[Note: This material has been prepared for informational purposes only, and is not intended to provide and should not be relied on for legal advice or GDPR compliance. If you have further questions about compliance, consult your legal counsel.]
New legislation in Europe, called the General Data Protection Regulation (or GDPR) goes into effect May 25, 2018, and it doesn’t just impact business and citizens in the European Union (EU). It affects all of us as bloggers and online business owners.
Simply put, the GDPR gives citizens in the EU more control over how their data is used.
If you have a blog, chances are you at some point could have a reader based in the EU, which means that technically, you could be subject to compliance these laws.
And while it might be hard to enforce right now, the reality is that legislation like this is likely to continue roll out. Truth be told, the laws regulating how we receive, use and store data need to be updated, and while it’s primarily aimed for EU companies and citizens, becoming at least somewhat compliant improves online marketing in our neck of the woods, too!
Likened to establishing speed limits, GDPR makes online data protection enforceable with hefty fees in proportion to your income. But here’s the most important thing to know right now: if you’re used to doing business “above board,” there’s no reason to panic. Stay within the established limits and you should be safe.
It’s really all about informed consent — meaning, when people give you their information (email address, contact information, etc.), they understand what type of communication they’ll receive from you.
Besides NOT panicking, here are several first steps when learning how to respond to GDPR.
- Get educated. Here are five resources to review to help you evaluate what you can do to become GDPR-compliant and help answer questions you may have about the new regulations.
- Your GDPR + Email Marketing Playbook
- Interview with Suzanne Dibble
- GDPR FAQs
- Mailchimp: Collect Consent with GDPR Forms
- The GDPR Guy Podcast
Natasha Lomas at TechCrunch explains:
“‘We may use your personal data for research purposes’ will not pass muster under the new regime. So a wholesale rewriting of vague and/or confusingly worded T&Cs is something Europeans can look forward to this year. Add to that, any changes to privacy policies must be clearly communicated to the user on an ongoing basis. Which means no more stale references in the privacy statement telling users to ‘regularly check for changes or updates’ — that just won’t be workable.”
Be able to demonstrate that you have permission (consent) if you contact any customers using e-mail, direct mail, SMS or other means. Be clear about what each customer opts to provide and receive, and you avoid using pre-checked consent boxes to get their consent.
- Include additional consent opt-ins for mailing lists and online communities. When someone gives you their information, you’ll need to have a fair processing notice to tell them why you’re collecting it, what you plan to do with it, other companies that could receive it, and how long you’ll be keeping it.
For example, on opt-in forms, tell them all the types of communication you plan to send them. If they’re downloading a free PDF from you, also mention you will send them information about your products and services.
- Make your unsubscribe and opt-out options clear and easy to access. If you use a reputable email platform like Mailchimp, Drip, ConvertKit, etc., they’ll likely have guidelines in place to make it easy for you to stay compliant.
- Prepare to report data breaches within 72 hours. You’re totally responsible for the data your website collects. So if you’re hit with a cyberattack and the data is stolen, you could be liable. GDPR requires you to demonstrate that your data is safe, and the simplest solution may be to invest in encryption software. Encryption software is not required by GDPR but might be a good option to help keep your data secure and also prove that you’re looking out for your subscribers and customers.
Once again, we would like to reiterate that WE ARE NOT ATTORNEYS, and the advice here is for informational purposes only, and should NOT be considered legal advice.