What the heck is GDPR and Why Should I Care?
On May 25th, 2018, a new regulation is going to take effect in the European Union ("EU") and it impacts anyone who either lives in the EU or has subscribers in the EU.
Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate.
Essentially, if you have an online business and have been growing and nurturing an email list of subscribers, you can’t ignore this new regulation.
Bummer for us but hopefully it will force us to be much more targeted with our communications and offer even greater value to retain those on our list.
So here's the scoop…
If the term GDPR is new to you, here’s what it’s all about: GDPR stands for the “General Data Protection Regulation”. It is a privacy law from the European Union that changes the rules around collecting, storing and using personal data, and it can affect all of us (even those of us who aren’t in the EU).
I know the topic can be confusing and I also know you need all the facts.
What is the goal of the GDPR?
The goal of the GDPR is to protect the personal data and privacy of people in the EU in an increasingly data-driven world.
Start by understanding the key rights this law gives the people on your list; that makes your own responsibilities in protecting those rights much clearer:
Right to be informed: you must tell EU subscribers, at the point you collect their data, what personal data you collect, how it is stored, and how and why it is used. This is what your privacy policy is for.
Right of access: EU subscribers can request a copy of the personal data you hold about them at any time.
Right of rectification: EU subscribers can update (or request updates to) their personal information at any time.
Right of erasure: EU subscribers may request that you erase their personal data at any time.
Right to object: EU subscribers may object to how you use their data. For an email list this means they can unsubscribe from any of your emails at any time, and you must honor it.
Who does the GDPR apply to?
The GDPR applies to any organization in the European Union that is processing personal data. It also applies to any organization, wherever it is based, that processes the personal data of people in the EU (regardless of the subscriber's citizenship or residency status).
What should I be doing?
1. Educate yourself about the GDPR and make sure you understand how it relates to your business processes.
2. Consent requires a positive opt-in, so we cannot use pre-ticked boxes. For consent to be valid under the GDPR, a subscriber must actively confirm it, for example by ticking an unchecked opt-in box. Pre-checked boxes that treat inaction as consent are not valid, and subscribing to our emails must be offered as its own clearly worded choice rather than bundled into a purchase or download.
3. Document and communicate a process for data requests from EU subscribers. Your EU subscribers have the right to opt out, make changes to their personal data, request copies of their personal data, or request that their data be deleted entirely from your records.
Make it easy for people to withdraw consent and tell them how to do it. All major email laws, including those in the US (CAN-SPAM) and Canada (CASL), already require that we give subscribers the option to opt out of our emails, so every email we send must include an unsubscribe link. If you are already compliant with those laws, you shouldn't have to do anything here.
Subscribers also have the right to rectify or update their personal data at any time. Similar to the unsubscribe link, subscribers can be given the ability to update their own details through a “Change subscriber options” link in the footer of your emails; otherwise, update their information manually upon request. Either way, document a process for how EU subscribers can make a request, both in your emails and in your public-facing privacy policy.
4. Keep good records of how you collect personal data from EU residents, so that you can prove their consent. At a minimum, make sure your email service provider records when someone signed up, which form they used (the signup source) and the "yes" captured by the checkbox you added in item #2 above; keep the wording they agreed to as well. Tip: name your signup sources and opt-in forms descriptively. "Form#1" proves nothing, whereas "The ADHD Entrepreneur Roadmap" shows exactly what the subscriber opted in to.
5. Lastly, the GDPR doesn’t just apply to subscribers who sign up after May 25th; it applies to your current subscriber list as well. You'll need to audit your list to identify who is in the EU and who has an unknown location. Hopefully your email provider has already captured an IP-based location, which makes this easier (IP geolocation is approximate, so treat unknown or ambiguous locations as in scope). For any contacts for whom you don’t have GDPR-proof consent, or if you are unsure whether their consent is compliant, you’ll have to run a re-engagement campaign to refresh that consent, or remove the subscriber from your mailing list.
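Steps 2, 4 and 5 together describe one procedure: capture an affirmative opt-in, keep evidence of it, then audit the existing list and sort people into "keep", "re-engage or remove" and "out of scope". The script below is an added example of that audit, written for this article; it is my own code, not code from the original post or from any email service provider. It assumes you have exported your list into the simple record structures shown (the field names are assumptions), that your provider gives you a two-letter country code from IP geolocation where it has one, and it treats an unknown location as in scope because you cannot prove such a subscriber is outside the EU. The sample subscribers are constructed, not real.

```python
# Added example: audit an email list for provable GDPR consent.
# Not code from the original post or any email provider; record field
# names and the bucket names are assumptions made for this example.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# EU member states as of May 2018 (the UK was still a member) plus the
# three EEA states that apply the GDPR, as ISO 3166 two-letter codes.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB", "IS", "LI", "NO",
}

# Signup-source names that say nothing about what the person opted in to.
GENERIC_SOURCES = {"", "form#1", "form1", "import", "csv import", "unknown"}


@dataclass
class ConsentRecord:
    timestamp: datetime        # when the opt-in happened (must be tz-aware)
    source: str                # named signup form, e.g. "The ADHD Entrepreneur Roadmap"
    consent_text: str          # the wording shown next to the checkbox
    affirmative: bool          # True only if the subscriber ticked an unchecked box
    ip: Optional[str] = None   # captured at signup, if the provider records it


@dataclass
class Subscriber:
    email: str
    country: Optional[str]     # ISO code from IP geolocation, or None if unknown
    consent: Optional[ConsentRecord]
    unsubscribed: bool = False


def consent_problems(consent: Optional[ConsentRecord]) -> list:
    """Return the reasons a consent record would not stand up as evidence.
    An empty list means the record is provable."""
    if consent is None:
        return ["no consent record"]
    problems = []
    if not consent.affirmative:
        problems.append("no affirmative opt-in (pre-ticked box or inferred consent)")
    if consent.source.strip().lower() in GENERIC_SOURCES:
        problems.append("signup source not descriptive")
    if not consent.consent_text.strip():
        problems.append("consent wording not recorded")
    if consent.timestamp.tzinfo is None:
        problems.append("timestamp has no timezone, so it cannot prove when")
    return problems


def in_scope(sub: Subscriber) -> bool:
    """GDPR applies to people in the EU/EEA. Unknown location counts as in
    scope, because you cannot prove the subscriber is outside it."""
    return sub.country is None or sub.country.upper() in EU_EEA


def classify(sub: Subscriber) -> tuple:
    """Map one subscriber to an action bucket and the reasons for it."""
    if sub.unsubscribed:
        return "suppress", ["already opted out; keep only on the suppression list"]
    if not in_scope(sub):
        return "out_of_scope", []
    problems = consent_problems(sub.consent)
    if not problems:
        return "keep", []
    return "reengage_or_remove", problems


def audit(subscribers) -> dict:
    """Group a list into action buckets: {action: [(email, reasons), ...]}."""
    buckets = {}
    for sub in subscribers:
        action, reasons = classify(sub)
        buckets.setdefault(action, []).append((sub.email, reasons))
    return buckets


# Constructed sample list (not real subscribers).
SAMPLE = [
    Subscriber("anna@example.de", "DE",
               ConsentRecord(datetime(2018, 3, 2, tzinfo=timezone.utc),
                             "The ADHD Entrepreneur Roadmap",
                             "Yes, email me the roadmap and weekly tips",
                             True, "203.0.113.7")),
    Subscriber("liam@example.ie", "IE",
               ConsentRecord(datetime(2017, 11, 9, tzinfo=timezone.utc),
                             "Form#1", "", False)),
    Subscriber("mystery@example.com", None, None),
    Subscriber("dave@example.com", "US", None),
    Subscriber("gone@example.fr", "FR", None, unsubscribed=True),
]

if __name__ == "__main__":
    for action, members in audit(SAMPLE).items():
        print(action)
        for email, reasons in members:
            print("   ", email, "; ".join(reasons))
```

Run it and the "reengage_or_remove" bucket is your re-engagement campaign list, with a reason per address that you can also keep as part of your records. The checks in `consent_problems` are the minimum the article asks for (an affirmative tick, a descriptive source, the wording agreed to, and a timestamp); extend them with whatever else your provider captures.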
Where can I get more information?
EU GDPR Information Portal
ICO (UK's Information Commissioner's Office) Guide to the General Data Protection Regulation (GDPR)
ICO (UK's Information Commissioner's Office) 12 Step Guide
Amy Porterfield has a great podcast episode whose guest, a lawyer, walks you through everything, including the "grey" areas of the law.