How to Be GDPR Compliant

How to Be GDPR Compliant for Small Businesses

This isn’t the most exciting post, but it is important because if you have a website or offer services and you don’t comply with GDPR, you could be fined 20 million Euro.

The General Data Protection Regulation (GDPR) went into effect May 25th 2018, and its purpose is to strengthen the rights of EU citizens over their personal information.

Does it Affect You?

If you offer products or services to citizens in the EU – YES it does

If you collect information from citizens of the EU – YES it does

Basically, if anyone in the EU visits your site and you have an opt-in form, sales page, or use cookies/pixels, then you need to comply.

I’ll start with the aspect of the GDPR that will affect most people reading this.

If you send emails or do email marketing: 

Anyone on your email list who did not give explicit consent to receive emails from you must be asked to opt in again, and you MUST make clear when they opt in that they are giving consent to receive emails from you.

If you sold someone something or offered a free download in exchange for an email, and they were then automatically added to your email list without being told that by doing so they were giving you permission to email them in the future, you MUST ask them to opt in again, and you MUST make it clear that by opting in, they are giving consent to get emails from you.

If your opt-in forms or checkout forms DID NOT clearly say that by opting in or buying, people give permission to receive emails from you, then you must:

  • Update all your opt-in forms and sales pages to let people know that by opting in or buying, they are giving consent to be contacted and agree to the privacy policy.
  • Keep accurate records of everyone who opts in or purchases, especially the date (if you use something like Mailchimp, AWeber, GetResponse or ConvertKit, they do this automatically).

If you haven’t been specifically asking your opt-ins and buyers for consent to receive emails, send an email to everyone on your list asking them to opt in again, and on your opt-in page be sure to specify that by opting into that form, they give consent to receive emails and agree to your privacy policy.

Yes, this is a big pain in the butt, and your list size will decrease A LOT!  But at least you won’t have any problems with any GDPR Supervising Authorities (SA).

Is it worth the hassle and decreased list size?

When it comes to how the GDPR will be enforced, it’s up to each EU country to assign their own SA, and then each SA will have their cronies who find offenders and take action against them.  It is still pretty new, so no one is sure how they plan on enforcing things, but it’s still a good idea to follow the law!

ACTIONS YOU SHOULD TAKE NOW  

  1. Add a Cookie Consent script or plugin to your page.  (GDPR Comply comes with one)
  2. Make sure your privacy policy includes:
    1. What personal information you collect
    2. How and why you collect it
    3. How you use it
    4. How you secure it
    5. Any third parties with access to it
    6. Any cookies you use (Google Analytics, FB Audiences, etc.)
    7. How users can control any aspect of this
    8. The 8 rights of users (covered later in this post)

For more details about specifics to include in your privacy policy, check out this article.

One of the fastest and easiest ways to become GDPR compliant (for most small and medium-size companies) is to use GDPR Comply.

If you collect information   

You must first determine what type of information you are collecting: Personal Information or Sensitive Personal Information.

Personal Information means any of the following:

  1. Name
  2. Address
  3. Email Address
  4. Photos or Videos
  5. Online Identifiers – IP addresses, cookies, etc.

If you collect any of the above personal information from people in the EU (which can mean something as small as people in the EU being able to visit your website while you use cookies or pixels on it), then you must comply with the following privacy principles:

  1. Lawful, Fair and Transparent – Data processing must not violate the GDPR tests. You must be open about what you’re collecting and your process must match up with what you claim.
  2. Limit your Purpose – Only collect data for “specified, explicit and legitimate” purposes and no others without further consent.
  3. Minimize Collection – Limit the amount of data you collect to what’s adequate and relevant for the purpose.
  4. Be Accurate – Make sure the data you collect is accurate and kept up to date.
  5. Limit Storage Time – Keep data for no longer than necessary and remove data after it’s no longer required.
  6. Protection and Confidentiality – Handle data carefully so as to secure it against loss, damage and destruction.

You must also satisfy at least one of the following processing conditions:

  1. Consent – This will be the most common one; it simply means the person opted in to a form or consented in some other way to you collecting their personal information.
  2. Necessary for performance or prep of a contract with subject
  3. Necessary for legal obligation compliance
  4. Necessary to protect vital interests when consent isn’t possible
  5. Necessary for performance of public interest task or exercise of vested official authority
  6. Necessary for purpose of legitimate interests

For those who collect Sensitive Personal Information (which covers things like sexual orientation, religious/philosophical views, health data, political views, genetic data, etc.), you must comply with the same 6 privacy principles listed for those who collect personal information, as well as satisfy at least one of the following processing conditions:

  1. Have explicit consent of subject, unless reliance on consent is prohibited by EU/Member State law
  2. Necessary for fulfilling obligations under employment, social security, social protection law or collective agreement
  3. Necessary to protect vital interests when consent isn’t possible
  4. Processing is carried out by not-for-profit for members/former members and there is no third party disclosure
  5. Data is made public by subject
  6. Necessary for legal claims or courts
  7. Necessary for reasons of substantial public interest under law, with safeguard measures in place
  8. Necessary for medical purposes on the basis of law or contract
  9. Necessary for public health interests such as cross-border threats
  10. Necessary for archiving purposes in public interest, science or research

If you collect personal information or Sensitive Personal Information, you are required to do a Data Protection Impact Assessment.

You’ll also have to implement Privacy by Design (PbD).

And respect the 8 rights of users:

  1. To be informed – Provide transparent information about data processing
  2. Of access – Let individuals access any data you’ve processed from them
  3. Of rectification – Let individuals rectify incomplete or inaccurate data
  4. To erasure – Individuals can request you delete their data
  5. To restrict processing – Individuals can block the processing of their data
  6. To data portability – Individuals can reuse their data for other services
  7. To object – Individuals can object to the processing of their data
  8. In relation to automation – Individuals are protected from automated decision-making processes

Those are the overall things most of you reading this will have to comply with, but for larger companies and those who collect large amounts of data, there is a lot more involved.

You can check out all 11 Chapters of the GDPR here.

Brian Gray
