The General Data Protection Regulation, or GDPR, is on everyone’s minds (and in all our inboxes) lately. Sheesh! But there’s relief in sight with a fast approaching deadline of May 25, 2018 for your compliance.
What Is the GDPR?
The GDPR is a new regulation out of Europe that applies to anyone who markets to EU Data Subjects.
Huh?
Let’s break that down.
A “data subject” is just a fancy way of saying “someone we collect data on or from.” For example, if you see a tempting free online training and click to join, it will likely prompt you for your name and email address. In this example, you are a data subject, and your name and email are data for the marketer collecting them.
EU refers to where the “data subject” is accessing information from – the European Union.
But data can be a lot more subtle, too. For example, have you ever noticed those shoes you looked at online that seem to follow you around the internet? You can’t get away from them. That’s because when you looked at the shoes, the shop you visited used a thing called “cookies” that embedded on your IP address and followed you on your social, mobile and other feeds. If you browsed in private or “incognito” mode, your IP address would be hidden and therefore there’d no way for the shop to embed cookies to attempt to re-engage you.
Cookies can be really helpful because they help your sites load faster, and can remind you about tools and trainings you forgot about. But, now with the GDPR, the use of those cookies must be disclosed and you have the option to attempt to rid yourself of them.
Does the GDPR Apply to Small Businesses?
The big question, especially for U.S.-based business owners, is “Does this apply to me? Why should I comply with European rules?” You can determine if GDPR applies to you and if you need to comply if any of the four factors applies to your business:
- Marketing in an EU-based language
- Marketing using domains that end in EU-based abbreviations (e.g., domain.es for Spain, domain.uk for the UK)
- Marketing that targets the users of an EU-country (this includes the UK)
- Accepting payment in Euros
Can I Ignore GDPR?
No one knows yet how the GDPR will affect U.S.-based businesses, but I’m here to offer you three things to consider:
- We don’t know how GDPR will be enforced and to what extent. It’s too early to tell how and under what conditions the EU will enforce the GDPR. Anyone who tells you otherwise is either bluffing or trying to sell you something. This is a huge shake-up of internet laws and will have an impact for years to come. However, we only know what we know now, which is that compliance is mandatory if the GDPR applies to you, and this is not going away. Also, we still don’t know how the EU will assert jurisdiction over non-compliant U.S.-based businesses. That’s a big, legal way of saying the U.S. has enough to worry about at the local, state and national level. It’s highly unlikely that U.S.-based government agencies and authorities are ready or willing to exert any amount of resources enforcing the laws of the European Union, even if they had the ability to do so.
- There could be fines. The EU is threatening huge fines of up to €20 million for companies that gross less than €20 million annually in revenue. If history lends any signs, fines will likely be modest compared to these big “scare” numbers, but healthy enough that you don’t want to deal with them.
- The biggest blow could actually come from the SAAS we know and love. Personally, the fines aren’t the scariest or most likely problem for me. I worry more about waking up, logging into my favorite SAAS platforms (like HoneyBook, Quickbooks and Convertkit) and realizing my account has been frozen or terminated due to non-compliance. Because it remains to be seen how the EU will force U.S.-based businesses to comply (see #1, above), and the help from U.S.-based government authorities is unlikely at this point, this could be how the EU forces us all into compliance.
How to Be GDPR Compliant by the May 25, 2018 Deadline
There are three main tools you need to get into compliance by the deadline.
- Include Terms & Conditions and a Privacy Policy. You need a Terms & Conditions + Privacy Policy that houses all your basic compliance, legal and contact information. This is a great idea to have even if the GDPR doesn’t apply to you, because it informs users what they can and cannot do on your site, what information you collect and what you’ll do with that information. It’s also a helpful place to house any refund or payment information if you sell products or sell services directly through your website. If you don’t want to DIY, this privacy policy template with easy-to-fill blanks can be copied and pasted into a new page on your website.
- Obtain consent. Your Privacy Policy is sadly no longer enough when it comes to informing visitors what you do with their information. A key change with the GDPR is the mandatory and affirmative consent you must obtain at the point of opt-in. Before the GDPR, you have probably noticed lots of phrases like “we will not rent, sell or spam your contact information” under the opt-in box where you input your name and email address. After the GDPR comes into effect, there must be some kind of statement as to what information is collected and what the marketer (aka, you) will do with that info as well as some kind of consent via a checkbox or dropdown menu stating as much.
- Prepare to provide data. The final crucial feature of the GDPR, and difference from what exists now, is the ability of the “data subject” to request their data back at any time. Site users will be able to not only request they be unsubscribed, but they can also request their customer records and other marketing information that has been compiled on them. Think of it like your permanent record from elementary school, and now, people on your email list can request these permanent records back or deleted entirely.
To learn more, click here to check out a quick presentation on the GDPR, and to learn how you can be in compliance and back on your feet in no time.
