A couple of weeks ago I was talking to my good friend Jen McFarland at Foster Growth. She’s my go-to gal when I have tech questions. So, as GDPR has become THE hot topic for small business owners in the last couple of weeks, I asked Jen to share her recommendations. For most of my clients we’ve talked about this already and made changes as needed. My recommendation – read Jen’s blog post and start to implement the changes with your web developer and with your newsletter signup forms in the coming weeks and months to be ahead of the game.
If you’re like me, your inbox started overflowing last week with one updated privacy policy after another. Each email referenced the need to comply with the General Data Protection Regulation (GDPR).
What in the Hell is GDPR?
In 2016, the European Union (EU) passed GDPR to serve as a data protection standard for its citizens. The regulations went into effect May 25, 2018.
The EU was ahead of the curve in viewing email addresses and online surfing habits as personal information in need of being protected. It’s almost as if they saw the whole Facebook Cambridge Analytica thing coming… but I digress.
GDPR is similar to the Payment Card Industry Data Security Standard (PCI DSS) used to protect our credit card numbers and any personally identifiable information associated with credit card payments. My advice if you’re a business owner and don’t know about PCI compliance – don’t be like the City of Portland – always use a third-party payment processor and never take credit card numbers on paper unless you want to comply.
Like PCI DSS, GDPR seeks to protect EU citizens’ personal information. In this case, that means all of the data collected, stored and processed via an online transaction.
I’m a US Business. Why Should I Care About GDPR?
You might think it has nothing to do with your business, but the regulations apply to any online service or company that collects, processes, manages or stores information.
The law is not scoped to EU businesses alone. The regulation intends to protect EU citizens regardless of when or where the data collection happened.
That means you too, local business owner.
Typical cases where your business collects information and may need to update its privacy policy or processes to comply with GDPR:
1. Tracking codes installed on your website (e.g., Google Analytics, Facebook Ads, Google Adwords, Bing, Twitter, et al.)
2. Newsletter opt-in or a free ebook/gift
3. Collecting emails as part of a point-of-sale system (or your online store saves emails to a list)
4. Exchanging information with another business or individual that results in receiving, processing, managing or storing personal information from the EU (applies to all information, including information you have from years ago)
As you can tell, these regulations are pretty far-reaching. The good news is, it’s straightforward to comply (unless you fall under #4 in the list above – in which case, consult your attorney and IT department).
Here are a few simple steps to get you started:
Step 1: read a little about GDPR on Wikipedia or other trusted sources and comply with any updates sent by your vendors that collect information on your behalf (e.g., Google Analytics, MailChimp, ActiveCampaign, etc.).
Step 2: create or update your privacy policy (and then follow it). I used Terms Feed to create my updated privacy policy. You can also consult your attorney.
Step 3: make it very clear what people are subscribing for and that they can unsubscribe at any time. No more auto-subscribing, unless you are strictly B2B and correspondence falls under the “legitimate interest” provision.
For example, I added these words to my opt-in forms: “Subscribes you to Foster Growth LLC email list. All emails include an unsubscribe link. You may opt-out at any time. See our privacy policy.”
Most point-of-sale systems allow you to add text letting people know that by giving you their email address they are consenting to be added to a list.
Step 4: notify everyone on any existing lists and give them the option to unsubscribe.
Step 5: add a cookies policy to your website and notification so people can opt-out of cookies (cookies are the tracking codes you use for Google Analytics, Facebook ads, et al.). I used Terms Feed for my cookies policy and CookieBot so people can opt-out of cookies.
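Steps 3 and 5 both come down to one rule: nothing tracks the visitor until they have said yes. The snippet below is an added example (not code from Jen’s post or from CookieBot) showing how a site can gate its tracking scripts on a recorded consent choice; the cookie name and the tracker URLs are assumptions.

```javascript
// Added example (not from the original post): load the tracking scripts from step 5
// only after an explicit opt-in, so no analytics or ads cookie is set before consent.
// Assumed: consent lives in a first-party cookie "gdpr_consent" = "granted"|"denied".
const CONSENT_COOKIE = "gdpr_consent";
// Constructed placeholder URLs standing in for the vendor tags the post lists.
const TRACKERS = [
  "https://example.invalid/google-analytics.js",
  "https://example.invalid/facebook-pixel.js",
  "https://example.invalid/adwords-tag.js",
];
// Parse a "k=v; k2=v2" cookie string (document.cookie) into a map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim();
    if (key) out[key] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}
// "granted", "denied", or "unknown" when the visitor has not chosen yet.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "granted" || v === "denied" ? v : "unknown";
}
// Consent is opt-in under GDPR: an unanswered banner ("unknown") is treated
// exactly like "denied", and only an explicit "granted" unlocks trackers.
function allowedTrackers(state) {
  return state === "granted" ? TRACKERS.slice() : [];
}

// Inject <script> tags for the allowed trackers. `doc` is the DOM document,
// passed in so the logic can be exercised outside a browser. Returns the count.
function loadTrackers(doc) {
  const urls = allowedTrackers(consentState(doc.cookie || ""));
  for (const src of urls) {
    const s = doc.createElement("script");
    s.src = src;
    s.async = true;
    doc.head.appendChild(s);
  }
  return urls.length;
}
// Record the banner choice in a first-party cookie (one year, SameSite=Lax).
function recordConsent(doc, granted) {
  const value = granted ? "granted" : "denied";
  doc.cookie = `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; SameSite=Lax`;
  return value;
}
```

In a real page you would call `loadTrackers(document)` on load and again from the banner’s “accept” handler after `recordConsent(document, true)`.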
Here’s the link to a more comprehensive GDPR checklist.
If you have questions, consult your attorney, web developer, or tech strategist.
Take action now because there are penalties for not complying. Also, it’s likely increased data protection will spread beyond the EU.
About the Author
Jen McFarland is a technology strategist and project turnaround artist. Her company, Foster Growth, helps businesses make better technology decisions. Her superpowers are listening, evaluating problems, and finding direct, simple solutions. Jen’s approach delivers substantial results like 250% increases in web traffic and a 98% reduction in data entry.