As I’m sure you’ve recently heard, GDPR goes into effect this Friday, May 25th.
If you’re anything like me, this whole situation has caused you no little amount of stress and confusion. Personally, I don’t understand the legal mumbo-jumbo. I leave that stuff to the lawyers (that’s what we pay them for, amirite?).
But since the deadline is approaching so quickly, I figured I’d better get on this stuff ASAP. And then I realized that if I’M confused about it all (as a web designer), surely you must be too.
So, I’ve put together a little guide on the subject to help you get it straight before Friday (eek, 4 days! — but don’t panic, we got this).
Now, if you’re reading this and wondering ‘WTF is GDPR,’ you should probably go check out this article. I think it does a really good job of explaining everything you need to know in language we can understand (and by we I mean us ‘normal people’ who don’t think legal terms are fun *shudder*).
Basically, we need to take proactive steps to make sure we’re protecting people’s personal information. Really we should all be doing that already, but now we also have to show that we have an individual’s permission to obtain and use that information. And it’s not as complicated as it sounds.
What GDPR means for you
Everyone’s personal path to GDPR Compliance will look a little different, depending on the type of information they collect and where they store it. The best way to figure out your own path is to determine your role in the process.
Understanding your role: Data Controllers vs. Data Processors
As a business, you are most likely a data controller. Meaning: you decide what information is collected from subscribers or clients and why.
So, if you put an email subscribe form on your website to collect a name and email address so you can send out emails about your products and services, you’re a data controller. If you use an inquiry form on your website to gather contact information about potential clients and their needs, you’re a data controller.
However, if you run a business like Mailchimp, ConvertKit, Dubsado, HoneyBook, or the like — and you collect and store the information about your clients’ customers in your database on YOUR CLIENT’S behalf — you’re a data processor.
In rare cases, you might be both the data controller and the data processor. This would apply to you if you run a membership site or e-commerce store where you collect customer information and store it within your own database.
Data Controllers: About Getting Consent
As a data controller, you have a responsibility to get permission from your subscribers and the people who sign up for your services in order to USE their information in any way.
The GDPR states that websites will have to ‘get clear, unambiguous affirmative consent before collecting personal data, and explicit consent before collecting sensitive personal data’.
So what in the heck does that actually mean?
Get clear, unambiguous affirmative consent before collecting personal data
Personal data includes:
- Birth Date
- Email Address
- Phone Number
If your email subscribe form discloses what you will be doing with the name and email addresses that you collect from subscribers, you don’t need to do anything else. The action of entering their name and email address and hitting submit counts as consent so long as you don’t have any automatically-checked boxes on your form to give consent to something else as well.
However, if you don’t have a checkbox that asks people to accept your terms and conditions, and then go and sell your contact list to a third party for advertising purposes without disclosing that you intend to do so, you’re in violation of the GDPR.
Get explicit consent before collecting sensitive personal data
Sensitive personal data includes:
- Health Data
- Sexual Orientation
- Religious Beliefs
- Political Views
- Genetic Data
If you collect any of the information above, you are required to have a checkbox on your form that explicitly shows consent from your subscriber. Next to the box, you need to clearly state what it means to check that box. ‘I agree to share my personal sensitive data with XYZ Company in order to receive updates about specific health conditions,’ or ‘I consent to sharing my personal sensitive data with ABC + Co so they can send me advertisements related to my information.’
No matter which type of information you collect, you should know exactly how to set it up with your various data processors so you’re following all the rules.
Data Processors: Who you might use and what to look for
The data processors you use will vary depending on the type of business you run, but in general, they include all of the systems + software you use to collect client information. That means email marketing, client relationship managers, payment processors, call schedulers, online course hosts (like Thinkific or Teachable or Udemy)... basically anything you use that stores your clients’ information or requires your clients to log in.
What you really need to know about these data processors is whether or not they’ve gone through the process of becoming GDPR Compliant themselves. Because if not, that puts you at risk.
You also need to find out from them how to make changes to your workflows and opt-ins in order to be GDPR Compliant on your own site. Most of them will have detailed information on their blog or their FAQs about steps you need to take.
Personally, I bought a new and updated version of both of those pages from The Contract Shop. It’s more than worth the money to be compliant when you consider that the GDPR non-compliance penalties are up to 4% of your annual income, or €20 million — whichever is MORE. That’s a terrifying amount for small businesses. Definitely worth the $255 investment.
A word to the wise: since these policies can vary depending on the way you conduct business, purchasing your own set is much better than copying them from someone else. They may have deleted entire sections of a policy that you would need for your own business.
Things to keep track of for GDPR Compliance
As a data controller, you are required to keep proof that the people on your list have consented to be there. Depending on which processors and methods you use for data storage, be sure you know how to access that proof should you be requested to show it.
Worldwide GDPR is Coming
In many of the articles I’ve been inhaling, I’ve read that the EU generally sets a new standard in place — and then the rest of the world follows suit. So, it’s safe to assume that GDPR will, in fact, go into effect for the entire world at some point.
With that in mind, I’ve opted to simply set up my entire list to be GDPR compliant — not only for my European subscribers — but for ALL of them.
And really, wouldn’t you rather do that as well? It will save you from having to go back and deal with this situation again in a year or two when this regulation goes mainstream in other countries.
What this means for us
- Everyone who subscribes to our email list or fills out our service inquiry forms will have to check a box giving consent to use their information for sending email newsletters or contacting them about our services.
- People who opt-in to our email list also have to complete a double opt-in. That way we have two forms of proof that they’ve consented to our use of their information.
- We’ve purchased SSL for our website, and it will go into effect this week. We’d much rather have it in place now and increase security for our subscribers all around. Besides, it’ll get rid of the pesky ‘not secure’ notice in Google when people come to our website — and make us look more professional. #winwin
- We’ve sent out an email to our entire list requesting they consent to continuing to receive emails from us. Anyone who doesn’t consent by Friday will be deleted from our records.
Hopefully this post has helped you get a jump on your GDPR Compliance. It’s not too late to take action — and even if you don’t have every piece in place by May 25th, being able to show that you are in the process could grant you some leeway on penalties according to the UK IT Governance website.
Happy stress-week, friend!