Hi, and welcome to another ‘1st of the month’ blog post here on AidanBooth.com!
This month's blog post is an important one, so please read on… first though, the mandatory disclaimer that I have to give:
Please note that this article is for information purposes only and is based on my understanding of GDPR. The tips I’m providing are not intended to be legal advice and in no way represent a comprehensive standard for ensuring the GDPR compliance. I recommend you seek your own legal advice.
Before you do ANYTHING else…
After you register using the button above, we'll send access instructions to your email.
Now let’s dive in to what this is all about…
If you own a website that could potentially get EU visitors (i.e. this basically means ANY website), then you need to read this article from start to finish to ensure you know what GDPR is, and that your website is compliant (failure to do so could result in a catastrophic fine).
The cut-off date for being GDPR compliant is the 25th May 2018 so time is of the essence (if you’re reading this after May 25th, then read faster)!
What is GDPR?
GDPR stands for the ‘General Data Protection Regulation’.
Up until now, EU citizens have had ‘control’ over their data via the ‘1995 Data Protection Directive’, however the 1995 Directive isn’t great in practice, because it leads to different laws in different member states.
The GDPR replaces the existing EU Data Protection Directive, and is a fundamental change to the way organizations must approach data privacy, providing consistency and one regulation across all EU member states which applies to all EU citizens.
Why Should You Care?
The GDPR will become law on May 25th 2018, and will impact anyone who lives in the EU, anyone that has subscribers in the EU, or anyone who collects data from people in the EU (for example, via cookies or IP tracking)… that’s a pretty broad net, and covers almost every half-decent website out there.
Wherever your business is located in the world, the GDPR will apply if you:
- Offer products/services to EU citizens, and/or
- Collect personal information from EU citizens
Hopefully I’ve beaten this to death and made it crystal clear!
Does The GDPR Affect You?
As mentioned above, GDPR affects you if you’re collecting EU citizen data in any way.
Technically speaking, the GDPR affects two groups of people:
- The Data Controller
- The Data Processor
1. The Data Controller
99% of people reading this will fall into the ‘Data Controller’ category.
If you decide how data is used, then you are the Data Controller within your organisation. In other words, if you’ve got a website, and collect email subscribers (for example), and you control how the email addresses are used, then YOU are the Data Controller (and it makes no difference if you are an individual or a business).
If you are the Data Controller (which you probably are!), you must process all personal data from your subscribers according to GDPR law.
2. Data Processor
The other 1% of people reading this will fall into the ‘Data Processor’ bucket.
The data processor is someone (or a business) that uses data on behalf of the Data Controller, for example, Aweber and other email marketing autoresponders are considered Data Processors.
The definitions of both the Data Controller and the Data Processor are laid out in Article 4 of the General Data Protection Regulation, where further definitions are found also.
The GDPR gives your EU subscribers explicit rights; it's a smart idea to know what these are, so you can ensure you're protecting them:
1. Right to be informed
Your subscriber can at any time ask how their personal data is being used and why it is being used.
The answer you give may be as simple as: “The personal data we have is your name and email address. It’s being used by me/my company to send you updates about how to build an online business.”
Not exactly rocket science.
2. Right of access
Your subscriber can at any time request a copy of their personal information.
If you’re collecting data via Aweber (an email list), this is pretty easy to access. You just login to Aweber, find your subscriber, and you’ll be able to see all the information you have on file:
In the image above, I’ve put red boxes around the information we have on file for this particular subscriber, and also how he subscribed (something else you may need to provide if you were ever questioned by authorities).
Again, nothing too complex if you’re using a system like Aweber.
3. Right of rectification
Your subscriber can update their personal data at any time.
This is normally pretty easy for any subscriber to do, for example, in all the emails we send out, we have a ‘Change Subscriber Options’ button at the bottom of each email, it looks like this:
And when someone clicks on the Manage Subscription button, they’re taken to a page that looks like this:
As you can see, the email address on file can be seen, along with the name on file, where I signed up, and the other lists in the same Aweber account that I’m subscribed to. Clicking on the ‘Edit Contact Information’ link allows me to change my name and email address.
Alternatively, a simple email to the website administrator/owner can have data updated at any time. If you want to update data you have with us, just submit a support ticket here, and we’ll do it for you:
Like the first two subscriber rights, this one isn’t overly difficult to understand or manage.
4. Right of erasure
Your subscriber can request that their personal data is erased and any third party involved must cease any further processing of their data.
Pretty simple, give your subscriber a way they can erase their data.
5. Right to object
Your subscriber can unsubscribe from your mailing list at any time.
Also very simple, and for Aweber, it can be done from a link in every email that’s sent out.
So those are the subscriber rights, in a nutshell. Hopefully this is all making sense… read on, we've still got a lot to cover!
What Customer Data Should You Hold?
The GDPR states that you must document what customer data is used for, so what customer data should you bother keeping?
Obviously the answer will vary depending on the business you run, the key is that you can justify why you’re asking for (and keeping) customer data.
For example, if you have your customer's date of birth on record, can you justify why you need that? If not, you probably shouldn't keep it.
Not only that, we also need to document where we got this information from, for example:
- Did we buy the data?
- Did we get the data from a third party?
- Did we get the data via a web form?
- Did we get the data from a mailing?
It's no longer enough to gather as much information as you want, just in case you might need it at a future date. You have to hold data for an explicit reason only, and it needs to be:
- Limited to what we need
For most websites, and certainly for email subscription lists, you’ll need to collect an email address (at bare minimum), and perhaps a name (for personalization so that you can offer a better service).
These will normally be collected via email optin boxes. It’s unlikely that you’ll need much more than this.
Some websites that are linked to local businesses may collect phone number and address information so that other forms of communication are possible, but again, this is pretty standard practice, and something you can explicitly explain to your subscribers at the time you’re collecting the information.
Required GDPR Documentation
To make sure you’re fully protected, it’s critical that you document EVERYTHING for GDPR.
If for any reason the regulatory body or supervisory authority want to talk to you (in the event of a customer complaint that maybe you’ve used their data inappropriately), it’s much more likely that you will be successful defending your actions if you have documented the data you hold, why you hold it, and can demonstrate that you have explicit authority to use it.
I can’t see why this would be an issue for anyone, after all, the Data Processors (Aweber, etc) all do this for you.
The 6 Key Principles of GDPR
The 6 Key Principles are:
1. Data must be processed lawfully, transparently & fairly
In other words, people must know what their data is being used for.
2. Data is collected for specific and explicit purposes
From 25th May 2018, to comply with GDPR we can no longer collect data for the purpose of collecting data in the hope it might be useful at some point in the future.
You must tell people what the data will be used for, this is pretty easy to do on the optin form you’re using to collect the information, here’s an example:
This form pretty clearly explains how the subscriber's information will be used: to deliver "regular information on bushcraft, survival, outdoor life, starting with 20 free videos today".
Pretty simple 🙂
3. Data held must be adequate, relevant and limited to what is needed
I interpret this to mean… you can get enough of your subscribers data, but not too much, only for what you need.
4. Data must be accurate
Since you’re collecting data from the users themselves, I find it hard to see why your data wouldn’t be accurate, or why you’d deliberately make it inaccurate…
5. Data retained only for the time it’s required
Only keep data for the amount of time that you actually need it, not for months and years ahead in the hope you might use it some day.
6. Data must be processed securely and you must be able to prove this
Data must be processed securely using technical or organizational measures, including protection against the following:
- Unauthorized or unlawful processing
- Accidental loss
- Destruction or damage
Privacy And Transparency
You need to be 100% transparent with your customers/subscribers, make sure you have unsubscribe links on your emails, and if they ask to be removed manually from your list, make sure you do it.
Make it easy for your customers to read through your terms and conditions and privacy notices, and take special note of any reluctance your customers show to do this.
Is Your ‘Data Processor’ Compliant?
In most cases, yes, all the main players, such as AWeber, GetResponse, Mailchimp etc., have GDPR plans in place which you can check out on their websites to ensure they are compliant by 25th May 2018.
Should You Use ‘Double Opt-ins’?
There’s no written rule that says you MUST use double opt-ins, but by using them you’ll have an easier job showing that you got consent from your customer to collect their information.
What You Need To Do Today…
Get your business compliant prior to May 25th.
Our software and checklist will guide you through in more detail:
Here are a few things you may need to do:
1. Ask your subscribers to re-opt-in
Unless you can prove you've received consent from your subscriber prior to the GDPR taking effect, it might be a smart idea to ask your subscriber to opt in again.
Here’s an example of how you might do this (you could format an email broadcast to look like the message below):
NOTE: Based on everything I’ve read on this topic, I would ONLY ask for someone to opt-in again if I were uncertain as to whether I had their consent in the first place. And remember, this ONLY applies to EU citizens (not your full list of subscribers).
If you’re unsure if you’ve got consent, then dive into your subscriber data and check to see if you’ve got the following:
- The date your subscriber signed up
- The time your subscriber signed up
- The source of sign up
- A copy of the sign up form used to collect their data
If you haven’t got the above information, then you could send a re-engagement email prior to the 25th May 2018 and request that consent to receive emails is given again.
If you take this path, and get no response from your subscriber by 25th May 2018, you should not email them again, and you must delete not only their email address, but any data you hold on that person.
2. Ask for explicit consent to use personal data
GDPR law states that you need to ask your EU subscribers for explicit consent to use their personal data.
Again, this is only something I’d personally worry about if I was unsure that I had consent in the first place.
Let's say you're unsure if you've got consent. You could address this by sending a re-engagement email to your current subscribers and explicitly asking for consent to use their name and email (or whatever) to communicate with them. This would be worked into the same communication as the re-opt-in, as explained in number 1 above; I wouldn't send out two different emails to address this.
GDPR states that before collecting any personal data, you need to provide the following information to your subscriber:
- Who you are
- Your contact information
- Why and how you are going to use the subscriber's data and the reasons for doing so
- How long you will keep their data
- How the subscriber can erase or change their data
- If you are planning on sharing the subscriber's data with anyone else (i.e., with a third party)
Update your policies
As mentioned earlier, you need to make it easy for subscribers to view your policies by making them easy to find, for example by having a link to them in the footer of your website, email, and perhaps in your sign up forms.
You need to communicate information about processing of personal data that’s:
- In clear plain language
- Easily accessible
- Free of charge
It’s always good practice to keep your policies up to date, so now is the perfect time to do just that.
Here are a few Privacy Policies of big firms who I’ve seen proactively address GDPR:
To check these out for yourself, browse around your favorite websites and hunt for the ‘Privacy’ link.
Revisit your cookie statement
Cookies are classed as ‘personal’ data under the GDPR as they can identify an individual via their device, therefore it’s time to check your cookie statement.
The following cookie statement is no longer sufficient: "By using this site, you accept cookies". You need affirmative action from the subscriber, such as clicking an opt-in box, or clicking a preference or setting to confirm consent. Simply visiting a website no longer counts as consent.
Here are a couple of examples:
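As an added sketch of my own (not code from the post or from any of the tools mentioned), here is the cookie-consent rule and the "evidence of consent" list from the re-opt-in section turned into code: non-essential cookies are refused until an affirmative action is recorded, and the consent record keeps the date, time, source and form version you'd want to produce if ever asked. All names are hypothetical, and a Map stands in for the browser's cookie store.

```javascript
// Constructed example: consent gating plus a consent record.
// Hypothetical names; a Map stands in for document.cookie.
const ESSENTIAL = new Set(["session"]); // strictly necessary cookies only

function createConsentManager(clock = () => new Date()) {
  const jar = new Map();   // cookies actually set
  let record = null;       // evidence of consent, or null if none

  return {
    // Call this ONLY from an affirmative action (button click, checkbox).
    // "Continuing to browse" is not an action and must never reach here.
    recordConsent({ action, source, formVersion }) {
      if (action !== "click" && action !== "checkbox") {
        throw new Error("consent requires an affirmative action");
      }
      const at = clock().toISOString();
      record = {
        date: at.slice(0, 10),   // the date the subscriber consented
        time: at.slice(11, 19),  // the time they consented
        source,                  // where: which page / banner / form
        formVersion,             // which wording of the form they saw
      };
      return record;
    },
    // Returns false (and sets nothing) for non-essential cookies
    // while there is no consent on record.
    setCookie(name, value) {
      if (!ESSENTIAL.has(name) && record === null) return false;
      jar.set(name, value);
      return true;
    },
    // Right to object / withdraw: drop the record and every
    // non-essential cookie, keep only what the site needs to work.
    withdrawConsent() {
      record = null;
      for (const name of jar.keys()) {
        if (!ESSENTIAL.has(name)) jar.delete(name);
      }
    },
    hasCookie: (name) => jar.has(name),
    consentRecord: () => record,
  };
}

// Usage: analytics cookie refused, then allowed after a real click.
const demo = createConsentManager();
demo.setCookie("analytics", "1");   // refused: nothing on record yet
demo.recordConsent({ action: "click", source: "home banner", formVersion: "2018-05" });
demo.setCookie("analytics", "1");   // now allowed
```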
A €10,000,000 Fine (or more)
At the time of writing this article, €10,000,000 is equivalent to $12.27 million.
Those found to be in breach of the GDPR, could face fines up to 10 Million Euros, or 2% of their global turnover (whichever is higher).
Needless to say, a fine like this should make being compliant a no-brainer 🙂
If you wish to dive into this rabbit hole yourself and learn more about the GDPR, visit: https://www.eugdpr.org/
To sign off, let me leave you with this final thought:
Legal stuff like this bores me to death, but it’s a small price to pay for the ultimate freedom that running an online business can give you… so battle through it, it’s not that terrible.
And before you go, don’t forget to register for free access to our GDPR software and checklist: