You may have heard rumblings about some big changes coming to the way we do marketing…a little something called GDPR.

But if you’re like many business owners, you may only have a vague idea of what the GDPR is and what it means for your business.

I’m going to demystify the GDPR “law” for you, by telling you exactly what it is, and how you can make sure you’re in compliance with it.

Don’t think this new law applies to you? Think again! If you have even ONE European resident as a customer or email subscriber, it most certainly applies to you…and failing to comply could cost you BIG TIME!

What is the GDPR?

GDPR stands for The General Data Protection Regulation.

Approved by the EU Parliament in 2016, it’s a privacy regulation meant to provide better protection for the personal information of EU residents.

All businesses – worldwide – are expected to be GDPR compliant by May 25, 2018.

Simply put, the goal behind the GDPR is to ensure that companies collect and store personal information in a way that provides the utmost protection for individuals.

This “personal information” can include a number of different types of data including:

• Email addresses
• Names
• Photos
• Bank info
• Social media posts
• Medical information
• Computer IP addresses

In light of the recent Cambridge Analytica/Facebook scandal, I’m sure you can understand the importance of protecting this type of information!

So, why should this concern you…especially if you don’t even live in the EU?

Well, as already mentioned, if you hold the personal data of even ONE EU resident, you need to comply with the GDPR.

And even though this regulation doesn’t come into effect until May 25, it applies retroactively – meaning it also applies to anyone from the EU who joined your list in the past (and who is still on your list).

Thinking of just ignoring these new regulations?

Not a good idea!

The consequences for not being compliant aren’t exactly nominal: with fines of up to €20 million for more serious offenses, and 2% of annual global turnover (sales) for offenses like not having your records in order or not notifying the authorities of a breach, this is nothing to sneeze at!

How to make sure you’re GDPR compliant

These impending changes will apply largely to the way you do email marketing.

Since this is the primary way businesses communicate with customers and ask for personal information, this only makes sense.

For that reason, this section will look at the main ways to ensure you’re collecting, storing and protecting your email subscribers’ information.

*Please keep in mind that I’m definitely NOT a lawyer or data protection expert, and this blog post should not be taken as legal advice! If you have any questions or concerns about how to comply with the GDPR, please consult a local expert.

1. Make it VERY clear what people are signing up for

One of the biggest concepts of the GDPR is consent – do your subscribers really know what they’re signing up for?

When asking for an email address, be extremely clear about asking for consent – not just consent to send them a free guide, ebook, etc. but also consent to continue emailing them in future.

It’s also no longer okay to simply include a pre-checked box – you know the kind that requires the person to UNCHECK it in order NOT to be sent emails?

Instead, your subscribers will need to consciously, clearly and intentionally request to join your list and receive emails from you.

You’ll also need to get permission if you want to send different TYPES of email to your subscribers; for instance, if a customer has given you their email address so you can contact them about product recalls, you can’t turn around and suddenly start sending them promotional emails!

Action item: On your email opt-in forms, include wording that makes it clear what people are signing up for. If you’re offering a free product in exchange for the email, include a (NOT pre-checked) checkbox asking if they would also like to receive regular marketing emails from your company. It’s no longer enough to simply use wording like, “By entering your email you agree to receive my guide and regular emails”.

2. Don’t ask for more info than you need

As a business owner or marketer, it can be tempting to ask for a wide variety of information in order to improve your marketing efforts.

However, the GDPR stipulates that businesses should only ask for the info they actually need.

In other words, if you’re in the personal finance business and are asking people for their favorite movie or their dog’s name, you’re probably asking for too much info!

Action item: Review the fields you currently include on your opt-in forms and ask yourself if they’re all really necessary. If you can’t easily justify why you ask for a specific piece of info, it’s probably best not to ask for it at all.

3. Make it easy for your subscribers to change or delete their info

One of the elements of the GDPR is the “right to be forgotten”. This means your subscribers should easily be able to withdraw their consent or stop having their personal information used.

Once they unsubscribe, it’s also important that their info is removed from any third party vendors you use (e.g., Stripe), OR, that you clearly state that you’re not responsible for what happens after people leave your site in your privacy policy.

Action item: Make sure your emails include a clear and working “Unsubscribe” and “Edit your preferences” link or button. Fortunately, most email marketing services already require this and include them by default in their templates. Add a clause to your privacy policy stating that you’re not responsible for what happens after people leave your site.

4. Never, ever, ever email people who have unsubscribed from your list!

While this may seem like common sense, some companies have used what they thought was a loop hole to continue connecting with those who have unsubscribed – by emailing them and asking them if they would like to receive future emails.

This is a HUGE no-no – not just in terms of the GDPR but in terms of respecting your subscribers’ wishes!

Action item: If someone has opted out of your list, do not, for any reason, email them again (unless of course they explicitly ask to re-join your list at some point). Make sure to also DELETE those people from your list…as some email providers (e.g., AWeber) will only move those emails to a separate unsubscribed list.

5. Use a double opt-in process when collecting emails

This has always been considered a best practice, but in light of the GDPR it’s probably best to now consider it a must-have.

When someone signs up for your list, most email marketing services give you two options: going through a single opt-in or double opt-in process.

The single opt-in means that the person enters their email, and that’s that – they’re now signed up to receive future mailings.

