The GDPR. Ugh. Have references to it been filling your inbox over the past few weeks like they have mine?
If you have no idea what I’m talking about or have ignored the whole thing, if you’ve got a website and you collect information from visitors (like emails) you’ve got to pay attention…for a minute to see if it applies to you. It might (and probably does). Let me share a bit.
The GDPR, or General Data Protection Regulation, is a new law that the European Union (EU) has put in place to protect the data and privacy of its citizens.
This is great (we could all use a little more protection and privacy, right?). The challenge is that the law applies to anyone who does business with or collects any emails or names of residents of the EU.
So, even if you’ve never stepped foot in Europe, if anyone on your business email list lives there, the law applies to YOU, my friend.
This week, I’ve watched hours of videos, listened to podcasts, read blogs and articles, and even taken a little course on the GDPR to see how it will impact not only my website but also my clients. This post is a re-cap of the basic steps you need to take to get compliant.
Disclaimer (cuz, you know, I’ve been immersed in legal stuff all week): I am NOT a lawyer or an expert in this. I am merely sharing what I’ve learned about the basic steps you’ll need to take to get compliant. I encourage you to consult with a lawyer to know exactly what to do with your business. This post should NOT be considered legal advice. At the end of this email, I’ll include several links to actual attorneys for you to delve a little deeper.
Step #1 – Does this law apply to you?
To know if you even need to pay attention to the GDPR, you have to look at your email list and check the locations/IP addresses of all of your subscribers. (MailerLite will have this information available on May 14.)
If you’ve got subscribers in either unknown locations OR in the EU, you MUST comply with the GDPR. Why? Because you’re collecting their data, even if it’s only their name and email.
If the data on your email list shows that you only serve those living outside of the EU, then get up and do a little happy dance right now and stop reading – the law doesn’t apply to you.
This is most likely for locally based organizations and businesses.
Okay… you’ve realized the law applies to you. What next?
Compliance, baby.
Step #2 – All EU subscribers MUST re-opt in to your list.
You’ll need to send an email to all EU peeps that asks for their specific and unambiguous consent to remain on your email list and receive your newsletter and/or special offers.
It’s actually a good idea to clean out your list occasionally anyway and make sure that all of your subscribers are engaged and interested in what you’re saying.
If EU citizens don’t re-opt in to your list, you must completely remove ALL OF THEIR DATA by May 24.
Step #3 – Update all email opt-in forms on your website to be compliant
Sad news… someone filling in their name and email to get your awesome freebie no longer gives you the right to automatically send them your email newsletter.
What?!? Yeah, really.
EU residents must give specific and unambiguous consent to be added to your list. If they request a freebie, that’s what they’re giving consent for, NOT necessarily to receive your newsletter or your sales offers.
Thankfully, most email providers are updating their forms to add the necessary GDPR compliant wording. Which means you’ll need to update EVERY form on your site to make sure it’s compliant.
You’ll then need to segment your list as people opt in to it. You can treat your current non-EU subscribers exactly the same as you treat them now. But your EU subs can only receive the information they opted in to. So, if they wanted the freebie and that’s it, then you can’t sneak them a newsletter. Or they might only want your newsletter but not any emails on your sales offers. You’ve got to segment them properly.
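As an added example (not code from this post, and not MailerLite’s or any other provider’s code), here is a small Python model of the segmentation described in Steps 1 through 3: classify each subscriber by location, flag EU and unknown-location subscribers who have not answered the re-opt-in email, and only send each kind of email (freebie, newsletter, offers) to people who explicitly opted in to it. The subscriber records, email addresses and category names below are constructed for illustration; the country list is the EU membership as of May 2018 and is an assumption you should maintain yourself.

```python
"""Consent-scoped segmentation of an email list (added example, not from the post).

Three questions from the post are modelled:
  * Step #1: where does each subscriber live (EU / non-EU / unknown)?
  * Step #2: has each EU or unknown-location subscriber re-confirmed consent?
  * Step #3: which email categories did each person actually opt in to?
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Assumption: EU member states as of May 2018 (ISO 3166-1 alpha-2). Maintain this
# list yourself; many businesses also treat the EEA countries the same way.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "GB",
}

# The kinds of email the post distinguishes; a subscriber consents to each separately.
CATEGORIES = {"freebie", "newsletter", "offers"}


@dataclass
class Subscriber:
    email: str
    # Country code from the signup form or IP geolocation; None when unknown.
    country: Optional[str]
    # Categories the person explicitly ticked on a compliant opt-in form.
    consents: Set[str] = field(default_factory=set)
    # True once they answered the re-opt-in email from Step #2.
    reconfirmed: bool = False


def region(sub: Subscriber) -> str:
    """Classify a subscriber as 'eu', 'non_eu' or 'unknown' (Step #1)."""
    if not sub.country:
        return "unknown"
    return "eu" if sub.country.upper() in EU_COUNTRIES else "non_eu"


def needs_reconfirmation(sub: Subscriber) -> bool:
    """EU and unknown-location subscribers must re-opt in before anything else is sent."""
    return region(sub) in {"eu", "unknown"} and not sub.reconfirmed


def recipients(subs: List[Subscriber], category: str) -> List[str]:
    """Return the addresses allowed to receive one email of the given category (Step #3)."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown email category: {category!r}")
    allowed = []
    for sub in subs:
        if region(sub) == "non_eu":
            # The post says existing non-EU subscribers can be treated as before.
            # Honouring recorded consents for everyone is the simpler, safer design.
            allowed.append(sub.email)
        elif sub.reconfirmed and category in sub.consents:
            allowed.append(sub.email)
    return allowed


def to_delete(subs: List[Subscriber], deadline_passed: bool) -> List[str]:
    """After the re-opt-in deadline, subscribers who never answered must have all data removed (Step #2)."""
    if not deadline_passed:
        return []
    return [sub.email for sub in subs if needs_reconfirmation(sub)]


# Constructed sample data for illustration only.
SAMPLE_SUBSCRIBERS = [
    Subscriber("alice@example.com", "DE", {"freebie"}, reconfirmed=True),
    Subscriber("bob@example.com", "FR", {"newsletter", "offers"}, reconfirmed=False),
    Subscriber("carol@example.com", "US"),
    Subscriber("dave@example.com", None, {"newsletter"}, reconfirmed=True),
]


if __name__ == "__main__":
    for cat in sorted(CATEGORIES):
        print(f"{cat:10s} -> {recipients(SAMPLE_SUBSCRIBERS, cat)}")
    print("awaiting re-opt-in:", [s.email for s in SAMPLE_SUBSCRIBERS if needs_reconfirmation(s)])
    print("delete after deadline:", to_delete(SAMPLE_SUBSCRIBERS, deadline_passed=True))
```

Running the script shows alice receiving only the freebie follow-up, dave only the newsletter, carol everything, and bob nothing until he re-confirms; once the deadline passes, bob is the one record flagged for deletion. The point of keeping consent per category rather than as a single yes/no flag is that the "freebie only" and "newsletter but no offers" cases the post describes fall out of the same filter without special-casing.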
Step #4 – Update the Privacy Policy on your website to include GDPR Compliant Language
Your website should already have a Privacy Policy on it, but you’ll need to add some details to make it GDPR compliant. Both of the attorneys listed below have compliant policies available for purchase. You’ll need to talk to an attorney for specific details on what to include.
Once it’s updated, you have to tell your email list about your new policy and invite them to review it.
Finally, you must include a link to your new updated Privacy Policy on your opt-in boxes and on every page of your website (generally in the footer).
Step #5 – Make sure your WordPress Website is SECURE
It’s up to you to make sure that any data you do collect through your website is totally safe and secure. Make sure that you’re updating your site regularly and removing out-of-date themes and plugins.
You also need to have an SSL certificate, regular vulnerability/security checks, hosting security, strong passwords, and regular malware scans.
Resources
Whoa… there’s a ton of information out there on the GDPR. Here are the resources that I found the most helpful. (Wikipedia, in this case, was NOT helpful, so don’t start there.)
1) MailerLite (my fav email provider) has a great introductory article that also applies the law to email marketing.
2) For a deep dive into the law itself, the terms, the definitions, and how it applies, watch this video. It’s 2.5 hours, but you’ll totally understand the law after listening to attorney Suzanne Dibble break it DOWN.
3) She’s also got a checklist that you can download. The checklist is super thorough, but you really need to watch the video to understand the checklist.
4) If you’d prefer to listen to your GDPR info, Amy Porterfield interviewed an American attorney, Bobby Klinck, on her podcast. He spelled out what the GDPR means for non-EU citizens and how it applies to those of us who have only a small portion of our clients or email subscribers from the EU.
5) Bobby Klinck also has a quick, free course that explains how to put this all in place. The email section is especially helpful. Bobby Klinck has a GDPR compliant Privacy Policy template for sale as well as a whole membership site full of legal templates that he keeps updated.
So, there you have it. The GDPR in a nutshell. While updating your opt-in forms, email subscribers, and privacy policy is a bit of a pain, it’s actually GOOD. We definitely need data protection.
If you’re feeling overwhelmed, take it one step at a time. First, figure out if you need to do anything at all, and go from there.
xo,
Amy
Disclaimer: Some of the links in this post are affiliate links which means that if you purchase any of the products or services using this link, I’ll earn a small commission. I use affiliate links as Entwine is my biz and as such it’s a for-profit endeavor! I encourage you to look into affiliate income as well to help offset some of the costs of building your business.