Unless you’ve been hiding under that famous rock, you can’t have missed all the talk about GDPR. GDPR will affect all businesses in the EU (European Union), EEA (European Economic Area) the UK, and some businesses in other countries too.
Here are some facts about GDPR represented as a series of questions and answers. I hope this helps you figure out what you need to think about and do. It helped me.
Get Legal Advice on The GDPR
However, please be aware – you may need to obtain expert legal advice for your business. If you have any concerns about legal compliance with the GDPR, please contact a lawyer who specialises in it. This article is intended to whet your GDPR appetite and get you thinking about it.
Now for a statement about my statement about seeking legal advice. You will read disclaimers similar to the one above about getting proper legal input, on many websites discussing the GDPR. But be aware that lawyers who are not familiar with the GDPR won’t be much help, and even those that are, will only be able to offer up informed opinions.
We are talking about regulations that form part of EU Law. Laws are open to interpretation and the final interpretation of some of the finer, but less obvious details will only be made obvious once companies start being taken to court. Depressing but true. The Law is not black and white.
That said, here is what I’ve understood.
- Who Should Read This?
- Anyone with a website visited by people in the EU or those with a business that serves people in the EU.
- What Do the Letters “GDPR” Stand For?
- GDPR stands for General Data Protection Regulation
- When Does GDPR Start?
- 25th May 2018.
- Why Is GDPR Important?
- Because it helps to protect people physically in the EU whose data is collected or processed by organisations in the EU or anywhere in the world.
- Will GDPR Affect Businesses In The UK or In the US?
Although GDPR is an EU invention, and although the UK is leaving the EU via Brexit, and although the United States is not even in Europe, GDPR still affects UK and US businesses.
If you are located outside the EU, say in the United States or say, Iran, you may think that GDPR only affects multinationals like Google and Facebook. You’d be wrong though. It also affects any business that does business with EU based people.
Just having a website that can be accessed by those in the EU is enough to draw you into GDPR somewhat.
If you collect data on your website, (personal or behavioural) about a web site visitor or customer, and if any of those visitors are physically in the EU at the time the data is collected, then your business is subject to GDPR compliance with regard to those users.
It doesn’t matter if transactions on your site are non-financial – it might just be the act of signing up to an email list. The transaction still falls under the GDPR. So if your business is located in the United States (for example) and you target EU based people with your marketing, or you accept business from EU based people routinely, then the GDPR applies.
If you’re really not interested in EU customers or visitors, then you might be able to wriggle out of any issues that may arise, but you also might have to prove you were not targeting EU customers. This is really a question for a lawyer and for expert interpretation of the law.
Certainly if your business routinely sells to EU people in for example, a travel business, an eCommerce business or a SaaS type business, you will need to comply.
- So Who Has To Be GDPR Compliant?
- Any business or organisation that processes the personal data of people living in or present in the European Union, at the moment they provide the data.
- Will Brexit Affect The UK And GDPR?
Things may be affected depending on whether the UK becomes part of the European Economic Area (EEA). But until the Brexit process is over, the UK is still bound by EU laws.
That said, Parliament have issued a new Data Protection Bill which complies with the GDPR in full, according to that document. So even if the UK is entirely out of the EU after Brexit completes, the UK has plans to adhere to something very much like the GDPR.
- Who Are The Controllers And Processors GDPR Talks About?
GDPR mentions controllers and processors all the time.
- The controller is the “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
- The processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
What does this mean in the context of a small business?
In a small business you or one of your employees is the controller of data. You make the decisions about the data that is required and you choose the software or means of processing that data.
For example you might take down the names and addresses of customers during a phone call using a pen and paper. You might then transfer the information to a card filing system which you keep on the third shelf on the corner of your office. Or you might type the data into a spreadsheet and keep it on your computer, or in the cloud in a Google Spreadsheet.
In this case you would also be the processor. You are the controller because you are making decisions about the data you need and how it is collected, and then you are the processor because you are processing the data.
In the case where you are collecting data say via a website, but using a comprehensive third party software application such as the one I use, then you are still the controller. But the third party software company is the processor. The reason is that their software not only collects the data for you, but also holds it on their servers.
In the case where you use software on a website to collect information, but you hold the data you collect yourself, then you are also the processor. So for example, if you use Aweber to collect user data and then later send out emails to those users, then Aweber is the processor as the data is held on their servers.
If you simply have a form on your website that sends you an email when someone contacts you via the form, then you are the processor as you are holding the customer data.
- Does GDPR apply to paper records as well as digital records?
This is largely open to interpretation and no doubt lawyers will spend a lot of time in the future arguing about it in court. The GDPR states, “The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria.”
I believe the current understanding is that paper records will be covered by the GDPR if they are systematic. So this means a paper filing system containing the records of all your customers will count, or a card index of patient names and addresses will count.
In other words if the system is a manual filing system then it will count. That would suggest that a random letter from a customer, left in a desk would not count. It’s not part of a system.
- Is Junk Mail Finished Under GDPR?
Wouldn’t that be great? We could use the GDPR to contact all the companies that send large quantities of irrelevant promotional material through the post and ask to be forgotten. Under the GDPR they’d have to forget us. However, the word on the internet street is that we will see an increase in paper junk mail. Why? Because they will forget our names, but remember our addresses and simply write to the “occupant” of your address.
I think this is a flawed approach. I’m not a lawyer, but if I were one, I’d argue that to bombard the lady down the road who is 85 with postal invites to order a stairlift, they must know something about her age and therefore have some of her personal data on file and that the processing of her data is “automatic” (or how could they explain sending the same stuff to many thousands of other people in the same demographic?).
- What Is The Maximum GDPR Penalty?
The maximum fine that a company will face is up to 4% of their annual global turnover or 20 million euros, whichever is the highest. Yes, you read that right. But that is for the most serious GDPR rule breaking.
For less impactful violations, such as not holding proper records or failing to notify of breaches, the maximum fine is up to 2% of global annual turnover or 10 million euros, whichever is the higher.
- What About GDPR and Parental Consent?
The GDPR states you must get parental consent for those under 16 to sign up to a service. Is a newsletter a service? If it is, this seems to imply that we need to ask each person if they are 16 or over in order to say, add them to a list?
It probably depends on what the information you send out is like. If your newsletter is about dog training, it may not require a consent box, but if the information is for adults, then an age consent box is going to be needed.
- Is The GDPR A Good Idea Anyway?
I think it is. You’ve seen all the issues surrounding data protection. There have been instances of user data being stolen from some sites and then used to attempt hacks into other sites. You’ve also heard about your own personal data, along with that of friends, being manipulated and used without clear consent by politicians and foreign governments.
If everyone adopts GDPR these abuses of personal data will be reduced or at least subject to extremely heavy fines. Further, social media companies will have to be a lot more transparent about how they package and sell your data and that of your friends.
Not everyone realises that if they take part in a free social media platform, their data is almost certainly the product. That said, the public now have an opportunity to find out that there are good ways to use data and bad ways. Show that you are using their data in a good way by being transparent.
- What Rights Will Individuals Have With GDPR?
- The right to be informed – Organisations must show the data they hold on an individual on request.
- The right to data access – People can ask about what data is held on them and why and how it’s processed.
- The right to data update – People can insist that any mistakes in data held are corrected.
- The right to erasure – People can ask for the data a company holds on them to be erased. This includes offline data and online data. However, the data may not be deleted if it means that the company can no longer take care of you as a customer, or if they are required by law to keep the data.
- The right to restrict processing – people have the right to restrict or limit the processing of their personal data (within the law)
- The right to data transfer and portability – people can ask that their data be sent to them
- The right to object – in some situations, people can object to their data being used at all. For example on an email list.
- The right to not be included in automated decision making and profiling – so people can ask to be excluded from a process that is automated and without human intervention, and whose outcome can have a legal consequence on them.
- What Is The Right To Be Forgotten?
It’s referred to as the right to erasure above.
Any person whose data you hold, can ask you to erase the data. If asked, you must do this if you no longer require the data for the original reason it was collected. The deletion process must be easy. So for example, on an email list, just providing an unsubscribe link will not be enough because many autoresponder or CRM systems do not delete people who merely unsubscribe. You will have to check how an unsubscribe works with your particular email autoresponder or CRM system.
Each autoresponder or CRM provider will be aware of GDPR and will have advice or provision for a new way to handle those who want to be forgotten.
In general the right to be forgotten is not an absolute right. It’s only possible if the data is no longer required for the purpose it was originally for. If there is a legal obligation or law that directly obstructs the deletion then the right to be forgotten won’t apply.
- Does GDPR Only Affect B2C Business?
- No – even B2B business relationships ultimately happen between individuals even though they are working as employees of an organisation. So all the same GDPR rules apply to company representatives.
- How Will This Change Sales?
It used to be that at a B2B sales event, sales people could collect business cards of potential customers and then add them to a mailing list when back in the office. This is an example of an activity that is no longer possible under GDPR. In future, explicit consent will have to be given because otherwise the individual could object to receiving the information. Any data held MUST have a time and date stamped audit trail that details how the person opted in and consented for precisely what is happening to their data.
For example, if you purchase a marketing list you are responsible for getting the consent information even if someone else built the list and assures you they got consent. If it turns out they did not, you are responsible and you must have the evidence of each consent.
All email lists must now either be confirmed opt-in lists or have a check-box that allows the user to give consent. In my opinion, confirmed opt-ins are essential anyway, as otherwise anyone could sign someone up to an email list without their knowledge.
- Do I Have To Get Everyone On My List To Reconfirm?
If you already have an email marketing list you may have to write to everyone to get their agreement to be on the list. You don’t have to do this if you already have their agreement to
- be on the list
- receive each of the exact types of information you’re sending them
In other words, if they signed up for a free ebook, and you did not also get precise consent to send them marketing emails, then you need to make that explicit and get their permission.
Remember, it’s also wise (in my opinion) to make all signups confirmed opt-ins, so that people cannot be added to lists without their knowledge. If someone complains it could lead to problems for your business under GDPR, so protect yourself. However you do it, you do need a record of when (dates and times) people signed up with consent and what they consented to, because you must also be able to show that you got permission in your records.
Publishers must be able to point to a specific date when a subscriber consented to have their data processed by publishers. This applies to email subscribers you already have and not just the ones that sign up to your list after the GDPR deadline.
- How Will GDPR Affect My Free Giveaway?
A common practice used in internet marketing is to give away some valuable information (for example, an ebook or video training) to anyone who signs up explicitly to get it. Normally this also means they are added to your marketing list.
In future, under the GDPR, you must give them a separate opportunity to not be marketed to, but still get your free gift. Why? I think this sums it up pretty well:
The choice to provide consent must be clearly distinguishable and separate from other initiatives. This means individuals can’t be required to give consent as a condition for receiving a resource, product, or service.
This could be done via a checkbox. If the user checks the checkbox, they’ll also be added to your marketing list.
The issue with this approach is that many people will not check the checkbox and go ahead and download your free gift without allowing you to market to them as well. You may be thinking; but I’ll have put all that work into creating the free (but valuable) ebook, for nothing. Unfortunately, that’d be correct.
However you could mitigate this by providing a link inside the free giveaway to encourage them to sign up to your marketing list at a later date. And you can place affiliate links, or links to your other content throughout the free gift to bring them back to your site.
- You Must make users aware of any automated profiling
If you do any automated processing of personal data or use this to infer a user’s characteristics, then you must tell them you are doing it. So in the case of email marketing this would mean marketing automation – the type of thing Infusionsoft is famous for. You can only perform automated profiling on a person’s data if
- it is necessary for a contract
- it is authorised by law applicable to the controller
- the individual explicitly consented.
- Do I Have To Worry About Data Breach Notifications?
Some companies, such as banks, social media platforms, music platforms and other businesses, have experienced data breaches. You know – where all their customers’ or users’ data has been hacked into and stolen. Stories about this come out all the time. GDPR says that if you suffer a data breach, then you must inform every EU located person whose data you have lost, within 72 hours.
This means you need to know if data you hold has been used or stolen by third parties.
- What about EU people’s personal data being stored outside the EU?
If the company you use to process your users’ personal data holds that data outside the EU, is this an issue for the GDPR? For example, I use ActiveCampaign as my email autoresponder. ActiveCampaign adheres to the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce. This ensures that adequate safeguards are in place when they transfer personal data from the EU to the US.
Check that your data processor, if located in the US, also adheres to the EU-U.S. Privacy Shield.
- How Will GDPR Help Ordinary Internet Users?
Most of the time, a website visitor will sign-up to a list on your website to obtain the free download that you promised. The reason you do this typically, is so you can market to them later via marketing emails.
GDPR says marketing is fine but it’s not OK to send loads of emails after the download unless you ask permission to do so first. So you have to be clear about your intentions.
Many marketers don’t like to make the user jump through a confirmed opt-in as it reduces the list sign up rate. However the list quality improves so you win in the end. It’s all good.
- How Much Consent Do I Need To Get?
When someone buys something from you, you can no longer assume it’s OK to email them all your marketing stuff. You will require consent for each separate thing you might want to do.
So if you’re giving away a free PDF, you will have to get consent to get the visitor’s email address for this, and separately get consent to email them with, for example, your marketing emails.
You cannot bury the fact that they will receive marketing communications in the terms and conditions pages of your site. The declaration and consent taking must be in full view on the sign-up form. Also, the consent boxes cannot be pre-checked. They must be initially unchecked so that the user/visitor has to deliberately make the effort to consent. Further, the language explaining the consent and the reason for the consent must be ultra-clear and easy to understand.
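The consent bookkeeping described in the sections on reconfirming lists, the consent audit trail, and separate consent per purpose can be modelled in code. The block below is an added Python example, not part of the original post and not the API of any autoresponder or CRM: it keeps a time-stamped record of each consent decision per person and per purpose, stores the exact wording shown next to the (initially unchecked) box and where the form lived, answers "may I send this person this kind of email", and treats an unsubscribe (consent withdrawn, records kept as evidence) differently from an erasure request (all records removed). The purposes, form ids, wording and addresses are constructed for the example.

```python
"""Consent ledger: per-purpose consent with a time-stamped audit trail (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Purpose(str, Enum):
    """Each separate thing you might want to do with the data needs its own consent."""
    FREE_EBOOK = "free_ebook"      # constructed purpose names
    NEWSLETTER = "newsletter"
    MARKETING = "marketing"


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision; the whole list of events for a person is the audit trail."""
    email: str
    purpose: Purpose
    granted: bool       # True = consent given, False = consent withdrawn
    at: datetime        # when it happened, always timezone-aware UTC
    source: str         # where it came from, e.g. a form id or page URL (constructed)
    wording: str        # the exact text shown beside the checkbox at the time


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _key(email: str) -> str:
        # Normalise so "Ann@Example.com" and "ann@example.com" are the same person.
        return email.strip().lower()

    def record(self, email: str, purpose: Purpose, granted: bool, source: str,
               wording: str, at: Optional[datetime] = None) -> ConsentEvent:
        """Append a consent decision. Naive (zone-less) timestamps are refused because
        a dated record that cannot be placed in time is weak evidence."""
        if at is None:
            at = datetime.now(timezone.utc)
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        event = ConsentEvent(self._key(email), purpose, granted, at, source, wording)
        self._events.append(event)
        return event

    def evidence(self, email: str, purpose: Purpose) -> List[ConsentEvent]:
        """Every decision for this person and purpose, oldest first: what you show
        if asked to prove when and to what someone consented."""
        key = self._key(email)
        return [e for e in self._events if e.email == key and e.purpose == purpose]

    def may_contact(self, email: str, purpose: Purpose) -> bool:
        """True only if the most recent decision for this exact purpose was a grant.
        Consent for one purpose (the ebook) never implies consent for another."""
        trail = self.evidence(email, purpose)
        return bool(trail) and trail[-1].granted

    def withdraw(self, email: str, purpose: Purpose, source: str = "unsubscribe-link",
                 at: Optional[datetime] = None) -> ConsentEvent:
        """An unsubscribe: consent for that purpose is withdrawn, but the history is
        kept so you can still show you had permission for the emails already sent."""
        return self.record(email, purpose, False, source, "unsubscribed", at)

    def erase(self, email: str) -> int:
        """Right to erasure: remove every record held on the person, for all purposes.
        Returns how many records were removed, so the deletion itself can be evidenced."""
        key = self._key(email)
        before = len(self._events)
        self._events = [e for e in self._events if e.email != key]
        return before - len(self._events)


def demo() -> dict:
    """Walk through a free-giveaway sign-up with a separate, optional marketing box."""
    ledger = ConsentLedger()
    signup = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed times
    later = datetime(2018, 6, 1, 12, 30, tzinfo=timezone.utc)
    # The ebook request: consent only for sending the ebook.
    ledger.record("Ann@Example.com", Purpose.FREE_EBOOK, True,
                  "form:ebook-landing", "Email me the free ebook", at=signup)
    ebook_only = ledger.may_contact("ann@example.com", Purpose.MARKETING)   # False
    # The separate, unchecked-by-default box was ticked as well.
    ledger.record("ann@example.com", Purpose.MARKETING, True, "form:ebook-landing",
                  "Also send me occasional marketing emails (optional)", at=signup)
    marketing_ok = ledger.may_contact("ann@example.com", Purpose.MARKETING)  # True
    # An unsubscribe later: no more marketing, but the trail still shows the grant.
    ledger.withdraw("ann@example.com", Purpose.MARKETING, at=later)
    after_unsub = ledger.may_contact("ann@example.com", Purpose.MARKETING)   # False
    trail_len = len(ledger.evidence("ann@example.com", Purpose.MARKETING))  # 2
    # An erasure request removes everything, including the ebook consent.
    removed = ledger.erase("ann@example.com")                               # 3
    return {"ebook_only": ebook_only, "marketing_ok": marketing_ok,
            "after_unsub": after_unsub, "trail_len": trail_len, "removed": removed,
            "left": len(ledger.evidence("ann@example.com", Purpose.FREE_EBOOK))}


if __name__ == "__main__":
    print(demo())
```

The split between `withdraw` and `erase` is the point the post makes about unsubscribe links: an unsubscribe only flips the latest decision to "no", while the audit trail survives, whereas an erasure request removes the person's records entirely. Whether some minimal record must be kept after erasure (for example where a law obliges you to keep it) is a decision for your own legal advice, and the example does not take a position on it.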
- How Do I Protect User Data?
When there is a data security breach involving “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”, then you have to work out if the exposed data of EU people can cause “risk to the rights and freedoms” of any EU based people.
If the exposure means email addresses, or any other personal data, are leaked or used by unauthorised parties, then this must be communicated to a supervising authority within 72 hours. If high risk data is exposed – e.g. credit card numbers or account passwords – then EU based users/customers themselves have to be informed.
Major US companies are already conforming to these new standards. Fines are significant. 2% to 4% of global yearly revenue.
- How Do I Protect Myself?
You must be able to prove that you have consent for any data you hold or to any action you took with regard to a customer or user.
For example, you have to be able to prove that you got permission to send newsletters containing a particular kind of information. You can’t gain permission to send a newsletter about say, blog post updates, and then actually send something very different.
- What Is Personal Data?
- This can be many things but includes names, photos, email addresses, bank details, social media postings, location details, medical information, or a computer IP address.
- How Will GDPR Help My Business?
Use GDPR to your advantage. In the US you can get ahead of lazier competition by showing off how amazing you are at looking after and respecting user and visitor data.
Your customers will appreciate this and will in time – once GDPR becomes well-known – start to prefer those companies that are GDPR compliant. It will become a trust signal. Also it will protect you from any issues that may arise later if you are not compliant.
- What Do I Have To Do To My Current Lists?
Ask yourself the following questions.
- Did your contacts consent to your emails through a checkbox on an opt-in form? Or did they go through a confirmed opt-in process?
- Was this contact consent given for the specific purpose for which you’re using their data? For example, if they only opted into the newsletter, did you also separately get their consent to receive email marketing?
- Have you got precise and secure records of all the opt-ins you have received, including dates?
- The law states that minors under the age of 16 may not give their consent without parental consent — does your list contain the personal data of any minors who would not have been able to properly give consent? I am not sure how you are supposed to know this other than to make users check a box at the time to state they are 16 or over. However we see very few GDPR compliant forms doing this at present.
- What Do I Do Now?
- Find out where all the data you hold on others is and identify who has access and how it is protected. Note that the data could be digitally held or on paper. It doesn’t matter. It’s all data.
- Figure out how much of this data you need to keep and delete anything you do not need. In the future, do not collect data you do not need.
- Make sure it is held securely.
- Make sure all your privacy statements are updated to reflect GDPR. If you are in the UK you can get legal documents from this company.
- Update the design of any lead capture forms on your site to reflect the GDPR and get proper consent.
- Figure out procedures for handling data, so that people can now consent, data can be easily deleted if you’re asked to do so, you can prove that data is actually deleted in all locations in your organisation, a communication plan in the case of a data security incident and that you can ensure the person asking to see their data or asking for their data to be deleted is who they say they are.
- Make sure your site runs under https and has a green padlock in the address bar.
- Appsumo has a deal out right now which will guide your business through the GDPR. You only need to buy it once for your business, even if you have more than one domain. Deals don’t last long on AppSumo so get it here now if you want it.
Are You Collecting This Data?
Review the type of data you collect, if you need to collect or if you need consent.
- Contact form details
- List sign-ups
- Customer records
- Analytics and tracking data
- Are any of your plugins collecting data?
Useful GDPR Resources
- Guide To the GDPR
- 12 Steps To Take Now
- Some examples of GDPR compliant opt-in forms
- More examples of GDPR compliant opt-in forms
- Useful email marketing tips
- For help with making your Google Analytics compliant.
- Advice on getting consent for tracking (Google Analytics/ Clicky Etc)
- WordPress adds some GDPR tools
- Get the GDPR Appsumo deal while it’s still around