You may have heard rumblings about some big changes coming to the way we do marketing…a little something called GDPR.
But if you’re like many business owners, you may only have a vague idea of what the GDPR is and what it means for your business.
I’m going to demystify the GDPR “law” for you, by telling you exactly what it is, and how you can make sure you’re in compliance with it.
Don’t think this new law applies to you? Think again! If you have even ONE European resident as a customer or email subscriber, it most certainly applies to you…and failing to comply could cost you BIG TIME!
What is the GDPR?
GDPR stands for The General Data Protection Regulation.
Approved by the EU Parliament in 2016, it’s a privacy regulation meant to provide better protection for the personal information of EU residents.
All businesses – worldwide – are expected to be GDPR compliant by May 25, 2018.If you have even ONE European resident as a customer or email subscriber, GDPR most certainly applies to you…and failing to comply could cost you BIG TIME! 💶💲Click To Tweet
Simply put, the goal behind the GDPR is to ensure that companies collect and store personal information in a way that provides the utmost protection for individuals.
This “personal information” can include a number of different types of data including:
- Email addresses
- Bank info
- Social media posts
- Medical information
- Computer IP addresses
In light of the recent Cambridge Analytica/Facebook scandal, I’m sure you can understand the importance of protecting this type of information!
So, why should this concern you…especially if you don’t even live in the EU?
Well, as already mentioned, if you hold the personal data of even ONE EU resident, you need to comply with the GDPR.
And even though this regulation doesn’t come into effect until May 25, it applies retroactively – meaning it also applies to anyone from the EU who joined your list in the past (and who is still on your list).💥 GDPR doesn’t come into effect until May 25 ; however, it applies retroactively – meaning it also applies to anyone from the EU who joined your list in the past (and who is still on your list). #YIKES! Click To Tweet
Thinking of just ignoring these new regulations?
Not a good idea!
The consequences for not being compliant aren’t exactly nominal: with fines of up to €20 million for more serious offenses, and 2% of annual global turnover (sales) for offenses like not having your records in order or not notifying the authorities of a breach, this is nothing to sneeze at!
How to make sure you’re GDPR compliant
These impending changes will apply largely to the way you do email marketing.
Since this is the primary way businesses communicate with customers and ask for personal information, this only makes sense.
For that reason, this section will look at the main ways to ensure you’re collecting, storing and protecting your email subscribers’ information.
*Please keep in mind that I’m definitely NOT a lawyer or data protection expert, and this blog post should not be taken as legal advice! If you have any questions or concerns about how to comply with the GDPR, please consult a local expert.
1. Make it VERY clear what people are signing up for
One of the biggest concepts of the GDPR is consent – do your subscribers really know what they’re signing up for?
When asking for an email address, be extremely clear about asking for consent – not just consent to send them a free guide, ebook, etc. but also consent to continue emailing them in future.
It’s also no longer okay to simply include a pre-checked box – you know the kind that requires the person to UNCHECK it in order NOT to be sent emails?
Instead, your subscribers will need to consciously, clearly and intentionally request to join your list and receive emails from you.
You’ll also need to get permission if you want to send different TYPES of email to your subscribers; for instance, if a customer has given you their email address so you can contact them about product recalls, you can’t turn around and suddenly start sending them promotional emails!
Action item: On your email opt-in forms, include wording that makes it clear what people are signing up for. If you’re offering a free product in exchange for the email, include a (NOT pre-checked) checkbox asking if they would also like to receive regular marketing emails from your company. It’s no longer enough to simply use wording like, “By entering your email you agree to receive my guide and regular emails”.
2. Don’t ask for more info than you need
As a business owner or marketer, it can be tempting to ask for a wide variety of information in order to improve your marketing efforts.
However, the GDPR stipulates that businesses should only ask for the info they actually need.
In other words, if you’re in the personal finance business and are asking people for their favorite movie or their dog’s name, you’re probably asking for too much info!
Action item: Review the fields you currently include on your opt-in forms and ask yourself if they’re all really necessary. If you can’t easily justify why you ask for a specific piece of info, it’s probably best not to ask for it at all.
3. Make it easy for your subscribers to change or delete their info
One of the elements of the GDPR is the “right to be forgotten”. This means your subscribers should easily be able to withdraw their consent or stop having their personal information used.
4. Never, ever, ever email people who have unsubscribed from your list!
While this may seem like common sense, some companies have used what they thought was a loop hole to continue connecting with those who have unsubscribed – by emailing them and asking them if they would like to receive future emails.
