. And if you’re at all like me, you’ve probably been a little annoyed by them and have just been deleting them after skimming quickly (or let’s be honest, most of them were deleted quite unread).
But the deadline for GDPR compliance is fast approaching, May 25th, so if we’re going to make any changes to our practices, it needs to be ASAP. While I am by no means an expert on this, I’ve been trying to wrap my head around the issue and have put together a few tips and resources that might help you understand how it affects you and what you might need to do moving forward to stay out of trouble.
There are quite a few articles out there explaining what GDPR is, who is covered and why you need to be compliant. To keep this article short, here are some bullet points to keep things simple.
Below is a list of resources that I’ve been looking at and found useful:
Now is a great time to really think through what data you are collecting, why you are collecting that specific information and whether or not you should collect less or request more. This includes anything from basic information like the name and email address collected on a sign-up form, to any additional information collected when someone purchases a service or product from you (which may also include things like address, phone number, credit card information, etc).
Be particularly mindful of any sensitive data you might collect in regard to race, religion, biometric or genetic data, health, etc. The same goes for anything that counts as personally identifiable data, such as a social security number, IP address, name, location, or economic, cultural or psychological identity.
Aim to only collect the information that is truly necessary in order for you to interact with your clients and followers.
Additionally, you’ll want to consider where that data is stored and for how long. Make sure you’re clear on how to secure this data (stronger passwords, switching to a different data collection service, etc.) and, very importantly, ensure that it’s easy for someone to review the data you have on them and/or to opt out at any time if they choose to.
As I mentioned before, you likely received a slew of emails regarding privacy policies and data collection practices. Hopefully, you’ve already received one from any platforms that you may use to collect data, such as your CRM or Email Marketing Platforms. If you haven’t or you deleted the email, head on over to their blog and see if they have any updates on GDPR compliance. If they don’t or the information provided is unclear, write them an email and ask about their policies and how they protect data collected on your behalf.
Mailchimp, for example, sent me a link to a fairly thorough article on their updated practices, and they’ve sent a couple of emails talking about updated features and how to implement them (http://eepurl.com/dqP8Bb). ConvertKit also has a very useful article on their practices and recommendations (https://convertkit.com/gdpr/).
If you’re unclear or unhappy about how they collect, use or secure data, consider switching to another company.
Look through all the touch-points at which a client or site visitor might provide you with data and review your language. Take a look at:
Is it clear what information is collected, how it will be used and for how long? In the case of opt-ins and lead magnets, are you requesting separate consent for joining your mailing list?
Take this time to make sure your policies are clear and updated to comply with GDPR regulations.
What happens with all the people you already have on your mailing list? Technically, you can’t grandfather them into your list and be considered GDPR compliant, unless, of course, they specifically consented to receive marketing emails from you.
To be clear, this does not include someone who signs up for a freebie or lead magnet being automatically added to your list. Getting consent to send them your freebie materials and getting consent to join your mailing list are two separate requirements. Unless they opted into a form that specifically only requests permission to join your marketing list, you probably want to get new consent from them in order to be compliant.
Option 1: If your marketing platform allows you to identify those folks who are in the EU and those who aren’t, you can send a targeted email to EU folks and ask them to re-sign up. Make sure, of course, that the language is clear and explicit about joining your marketing list. Anyone who doesn’t opt in should be removed from your list before the 25th.
Option 2: Request that everyone on your list re-sign up. To me, this is the safest way to go about it. This way you have new, clear and explicit consent from everyone on the list, and you don’t risk any errors or forgetting to include someone from the EU in your mailing. This also shows people who are not in the EU that you’ve taken GDPR compliance seriously and that their data is safe. Again, you’ll want to send this communication before the 25th and remove anyone who doesn’t sign up.
Note that with any of these solutions you’ll be likely to lose some folks. Either because they never opened your email or because they were too busy to sign up at the moment and later forgot. Or even because they took this as an opportunity to unsubscribe from your list. Just be mentally prepared for this and don’t take it personally. Hopefully, you’re able to explain to your followers the benefits of staying on your list. And if you’re having a hard time doing so, it’s a great opportunity to reassess the value you’re providing your followers.
The main takeaways of GDPR law are:
Ensure you keep those points in mind as you update your existing materials or create new ones for your business. When in doubt, ask yourself: How would I like another company to handle MY data?
You can add this as a link in your site footer and link to it from any place where you collect data.
I know, I know! It’s a lot to take in and it’s a lot to implement. And if you’ve left it all to the last minute, it sounds even more daunting. If right now is the first time that you’re even considering doing anything about GDPR, take a deep breath and let’s get you compliant.
First and foremost, renew consent from existing list members. It’s up to you whether you choose to do this for all your list members or only those who are in the EU.
Review your policies so that you get proper GDPR compliant consent from any new folks joining your list.
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
Elizabeth Denham, Information Commissioner for the UK
The main thing to remember is that the whole point of all this is not to add more work, to make things difficult or to fine companies willy-nilly. It’s about ensuring that everyone’s data is used in a lawful, fair and transparent manner. We want to ensure that our private, personal information is kept safe and used for the purposes for which we have given consent. If we are to expect that of others, then we need to comply ourselves.
Please share any useful resources in the comments below, in particular any that include scripts folks can use to email their list members or templates for policy disclaimers. Feel free to like, share and comment!
Disclaimer: Like I said, I’m not an expert on the subject but wanted to share the bits of information that I have gathered with anyone who might find it useful. Please use any information listed in my article, linked resources or comments section with discretion.