You’ve probably got GDPR fatigue. How many emails have you received from services you use letting you know they’ve updated their privacy policy or asking you to re-opt-in to an email list? 50? 100?
And you’re probably well aware by now that these GDPR regulations from the EU are all about protecting a user’s privacy. You get that part, but as a business, what do you actually have to do to be compliant?
Regardless of whether you’re based in the EU – if you’ve got clients there, are actively looking for clients there or have any details about any EU citizen stored anywhere, then GDPR applies to you. It forces you to secure your customers details, use them in an honest way and be upfront with them about how these details will be used.
“So what do I need to do?”
I’m going to offer some practical guidance based on some common situations that we see regularly with our clients that are going to be affected by GDPR. This obviously doesn’t constitute professional legal advice and isn’t an exhaustive list for all businesses, but it does cover most issues for most businesses.
It’s all about data
Storing and processing personal data on EU residents obliges you to treat that data is certain ways, namely
- Storing it securely
- Obtaining permission for holding it and doing anything with it
- Not using it for anything else other than for what was originally intended
And personal data includes a lot of things, for example:
- A list of purchases a client has made from you
- A name and email address on a mailing list
- A cookie stored on someone’s computer that identifies them on your website
- An identifiable record in Google Analytics or in a Facebook marketing campaign data
This is potentially a big deal, so let’s deal with some common situations.
Mailing Lists and Lead-Magnets
You’ve built a mailing list using a lead magnet, for example, a free ebook. You asked leads to provide an email address to download this free product. You didn’t exactly say you’d be sending them marketing emails about your other products or offers, you just thought that was implied.
Under GDPR you can no longer do this. If you’re asking for the email address to send them an ebook, and that’s all you said you’d be sending them, then that’s all you’re able to do. You can’t send them anything else. What’s more, if you have anyone in your mailing list located in the EU (and who can be sure?) then you can’t send them anything else once GDPR is in effect if you didn’t tell them they’d be receiving anything else.
Common responses to this issue include getting clients to re-opt-in or ‘re-confirm’. So far some reports suggest this has not gone terribly well despite some creative strategies. Figures I’ve read about point to a success rate of just 4%, which is hardly surprising among the current deluge of straight-to-spam GDPR-related notices from every website you’ve ever visited.
If you really want to follow the letter of the law, perhaps the best plan of action is to hold off on marketing emails, at least for now, while you implement a strategy for a re-engagement campaign that will work for your particular list and begin at a time when they’re not overwhelmed. To legally make contact with EU-based list members after GDPR comes into effect, perhaps offer them an updated and expanded version of the item they’ve already requested, and again, at a time they’re not overwhelmed with similar notifications.
For any new opt-ins and for your re-permission/re-confirm opt-ins, you’ll need to be more upfront with your leads. Remember, you can only send a lead an email concerning the specific subject they were interest in when providing their email to access it. So, if you want to send them offers, or news, or use their details for a remarketing campaign for your new product – you have to tell them upfront. Some legal professionals suggest going as far as adding a checkbox to each opt-in granting express permission to used the provided data (often just name and email) for other marketing purposes, and/or to subscribe to regular correspondence (and by law this has to be opt-in rather than opt-out, so no pre-checked checkboxes). Others suggest simply wording the lead-in text of the opt-in to explain what else they’d receive from you. As there is still some ambiguity as to how the regulations are going to be enforced, some suggest a halfway option of linking to your updated privacy policy visibly next to the opt-in.
Privacy notice/policy
Key to being able to collect user data lawfully is telling the user what you’re collecting and for what purposes. You may already have one of these for your business as a whole, or for just your website. Chances are though, it’s not 100% compliant. Key (and possibly new) things to consider are:
- Clear and concise language – no ‘legalese’
- Adding contact details of the person in charge of controlling the data (the “data controller”)
- Stating the reason behind any data processing being done and legal basis for it
- Detailing types of personal data collected (name, email, credit card etc)
- Listing the organizations the data is shared with (Google Analytics – IP address, PayPal – email address)
- Details of transfers of data outside of the EU/EEA – e.g. EU resident subscribing to list run by MailChimp has his data transferred to the US
- How long data is kept after the customer no longer uses your service
- Details on rights to erase all data you hold on them, their right to withdraw consent for processing
- Where the information was gathered (i.e. cookies and what they were for)
You should also begin to consider implementing an explicit request for permission for, or notification of the placement of website cookies. If you’re in the EU you likely already do this.
Data subject requests, deletion and opt-outs
If you’re holding data about an EU resident you’ll be legally required to fulfil requests from that resident (the data subject) to submit to them all the information on them that you have stored, regardless of whether you’ve previously specified through adequate policies what you will store and why you’ll store it. You’ll be required to respond within 30 days of them having made the request, and you’ll have to be sure redactions are made in the data so that no other person’s data is transferred by mistake.
When someone requests that all the data you hold on them is deleted (the “right to be forgotten”), you will have to comply and also record the request… and then comply with GDPR when recording it.
Raw data, is it anonymous?
If you’re collecting statistics through Google Analytics or similar, or running marketing campaigns on Facebook or Google, you’ll likely have vast amounts of stored data. These 3rd parties are taking steps themselves for the most part to comply with GDPR regulations.
For example, in the case of Google Analytics, they are simply deleting historical data – it just simply isn’t possible to make this complaint. Should you wish to retain it, you have to specifically cancel the expiry process, at which point the onus (i.e. blame) is on you.
The problem is, IP addresses aren’t considered anonymous. They can be traced back to individuals, and the tracking software installed on websites records their every move. Thankfully, at least with Google Analytics, there are configuration options to anonymize and future data. If not done already, to be completely safe, you may want to use this feature.
Data Controller, Data Processor
- Data Controller – The person who controls and is responsible for the keeping and using personal information within your systems.
- Data Processor – The person who processes the data on behalf of the data controller. The data controller decides the why and how to process the data to fulfil a service. While data processors hold and process data, they have no responsibility for or control over that data.
This means you need to establish, within your business, who is going to take on the responsibilities of these two roles, if you need them.
If you hold data on EU residents at all then you need a data controller. If you’re an individual or small business, that may just be you. If you process data on your customers yourself, you’ll need to appoint a data processor too. Importantly, if you’re a large enough business, and if the two roles could lead to a conflict of interest, these should not be the same person.
Additionally, if you send data out to another entity for them to process, you’ll need to do a couple of things.
- Make sure they are compliant with GDPR and/or if in the US certified under the Privacy Shield agreement (most are)
- That you sign a Data Processor Agreement with them outlining responsibilities (in the case of many of the services you’ll be using, and you’ll have to ask if not obvious, they’ll have a tool like this one by MailChimp.)
If you are doing anything more complex than what has been mentioned above, you should probably have an expert take a look at your business processes. But for many small businesses, the contents of this article should provide enough information to help keep you compliant. And I’ll update should we notice any other common issues with our clients.
As an individual, you’ll probably agree that online privacy is an important subject while as a busy business owner you might not be GDPR’s biggest fan. So while the EU Privacy Police are not going to be kicking down your door in the middle of the night and there are questions as to how businesses located outside the EU are going to be made to comply, bare in mind that simply trying to comply to the best of your ability makes your businesses look customer friendly, competent, honest and trustworthy. Good luck!