Let me start by saying: this is not a guide on how to implement GDPR in your business.
In this article, I want to highlight some of the more practical things. GDPR has so many facets … if I hadn’t been forced to comply with it, I wouldn’t have looked at it at all. So this article is intended to be a list of facts and resources, and I am also adding some funnies to it at the end.
Also, I am not saying I am providing full and complete information in this post. What I am rather intending to do here is to give you – as the owner of an online business – some practical clues about what to think about and what to work on, on your journey of complying with this new regulation. Note that I am not a lawyer, nor do I mean to provide advice in replacement of one. It is highly recommended that you seek legal advice for anything that seems unclear.
It’s an awful lot of work that is required from us. Many of us won’t have everything completed on this magical date (May 25th, 2018) — but you know what: it’s not the end of the world. We will get there over time. We will make mistakes. But we will also grow with it.
With that said, let’s begin.
GDPR is a big deal. It’s maybe not as bad as people have made it out to seem. But it is something that shouldn’t be ignored. Here are some quick links to what you can expect to find in this article:
Disclosure: Behind a few of the links are affiliate links. This means, if you click on them and decide to purchase something, I may earn something. (Thanks!)
What you have to do as a Website Owner
As a site owner, it is up to you to communicate how your customers’ information is being used. It’s more of a communication and process question, rather than something that can be solved with technology.
☞ The EU has discretion to issue warnings or overlook violations. If you deal with 99% non-EU information and a few EU people slip in while you are not compliant, they are not likely to seek any punishment.
☞ If your visitors only read your blog / site, you don’t need to do anything. However, if they sign up for a newsletter, then you need to add some information to your Terms and Conditions. It then depends on the service you use for your email subscription. Often, the data is not stored on your WordPress blog, but on the email service provider’s server. Most companies (like Mailchimp) include an unsubscribe link in all of your messages, so customers can delete themselves from the list at any time – just make sure to use double opt-in (as in: users need to confirm that they really do want to get on that list).
☞ If you are doing high-volume sales and intentionally targeting EU residents/citizens, you may be subject to penalties. Do not assume this cannot be enforced outside of the EU; that is not true. Some companies will be required to have a legal representative in the EU if they are large enough.
just to be GDPR safe im gonna text everyone in my phone contacts list and tell them I hold their phone number and email address and ask if they want to continue receiving texts from me
— Chris Greene (@HateChrisGreene) May 17, 2018
When You Run an Online Shop on Your Website
GDPR is applicable to everybody who collects data from visitors from the EU.
When you sell via your website, you’re collecting even more data. Not only will you need people’s names and email addresses, you’ll also need credit card details and possibly physical addresses too.
If you collect emails when making a sale on your website and then add those email addresses to your mailing list, you must tell people, and gain their specific consent to you holding their data and using it in this way.
Question Pool: Your Questions Answered
Since the consequences of not complying seem so dire, we all are asking ourselves a lot of questions. What if this / what if that …
Looking for answers myself, I have found some trustworthy material on YouTube that I feel is worth sharing with you. The Bitesize Marketing Channel answers the questions most of us are asking, like:
What Are The Consequences If You Do Not Comply?
The maximum sanction for non-compliance with the GDPR is 20,000,000 Euros or up to 4% of your annual worldwide turnover (based on figures from the preceding financial year), whichever is the greater.
Offering a Freebie in Exchange for Subscribing to Your Newsletter Doesn’t Work Any Longer
Old times. The purpose of creating an awesome freebie was so that you could add your new user to your list of subscribers – in exchange for your freebie. Right?
New times. With the GDPR in effect, you are only obtaining consent from your users to process their personal data to send them the freebie. They did not give you consent to be added to your newsletter list – and you cannot just add them.
If you would like to add them to your newsletter, you’ve got two options:
- You request a separate consent (maybe in the same sign-up form), or
- You use a double opt-in, and request separate consent in the email you are sending to confirm their sign up.
However, it’s important to keep in mind that under the GDPR, when you are requesting consent for separate matters, each request must be distinguishable. You are not allowed to bundle requests. Bundled requests are not compliant with the regulation.
This means freebies are now really freebies. They are not conditional freebies, as in: “If you give me your email address, I send a giveaway your way”.
❏ With a form, say why you’re collecting the data and how you will use it.
❏ Provide a double opt-in to ensure you have informed consent.
❏ When sending out emails, provide an unsubscribe option and a ‘forget me’ option. If someone asks to be forgotten, delete their data – don’t just stop sending them emails.
❏ If you share data, tell the owners of the data and ask for their consent. Don’t share without consent.
❏ Use forms plugins and mailing list providers that are GDPR-compliant.
There is also a GDPR Compliance Checklist for purchase.
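To show what the two options above (separate consent, double opt-in) and the checklist points about unsubscribing versus “forget me” look like once you turn them into data, here is an added example of a small consent store. It is not code from this article, from WordPress or from any mailing-list plugin; the class, the purpose names and the in-memory storage are my own assumptions, and a real site would persist the records in its database.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Each purpose is recorded on its own so consent for one can never be
# read as consent for another (no bundled requests). Names are assumed.
FREEBIE = "send_freebie"
NEWSLETTER = "newsletter"


@dataclass
class ConsentRecord:
    email: str
    # purpose -> True/False exactly as the subscriber chose it
    consents: dict = field(default_factory=dict)
    # the wording shown for each purpose, kept as evidence of what was agreed
    wording: dict = field(default_factory=dict)
    confirmed: bool = False            # becomes True on double opt-in
    confirm_token: Optional[str] = None
    recorded_at: str = ""


class ConsentStore:
    """Hypothetical in-memory store standing in for a site's database."""

    def __init__(self):
        self._by_email = {}   # email -> ConsentRecord
        self._by_token = {}   # pending confirmation token -> email

    def signup(self, email, freebie_text, newsletter_text, newsletter_opt_in=False):
        """Record a sign-up form submission.

        The newsletter box defaults to unchecked: asking for the freebie
        never implies newsletter consent, it has to be ticked separately.
        Returns the token to put in the confirmation email link.
        """
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(
            email=email,
            consents={FREEBIE: True, NEWSLETTER: bool(newsletter_opt_in)},
            wording={FREEBIE: freebie_text, NEWSLETTER: newsletter_text},
            confirm_token=token,
            recorded_at=datetime.now(timezone.utc).isoformat(),
        )
        self._by_email[email] = rec
        self._by_token[token] = email
        return token

    def confirm(self, token):
        """Second step of double opt-in: only whoever reads the mailbox has the token."""
        email = self._by_token.pop(token, None)
        if email is None:
            return False          # unknown or already-used token
        rec = self._by_email[email]
        rec.confirmed = True
        rec.confirm_token = None
        return True

    def may_send(self, email, purpose):
        """Nothing goes out before confirmation, and only for a purpose that was ticked."""
        rec = self._by_email.get(email)
        return bool(rec and rec.confirmed and rec.consents.get(purpose, False))

    def unsubscribe(self, email):
        """Withdraw newsletter consent but keep the record, so you can still
        show later what the person agreed to and when."""
        rec = self._by_email.get(email)
        if rec:
            rec.consents[NEWSLETTER] = False

    def forget(self, email):
        """'Forget me': delete the data itself, not merely stop mailing."""
        rec = self._by_email.pop(email, None)
        if rec and rec.confirm_token:
            self._by_token.pop(rec.confirm_token, None)
        return rec is not None

    def knows(self, email):
        return email in self._by_email


if __name__ == "__main__":
    store = ConsentStore()
    # constructed sample sign-up: freebie requested, newsletter box left unticked
    token = store.signup("reader@example.com",
                         "Email me the checklist PDF",
                         "Also send me the weekly newsletter")
    print("before confirm:", store.may_send("reader@example.com", FREEBIE))
    store.confirm(token)
    print("freebie ok:", store.may_send("reader@example.com", FREEBIE))
    print("newsletter ok:", store.may_send("reader@example.com", NEWSLETTER))
    store.forget("reader@example.com")
    print("still known:", store.knows("reader@example.com"))
```

The shape matters more than the code: one boolean per purpose, the exact wording stored next to it, a confirmation step that gates every send, and two different operations for “stop emailing me” and “forget me”.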
Roundup Posts & Resources about GDPR
I found Robert Partridge’s article GDPR: Does your blog need to be compliant? very useful. In his honest article, he dives into the GDPR law and extracts the important points. I also appreciated that he translated that back into plain English. Another thing that really stands out in this article is the compliance test that you can do yourself in order to determine whether or not you are subject to the GDPR as a blogger: 8 questions, yes/no answers. Easy.
Chances are you don’t actually have to worry at all about GDPR, because you don’t need to be compliant with it.
This eBook, The Blogger’s Guide To Avoid Being Subject To GDPR, helps you understand the criteria for determining if your blog is required to be GDPR compliant, along with actual strategies you can implement to keep your blog from being subject to GDPR. Read more here.
The Funniest Tweets About GDPR
Because it’s better to laugh than cry, let’s try to find some humor in this situation.
remember folks: if your ex contacts you out of the blue in the next week, it’s probably only because of GDPR compliance
— Casey Kolderup (@ckolderup) May 16, 2018
My mum is leaving it awfully close to the GDPR deadline to ask if I want to opt in to receive her emails, calls and texts.
— Sharon O’Dea (@sharonodea) May 15, 2018
“WARNING. In our butcher’s shop we might ask your name and remember your meat-related preferences. If you are worried about this, please enter the shop while shouting ‘I DO NOT AGREE!’, and we will henceforth pretend we don’t know you.” #GDPR HT @PhRoose cc @bobnease pic.twitter.com/sDhveLiBqj
— Koenfucius (@koenfucius) May 19, 2018
Do you know a good GDPR expert?
Can I have their email?
— Grant Tucker (@GrantTucker) May 23, 2018