This post has been a long time coming but because I was in the midst of dealing with my clients’ General Data Protection Regulation (or GDPR) issues (and my own), I wasn’t ready to add to the conversation. Now those of us in the digital space are becoming more comfortable with GDPR and after spending months on my own learning everything I could, I can comfortably discuss it.
GDPR is Important
By now you should know what GDPR is. You may not yet understand why you need to know this, but at the very least, you need to know what it is.
From Wikipedia:
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Of course there’s a lot more to it than that one statement.
In layman’s terms, this means that any company, LLC, or otherwise, no matter where it’s located, that does business with anyone in the EEA and collects personal information about its customers (and let’s face it, in the digital age, there is almost NO BUSINESS that doesn’t collect some kind of personal information) must have safeguards in place on its website to protect a visitor’s or customer’s personal information.
What Does that Really Mean?
So let’s clear up exactly what GDPR means with some simple Q & A.
- Does your business have a website?
- Do you use Google Analytics or other traffic services to track where your website visitors come from?
- Is there a newsletter or a sign up form on your website for people to “stay up to date” with your business?
- Are you an affiliate for other companies or do you run ads on your website?
- Do you sell products or services on your website? (A product could even be a digital product like a printable or ebook)
If you answered YES to any of these, you need to be concerned about GDPR. Forbes has two great GDPR articles that I think really dig into what GDPR means.
Why GDPR Affects Your Business
Unless you can guarantee without any doubt that you’ve never had an EU citizen visit your website, sign up for your email list, or buy a product (digital or otherwise) from your website, you need to take action to protect their personal data.
I know that I’ve had visitors from the EU to this website because Google Analytics tells me. It doesn’t tell me their name, but it tells me their location, their IP address, and the pages they visited.
As a professional copywriter, I have had clients from the EU. Though I don’t directly sell my services here (as in, there is no shopping cart aspect to this website), a potential client can contact me.
So you see, because I know where my visitors come from, and because my contact form does collect personal information when a person fills it out (oh yes, it does keep personal information – even if I don’t personally keep the info, the tool I use does), I need to comply with the GDPR.
What You Need to Do Now
At the very least, update your privacy policy. If you don’t have one, get one. Anyone who reads your privacy policy needs to understand what it says. This means you should probably forgo the lawyer-speak and write it yourself. Use layman’s terms because no one talks like an attorney. (Unless your visitors ARE ATTORNEYS, and then by all means, use lawyer-speak.)
If you’re using analytics services (such as Google Analytics), then you need to include a cookie policy along with the privacy policy and you need to notify visitors upon arrival to your website that your site does use cookies. If you think about it, you’ve probably already seen this on many of the sites you’ve visited recently. That’s because everyone is still scrambling to be in compliance with GDPR.
If you have an email list or a membership site (any site that allows you to make an account, regardless of whether or not it’s free or paid), you need to send out an email with the notice about your privacy and cookie policy.
(Watch this video because I love how these guys explain cookies.)
For those of you with email lists, you must make sure that your email service provider is complying with GDPR as well. Most services like Mailchimp, ConvertKit, Constant Contact, and AWeber have already complied, but it’s on you to check that out. In some cases, you may need to send out an email asking your subscribers to opt in again to receive emails.
A Special Note about Email Lists
When you send out privacy policy notices, your email should have a place for people to unsubscribe. A privacy policy notice is still an email to your subscribers and they should have the option to opt out.
I feel so strongly about that last part because I’ve received hundreds of emails in the last three months as GDPR has been rolling out. And I didn’t realize I was still subscribed to so many of them. Sadly only a handful have had the unsubscribe option at the bottom of the email which is why I’m mentioning it.
Maybe you haven’t sent an email in six months or the email list was only for a giveaway or a one-time event. It doesn’t matter. If you’ve collected any personal information to have that email list, YOU NEED TO ALWAYS ALLOW A WAY FOR PEOPLE TO LEAVE YOUR LIST.
What are the Ramifications of not Complying with GDPR?
In some cases, the ramifications can be serious.
It’s probably not a coincidence that both Google and Facebook were sued by the EU almost immediately after the regulation went into effect. Of course that’s purely speculation on my part, but when you think about it, someone had to have that lawsuit drafted weeks ahead and was just itching to send it when May 25th came.
Otherwise the consequences for not complying vary. You could be subject to penalties up to $23 Million (that’s US dollars, FYI). However, the EU has stated that the GDPR isn’t about fining businesses, it’s about protecting people, so there is somewhat of a DEFCON level of criteria that needs to be met before a business gets to the $23 Million penalty. The penalties will vary in seriousness according to the criteria the EU deems to be sufficient.
Some of the criteria include:
- Intention – Did you just NOT know or did you mean to ignore it?
- How users were affected – How many people have been hurt, scammed, or had their personal info used or stolen?
- Damage Control – What are you doing to mitigate the damages?
- Prevention – What steps had you taken to prevent misuse of personal data or non-compliance?
- History – Is this the first time the EU has contacted you about non-compliance?
Of course there are other criteria, and I encourage you to seek out that information. If anything, knowing what the criteria are can help you make sure you are compliant.
Final Thoughts on GDPR
I think it’s possible that GDPR won’t apply to every single business or website on the internet. However, I do think the ones that should pay the most attention include any kind of business that has a membership or rewards club for their customers or visitors and those in the travel or hospitality industry. Think visitors bureaus, hotels, B&Bs, etc.
I am willing to go so far as to suggest that travel destinations need to have privacy policy and cookie policy notices, as I think they are one of the industries that stand to lose the most if they are in non-compliance.
To the best of my ability I’ve updated my policies here and utilized what I hope to be a GDPR-compliant plugin for cookie notices.
Again, we’re all still learning about this so if you have something to add or think I need to know more, please comment and tell me!