This is a HUGE no-no – not just in terms of the GDPR but in terms of respecting your subscribers’ wishes!
Action item: If someone has opted out of your list, do not, for any reason, email them again (unless of course they explicitly ask to re-join your list at some point). Make sure to also DELETE those people from your list…as some email providers (e.g., AWeber) will only move those emails to a separate unsubscribed list.
5. Use a double opt-in process when collecting emails
This has always been considered a best practice, but in light of the GDPR it’s probably best to now consider it a must-have.
When someone signs up for your list, most email marketing services give you two options: going through a single opt-in or double opt-in process.
The single opt-in means that the person enters their email, and that’s that – they’re now signed up to receive future mailings.
The double opt-in, on the other hand, means that after entering their email, they also need to click a confirmation link in an email to confirm they want to receive your emails.
Action item: Go to the settings in your email marketing software and make sure you’ve selected the double opt-in process.
6. Keep records of people’s consent
If you’re using a double opt-in process to collect emails, this is a great start.
But what if you occasionally collect emails at live events, conferences or tradeshows?
Simple: just make sure you keep the original records where people ask to be added to your email list!
Another element of keeping compliant records will be to keep a record of how each person on your list signed up (a data flow map).
Basically, you just need to be able to prove how each person on your list got onto your list!
Action item: If you’re adding new subscribers manually for any reason, keep a spreadsheet or flowchart showing exactly how they opted in to your list. If you’re collecting emails at a live event, make sure to have and keep a document where your subscribers have physically signed up to be added to your list.
Basically this page should explain how you plan to use their personal data, how you plan to protect that data, who will be able to view that data, etc.
You should also know how your vendors or service providers (e.g., Stripe, PayPal) are using that data…OR ELSE include a disclaimer that you aren’t responsible for what happens when people leave your site.
Link to this page on every page of your website, especially on pages where people are sharing their email or other personal information – like any landing pages or sales pages.
8. Make sure your website is switched to HTTPS
Having a secure website (https://www.yoursite.com versus http://www.yoursite.com) is super important in terms of SEO (search engine optimization); and in light of the GDPR, it’s become a must-have for data security as well.
Switching your site to https isn’t overly complicated, and ensures your site not only ranks well in the search engines, but that it encrypts sensitive data thereby keeping that data safe.
Action item: Ask your web host to help you make this switch or do it yourself if you know how. Most provide a simple way to do this through your web hosting control panel. Keep in mind you’ll also need to make sure Google knows you’ve made this switch or you could suffer from a major drop in your search rankings!
9. Write down your procedures
To comply with the GDPR, you should have a written record of the various policies and procedures you have in place related to how you collect and use personal data.
- How will you delete personal data?
- How will you protect personal data?
- What will you do if your email or website is hacked and personal data is compromised?
Action item: Create a simple document outlining your policies and procedures for each of the items above.
10. Make sure your email marketing service is GDPR compliant
Most of the big email providers are already working furiously on this (e.g., Ontraport, Convertkit, Send Lane, Active Campaign, AWeber, Kajabi, etc.).
However, not all email systems are, so it’s on YOU to make sure they have a compliant data processing agreement in place.
Also ensure you’re able to add a tick box to your optin forms!
Action item: Reach out to your email marketing service and inquire what they’re doing to prepare for the GDPR.
11. Remove contacts that don’t comply with the GDPR
After reading this post, you may have realized some mistakes you’ve made with your list in the past and yes, it does matter! Remember, this law is retroactive so previous email building tactics can be called on the carpet.
If this is the case, now’s the time (before May 25) to go into your email marketing software and remove contacts that weren’t collected appropriately.
Remember: These guidelines only apply to subscribers from the EU. BUT, if you’re not sure where your subscribers are located, you may need to ask them to opt in again.
Action item: If you know you’ve committed a big no-no in the past (like manually adding emails without getting permission first), I’d strongly suggest removing those emails from your list. And if you’re not sure whether you collected emails appropriately or not? Send an email to your entire list asking them to opt in again.
I hope this post has taken some of the mystery out of the GDPR, and has set your mind at ease. While you shouldn’t get too stressed out about the impending changes, now IS the time to make sure you’ve covered all your bases…both in terms of fixing any mistakes you’ve made in the past, and ensuring you’re in compliance in the future.
Thoughts? Questions? Concerns? While I can’t provide legal advice, feel free to leave a comment below and I can point you in the right direction!