By now, chances are you’ve heard that the GDPR will be taking effect on May 25th. And if you hadn’t heard that yet, consider this your official heads up—if you have a business that “services” any citizen of the EU, this law applies to you. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need to set up a GDPR notice and compliant consent measures.
WHAT IS THE GDPR?
The GDPR is a sweeping new security measure that is designed to protect the privacy of citizens in the EU. It gives them control over exactly how their personal data is processed, including how data is collected, stored, and used.
It’s admittedly a pain to acquaint ourselves with such a dense new law, but it’s important to understand why this legislation was passed: for the enhanced security of personal information online. With the constant stream of news about hacked websites and shady companies selling data, I wouldn’t be surprised if this is just the first step of many that the world will take to protect online personal data.
WHY SHOULD I CARE IF I’M NOT AN EU CITIZEN?
The GDPR protects EU users, but it applies to any business that collects the personal data of EU users. You may be thinking to yourself, “Well, that’s fine, but I don’t have any EU clients, so I’m in the clear!” Not quite. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so just be cautious and assume that the GDPR applies to you. Better safe than sorry.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company.
WHAT’S COVERED BY THE GDPR?
Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website).
What counts as “personal data”?
Basically, “personal data” is anything that can identify the user or monitor what they are doing. It commonly includes:
- contact information
- medical information
- credit card or bank account details
- geolocation data
- IP address
- Google Analytics info
Another important note for online business owners: this definition of personal data will most likely include any type of processing information that you add to a database—for example, all of your online quizzes, email opt-ins or incentive downloads, surveys, tagging, or segmenting in your email list. In addition, websites commonly collect “personal data” through comments on blogs, contact form entries, analytics, logging tools and plugins, security tools and plugins, and user registrations.
THE MOST IMPORTANT PART: CONSENT UNDER THE GDPR.
To use personal data, you must gain express consent from the user.
What is “express consent”?
One specific note that I want to point out for creatives: I know it is standard procedure in webinars (for example) for the host to give the interviewee the email list of signups from the webinar. I believe this will no longer be permissible under the GDPR, because the user did not specifically consent to the interviewee having that personal data. This also means that you may never automatically add people to your list or sell lists, but that was never legal anyway.
Examples of improper consent:
- Any consent that is merely contained within your terms and conditions and implied (otherwise known as “browsewrap”).
- Language saying “by clicking or navigating the site, you agree to our collection of information” or “by using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy.” This is not considered valid, because they have not expressly asked for consent for the use of personal data for a specific purpose.
LET’S REVIEW: HOW WILL THE GDPR AFFECT MY BUSINESS?
The GDPR will primarily affect four main areas:
- How you collect email opt-ins
- How you conduct your email marketing
- How you obtain consent on your website
You can find complete breakdowns of how you can prepare your business for each scenario at paigehulse.com. I know the GDPR seems overwhelming at first, but when you take it step by step, it’s something that every business owner can handle.