GDPR for Non-EU Based Bloggers: The Definitive Guide (free Ebook)

You have likely heard of GDPR and the looming May 25, 2018 “deadline.” The General Data Protection Regulation, otherwise known as the GDPR, applies to most websites, and failing to comply could mean facing some serious financial consequences.

But what all do you need to do to comply?

To comply with the GDPR you need to do more than update your email forms: you need to be able to prove consent for the information you collect and provide your audience with the ability to access their personally identifiable information. (Don’t worry, I’ll explain what I mean by “information you collect” and “personally identifiable information” in a sec.)

In this ebook, I walk you through what you need to know about the GDPR and how it affects your website as well as the action steps you should likely take to ensure you are complying.

Keep in mind: This ebook is for informational purposes only and does not constitute legal advice or form an attorney-client relationship between you and me. I am not liable for any losses or damages related to actions or failure to act related to the content in this website. If you need specific legal advice, consult with an attorney who specializes in your subject matter and jurisdiction.

12 thoughts on “GDPR for Non-EU Based Bloggers: The Definitive Guide (free Ebook)”

  1. Hi Liz,

    Love your guide. I’d like to add a couple of comments which I don’t think I explicitly heard or read. I’m not a lawyer either and this is just my personal opinion:
    1. A fine is the end of the road, not the beginning. Action for most breaches flows from a complaint. If you look at the ICO website for instance (the ICO being the organisation in the UK responsible for enforcing GDPR), someone with a complaint will need to first try to resolve it directly with the organisation responsible. As I understand it, the ICO will only deal with complaints once this has been exhausted. (If you notice you’ve been hacked or your customers’ data ends up in the wrong hands some other way, this is when you clearly need to take action yourself immediately).
    2. The decision on how to protect your assets is about more than GDPR. Liability could come from other sources.
    3. If you clearly are not marketing to EU customers and you are not in the EU yourself, then the provisions of GDPR with respect to sales and marketing (i.e. the mailing list parts) might not apply to you. However, you still have to be able to defend your position on this, so you need to do some research if you feel it might be relevant.

    I’m in the EU, and I’m finding that, on the whole, this is proving to be a very good way of sorting out those who see changes in the business climate as opportunities from those who just see it as an extra burden on them. I’m making notes!

    • Hi KN,

      I actually am a lawyer, so I did do some hefty research for this guide, but I don’t really practice any more.

      1. Yes! It’s not zero to 100 in a snap, and even if you get to the point of being fined there is a proportionality part to it, so if you’re a small business and assuming you made some effort to comply, the fine will reflect that. I could only see a small business facing a huge fine as a symbolic gesture if they were grossly negligent.
      2. Yes, but I know some people that decide against incorporating in some form because of cost; GDPR is just one more reason to do it so that personal assets are protected.
      3. If people from the EU end up on your site and email list, then GDPR is applied to you; those based in the EU have the right to their personal data no matter where it is being processed. I don’t market to the EU but I still had about 1% of my list from the EU. Though I hope my guide helps people figure out what course of action is right for them.

      I think GDPR is a good thing for business and those that don’t see it that way are likely doing something a tiny bit shady. As a consumer, I would love for the US to pass something similar, though some states already have some great data protection laws.

  2. Oh gosh, I’m REALLY sorry I made an assumption about your experience! I should have been much more careful about that.

    With regard to point 3 – I had read about recital 23 and commentaries on it and I was just going to go into it, but it would be a deep rabbit hole because fundamentally yes, the rights of people in the EU are still covered and, even if the exception suggested in recital 23 holds (which only applies to marketing activities and probably not, for example, monitoring), then it’s probably risky to rely on it in practice.

    I definitely agree it’s a good thing and also that some other jurisdictions have some sound laws.

  3. Thank you so much for this, Elizabeth!! I definitely have a lot to do, but this helped me understand it finally. I really appreciate how much time and research you put into this!

    Regarding consent from emails – if I say, “Subscribe to my email list, you’ll score bonus content and freebies!” And then have a subscribe button, that should be compliant because they understand they are signing up for the service of newsletters? If I decide down the road to advertise, then I need a checkbox for consent for that with the subscribe button? I was still a little confused on how to get consent for advertising (I think because I haven’t gotten into that).

    Thanks again!
    Caitlin

  4. Thank you so much! This was the best post regarding GDPR that I have found. You did an amazing job communicating this complicated situation and making it simple for us! You’re awesome!

  5. Thanks for a helpful guide!

    “If you use wordpress, it’s a matter of deciding which plugin is best, when evaluating plugins make sure you stick to ones that are GDPR compliant.” In order to be GDPR compliant, does the banner just have to notify people, or does it need to prevent people from accessing the site unless they agree? And do you need checkboxes for different tiers of cookies? I’m finding the cookie plugins to be very confusing.

    • Ideally, you want one with checkboxes for different tiers of cookies, but at the very least you want one that notifies people and that they must do something to get rid of, for example, exit out of it or say okay. You don’t want one that disappears without them taking some kind of action.

  6. Thanks for this great guide! It helps to clear a lot of things up.
    I’m still confused about two things though:
    1) Cookies. If I use one of those cookie consent banners, how do I find out exactly what information each cookie is collecting? Is this written down somewhere? And then how do I find and enter the script into the cookie banner plugin so that people can opt out? I have literally no idea where I would find this code…
    2) ConvertKit opt-ins. If I change my wording to something like “subscribe to my newsletter and get your freebie,” how then would I provide them the option of getting the freebie without them opting in to the newsletter? The “confirm subscription” button in ConvertKit is the only thing in the email that allows someone to download the freebie, if I remember correctly – and if I’m understanding this correctly, you need to provide both options (subscribe and get freebie, and get the freebie without subscribing).

    • 1) Most plugins have information about GDPR so you can look at them individually. 2) You’d likely want to phrase your offering to be more like: subscribers get access to freebies like x, subscribe now. If you worded it this way you wouldn’t have to give the freebie away if they don’t subscribe.

