What is GDPR?
GDPR stands for General Data Protection Regulation and it’s essentially a data and privacy protection law that applies to the European Union and its residents.
So why are you getting all those notices and how does it apply to you?
In theory, it applies only to EU businesses and individuals. In practice, however, our global economy extends its reach far beyond the borders of the European Union. Any company that does business in Europe, no matter where it is physically located, must comply as well. That means even small business owners, Etsy sellers, and freelancers who provide products or services to individuals in Europe must take steps to fall in line with GDPR.
What about blogs, websites and email lists?
For email lists, you now must be very clear about the purposes of collecting names and emails, explaining exactly what information you are gathering. For instance, even if you only occasionally send emails of a marketing nature, that still must be disclosed in the sign-up process. The EU subscriber must also opt themselves in, so there should be a check box stating that they acknowledge the purpose of your email list and how their data will be used, and it cannot be checked by default. You also need to send an email so that any existing European Union subscribers can opt in, hence all those emails you are getting asking whether you still want to be on their lists.
Is that it? Is that all there is to GDPR?
Not at all. This is just a very quick overview of how it might affect you, especially if you are a small business owner, blogger or freelancer. Take for example the ‘freebie download’ marketing method.
You create a free ebook, whitepaper, webinar etc. in exchange for adding the names of those downloading or signing up to your email list. Before GDPR you didn’t need to spell out the fact that individuals signing up for those freebie items would be placed on your email list and could expect marketing emails in the future. You just had to make sure that you included information about how they got on your list somewhere in the fine print of your emails, along with the unsubscribe link.
Now you have to provide that information up front, not only explaining that they are signing up for an email list, but also what to expect as to the nature of the emails they will receive. Should an issue ever occur with an EU subscriber, you must be able to provide proof that they received this information and chose to opt in.
There is also the fact that EU visitors to your site, commenters on your blog and contacts from your contact form can at any time ask you to provide them with exactly what data you have collected from them and they can ask you to remove it. This part is complex and tricky since the data collected may not be something you have access to but is held in some third party database of a service or plugin you may use on your website. That means you also need to provide information about those third parties and where to find their privacy and data policies.
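As an added example (not code from this article), the following Python consent ledger covers the opt-in and proof-of-consent points from the email-list sections above and the access and erasure requests described here. The notice wording, purposes and signing key are assumed placeholders; the signup form is assumed to post a plain checkbox named consent.

```python
from datetime import datetime, timezone
import hashlib
import hmac
import json

# Hypothetical notice shown beside the opt-in box (assumed wording, not from the
# article). Version and hash it so a record proves which text the subscriber saw.
NOTICE_VERSION = "2018-05-24"
NOTICE_TEXT = ("By ticking this box you agree to receive the free ebook and "
               "occasional marketing emails. You can unsubscribe at any time.")
PURPOSES = ["ebook_delivery", "marketing_emails"]
LEDGER_KEY = b"constructed-demo-key"  # real deployments load this from a secrets store

def has_explicit_opt_in(form):
    """Browsers omit an unticked checkbox from the POST body entirely, so a missing
    key means no consent. The form itself must never pre-check the box."""
    return form.get("consent") == "on"

def _mac(fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(LEDGER_KEY, body, hashlib.sha256).hexdigest()

def record_consent(email, form, now=None):
    """Validate a raw sign-up POST dict and return a signed consent record;
    `now` is an optional ISO-8601 timestamp, mainly for tests."""
    if not has_explicit_opt_in(form):
        raise ValueError("explicit opt-in required")
    rec = {
        "email": email,
        "purposes": PURPOSES,
        "notice_version": NOTICE_VERSION,
        "notice_sha256": hashlib.sha256(NOTICE_TEXT.encode()).hexdigest(),
        "timestamp": now or datetime.now(timezone.utc).isoformat(),
    }
    rec["mac"] = _mac(rec)
    return rec

def verify_consent(rec):
    """True only if no field was altered after the record was signed."""
    fields = {k: v for k, v in rec.items() if k != "mac"}
    return hmac.compare_digest(_mac(fields), rec.get("mac", ""))

def export_subject_data(ledger, email):
    """Answer an access request with every record held for that subscriber."""
    return [r for r in ledger if r["email"] == email]

def erase_subject(ledger, email):
    """Answer an erasure request; returns the ledger without that subscriber."""
    return [r for r in ledger if r["email"] != email]
```

Data held by third-party services (list providers, form plugins) is not in this ledger, so an access or erasure request must still be forwarded to each of them.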
What if I’m non-compliant?
You could be fined up to 20 million euros ($23.5 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. There will of course be warnings, and the chances of a small business like an Etsy seller being fined that much are slim. Still, if you were fined, it would definitely be a chunk of change that would hurt plenty, even if it wasn’t in the millions.
I’m supposed to have all this in place tomorrow? I didn’t even know what GDPR was until today!
The regulation goes into effect tomorrow, but it’s highly unlikely everyone is going to be compliant tomorrow. In fact, this article on The Verge claims very few companies are going to be compliant, to say nothing of small businesses, bloggers and freelancers. They suggest that for a period of time regulators will go easy on non-compliance because of the complexity of the regulation. That doesn’t mean you should just ignore it. No one really knows exactly what is going to happen, so it’s important that you pay attention and work on compliance as soon as possible. No wonder most of us are completely overwhelmed by GDPR and what we need to do.
Many of us, especially those of us in the U.S., aren’t totally clear on everything we need to do to be completely compliant, but that doesn’t give us a free pass to claim ignorance and do nothing. There is plenty of information out there. Chances are the service that hosts your email list has already implemented GDPR compliance features for you to take advantage of. Mailchimp, AWeber, Constant Contact and ConvertKit all have information regarding the GDPR and your email lists, and I would imagine other services do as well.
Help! I’m still overwhelmed by GDPR.
In summary, it’s likely many people are a bit behind on GDPR and are now a bit frantic about what it is and what they may need to do. If you haven’t taken steps yet, you can and should begin the process. Start by checking what your website platform and any plugins you use already have in place. Check with your email list service to see their tools and suggestions. While it is important that you pay attention to GDPR, it’s definitely not a reason to panic.