The double opt-in, on the other hand, means that after entering their email, they also need to click a confirmation link in an email to confirm they want to receive your emails.

Action item: Go to the settings in your email marketing software and make sure you’ve selected the double opt-in process.

6. Keep records of people’s consent

If you’re using a double opt-in process to collect emails, this is a great start.

But what if you occasionally collect emails at live events, conferences or tradeshows?

Simple: just make sure you keep the original records where people ask to be added to your email list!

Another element of keeping compliant records will be to keep a record of how each person on your list signed up (a data flow map).

Basically, you just need to be able to prove how each person on your list got onto your list!

Action item: If you’re adding new subscribers manually for any reason, keep a spreadsheet or flowchart showing exactly how they opted in to your list. If you’re collecting emails at a live event, make sure to have and keep a document where your subscribers have physically signed up to be added to your list.

7. Include a clear link to your privacy policy or terms of use

When people opt in to your list, there should be an obvious link to your privacy policy or terms of use that they can click for more info.

Basically this page should explain how you plan to use their personal data, how you plan to protect that data, who will be able to view that data, etc.

You should also know how your vendors or service providers (e.g., Stripe, PayPal) are using that data…OR ELSE include a disclaimer that you aren’t responsible for what happens when people leave your site.

Finally, your privacy policy should clearly explain who you are, why you have the right to use their data (because they opted in), and that people have the right to complain to the ICO if there’s an issue with the way you’re handling their data.

Link to this page on every page of your website, especially on pages where people are sharing their email or other personal information – like any landing pages or sales pages.

Action item: Include a clear link to your email privacy policy or terms of use on your opt-in forms, website, as well as on the emails you send out to your list. If possible include a tick box that people can check to say they’ve read your policy. Make sure your privacy policy is written in clear language, and covers everything listed above. Here’s a good overview of what your email privacy policy should look like. **Consult your lawyer for more info on this!

8. Make sure your website is switched to HTTPS

Having a secure website (https://www.yoursite.com versus http://www.yoursite.com) is super important in terms of SEO (search engine optimization); and in light of the GDPR, it’s become a must-have for data security as well.

Switching your site to https isn’t overly complicated, and ensures your site not only ranks well in the search engines, but that it encrypts sensitive data thereby keeping that data safe.

Action item: Ask your web host to help you make this switch or do it yourself if you know how. Most provide a simple way to do this through your web hosting control panel. Keep in mind you’ll also need to make sure Google knows you’ve made this switch or you could suffer from a major drop in your search rankings!

9. Write down your procedures

To comply with the GDPR, you should have a written record of the various policies and procedures you have in place related to how you collect and use personal data.

This includes:

• How will you delete personal data?
• How will you protect personal data?
• What will you do if your email or website is hacked and personal data is compromised?

Action item: Create a simple document outlining your policies and procedures for each of the items above.

10. Make sure your email marketing service is GDPR compliant

Most of the big email providers are already working furiously on this (e.g., Ontraport, Convertkit, Send Lane, Active Campaign, AWeber, Kajabi, etc.).

However, not all email systems are, so it’s on YOU to make sure they have a compliant data processing agreement in place.

Also ensure you’re able to add a tick box to your optin forms!

Action item: Reach out to your email marketing service and inquire what they’re doing to prepare for the GDPR.

11. Remove contacts that don’t comply with the GDPR

After reading this post, you may have realized some mistakes you’ve made with your list in the past and yes, it does matter! Remember, this law is retroactive so previous email building tactics can be called on the carpet.

If this is the case, now’s the time (before May 25) to go into your email marketing software and remove contacts that weren’t collected appropriately.

Remember: These guidelines only apply to subscribers from the EU. BUT, if you’re not sure where your subscribers are located, you may need to ask them to opt in again.

Action item: If you know you’ve committed a big no-no in the past (like manually adding emails without getting permission first), I’d strongly suggest removing those emails from your list. And if you’re not sure whether you collected emails appropriately or not? Send an email to your entire list asking them to opt in again.

Final thoughts

I hope this post has taken some of the mystery out of the GDPR, and has set your mind at ease. While you shouldn’t get too stressed out about the impending changes, now IS the time to make sure you’ve covered all your bases…both in terms of fixing any mistakes you’ve made in the past, and ensuring you’re in compliance in the future.

Thoughts? Questions? Concerns? While I can’t provide legal advice, feel free to leave a comment below and I can point you in the right direction!

About Author

Kim Garst

Kim Garst is a renowned marketing strategist and speaker who is trailblazing the use of artificial intelligence in digital marketing. With over 30 years of experience as an online entrepreneur, Kim helps entrepreneurs grow their business and authority online by using AI technology. She is leading the way with proven AI frameworks that help entrepreneurs build authority in their space.

She is keynote speaker and an international best-selling author of Will The Real You Please Stand Up, Show Up, Be Authentic and Prosper in Social Media.

Named by Forbes as a Top 10 Social Media Power Influencer, Kim is well-known for her skill to simplify complex technology and make the use of AI understandable for business growth. Her relatable, actionable advice helps guide new entrepreneurs to harness the power of AI to succeed in digital marketing. Kim is leading the way in combining human and technological skills to create a new model for AI-powered marketing.

See author's posts