The lowdown on GDPR compliance for entrepreneurs
Disclaimer: I’m absolutely not a lawyer, and this is not legal advice. I’m sorting this new law out myself and relaying the information I find to you guys. As with everything in life, do your own due diligence and research.
If the initials GDPR are seared into your brain this week, you’re probably an online entrepreneur. If they aren’t, and you are, you should probably get to Googling.
In short, the General Data Protection Regulation (GDPR) is a new law regulating how the personal data of people in the European Union (EU) is collected, processed, used, and stored. It goes into effect May 25th, 2018. You can read the whole thing here: ICO GDPR Guidelines
The first question I see most people asking is “Does this affect my business?”, followed by “What do I actually DO about it?”. These were my first questions too, so I took it upon myself to do some research and find out the answers, for both of us.
Keep in mind that this law is brand new, and from what I can tell the exact implementation is still a bit muddy, especially for small businesses and entrepreneurs. There do seem to be a few steps most people are advising we take right now though.
The GDPR Basics
Under this new law, you must have a lawful basis for collecting and using personal data from anyone in the EU. For marketing email that basis is almost always consent, and consent has to be freely given, specific, informed, and unambiguous: a clear affirmative action like ticking an unticked box, not a pre-ticked box, silence, or inactivity. You also must explain in simple language exactly what data you’re collecting, what you’ll use it for, how people can withdraw, and what they are getting in exchange.
In practice this means we can no longer quietly add someone’s email address to a regular marketing list like a newsletter as the price of a free opt-in. Consent that is bundled with something unrelated isn’t considered freely given, so the newsletter either has to be clearly what they’re signing up for, or a separate, unticked choice alongside the freebie.
This is an issue for a lot of people, and I tend to agree. While I think data protections have become necessary, I believe exchanging a freebie for an email address should be the choice of the business owner as long as they are clear on what they’ll be using the email for.
I guess the problem comes when people are unclear and you suddenly find yourself the recipient of way too many black market viagra ads though...
Does it Actually Affect You?
The loophole here at first glance is obviously that this law only applies to data collected from people in the EU. (Note that it’s about people who are in the EU, not EU citizenship as such: an EU citizen living in the US isn’t covered by this rule, while a US citizen living in Berlin is.)
So if you are absolutely certain that you won’t be accepting the email address or personal data of an EU citizen then I suppose you could consider yourself off the hook.
I personally feel like that’s setting you up for potential issues in the future, because anyone, from anywhere, can sign up on your email list or potentially purchase from you. Also, I love having clients from other parts of the world, it just makes life more interesting.
What Am I Doing About It?
So what actionable steps can you take to make sure you’re covering your bases here?
I personally have a couple of lovely clients in the EU as well as a few email list subscribers, so I want to make sure I'm doing what I can to protect their data and abide by the law.
To be clear, I’m absolutely not a lawyer, and this is definitely not legal advice. This is just what I'm personally doing in my business, with my understanding of the law.
With that said, here are the steps I’m taking myself to make sure I’m in compliance. Hopefully they give you some clarity and a few actionable steps you can take yourself!
Adding a cookie banner to my website
Adding GDPR checkboxes to my MailChimp signup forms
Again, software made my life easier here. MailChimp has given us the option to add GDPR notices and check boxes to our signup forms, as I’m sure other services like LeadPages and ConvertKit have too.
Squarespace hasn’t made their forms compliant (yet), so for now I’ll be switching my Squarespace Newsletter and Form blocks over to the MailChimp signup forms that have the compliance built-in.
To learn more about the GDPR tools MailChimp is providing check out this post on their blog: https://blog.mailchimp.com/gdpr-forms-and-more-tools
Changing the language around what I’m providing in exchange for an email address
Because a freebie can no longer be used as the price of adding someone to your marketing list without clear, separate consent, I’ll be changing the language around my opt-in. I’m still deciding the approach I want to take here... the two options I can see right now are:
Allowing the newsletter itself to be the offer with my free resources as a bonus. This is the direction I’m currently leaning, and have seen other people lean as well. I have several lead magnets that are valuable resources, like the Brand Confident challenge. I may even bundle those together into a free resource library and offer that as a bonus for my newsletter subscribers (as opposed to that being the reason they sign up).
Continuing to offer a freebie, but not automatically adding them to my mailing list. Instead I would send an email at the end of my branding challenge email series giving them the option to subscribe to my primary list. This option has the advantage of time to build a relationship with someone before asking for their commitment to your email list, especially if you offer something like a two week challenge. This gives you a chance to prove the value you can provide.
I’m still not sure which route I’ll go, but I’m moving towards offering several free resources as bonuses for signing up for the newsletter. This feels more authentic to me, and I can be crystal clear about what’s involved in the transaction. I also already use double opt-in on my newsletter, which makes me feel a bit better about that anyway.
Making sure no one is added to my list in a non-explicit way
I’ll be checking my shopping carts on my website, Creative Market, and Etsy shops to make sure I’m not automatically adding anyone to my email list on checkout, unless they receive a double opt-in confirmation. I also have a Zapier integration that adds someone to my mailing list once they’ve purchased a service from me; I’ll be changing that as well. Other integrations you might check would be your invoicing or client management software.
Making sure I have a DPA from all third party processors
According to the GDPR, if you use third-party services like PayPal, 17Hats, Stripe, Squarespace and others to process personal data of people in the EU on your behalf, you must have a written DPA or Data Processing Agreement in place with that processor (an agreement accepted electronically counts as written). Note that not every service is a processor: some providers, payment companies in particular, state in their terms that they act as an independent controller for part of the data, so check what each provider says about its role before assuming a DPA is all you need.
This doesn’t seem to be something most processors are offering automatically yet. The articles I’ve found indicate you have to contact places like Stripe directly and ask for a DPA yourself. MailChimp allows you to sign a DPA online, and Google Analytics requires you to accept their DPA in your Analytics Account settings.
So far this sounds like the most time-consuming part of the process, but maybe I’ll be pleasantly surprised.
Deciding whether to obtain new consent from my list
This part seems to still be mostly up for debate. Should you, or shouldn’t you, email your entire list and ask for updated consent to continue emailing them? The perceived risk is that you lose a large portion of your list, but at the same time why would you want to market to people who don’t really want to hear from you?
Note that if you aren’t based in the EU, or don’t have anyone from the EU on your list currently, this may not be an issue for you. But also keep in mind that with Gmail and other cloud-based email services you have little way of knowing where the people on your list are actually from.
I’m considering sending out a reconfirmation email, and perhaps even asking my list to select what they most want to hear from me as well, but I haven’t fully made that decision yet. The reason I may decide not to is that I’ve always had double opt-in activated on my sign-up forms, so from what I understand anyone who is currently on my list has already given me explicit consent and should be considered compliant under GDPR.
Again, I’m not a lawyer by any means, so take this post with a grain of salt and a lot of Googling. But these are the steps I’m taking over here to make sure I’m respecting the law and the data of anyone who trusts me enough to share their email with me.
There are some great articles out there about this right now, but I found that it can be a rabbit hole of confusion with no one completely sure on the right next step. Definitely do your own research and be diligent, but know that the key may be to take these small actionable steps now so that we’re compliant and tweak as we know more.