GDPR (General Data Protection Regulation)
20 minutes to read | 30 minutes with Video
This week we talk about the GDPR.
On May 25, 2018, the General Data Protection Regulation (the GDPR) goes into effect. It already exists, but it will be strongly enforced starting May 25, 2018. Unless you plan to deny access to your services, products, etc. to all EU citizens and residents, you will need to comply with the GDPR or face the consequences.
You can also face penalties if someone accesses your website from the EU, even if that person is not an EU citizen. We wanted to talk about what we are doing, for ourselves and for our clients. This might help you. We recommend you check and update your own information.
Get Your Checklist.
Last week we started the conversation. See the rest of the blog post for deeper details, a checklist, and a conversation about how other business owners are dealing with this.
The subject matter:
The GDPR (General Data Protection Regulation)
- An Overview
- Email List/Consent standards
- Privacy Policy
- Website/Wordpress/Plugins
- Google and Analytics (cookies).
- Checklist we are following (we created)
As a business owner and a marketer helping other businesses online, this is my business, and what I do here makes a difference. I will not lie, it has been a bit stressful. But in order not to let fear eat my time, I am jumping in with both feet to drive up my confidence on this matter. It seems there is ambiguity everywhere on this topic; however, we do believe there are some fundamentals to figure out. Firstly, let’s go over our website, how we collect data, and what we have to change to adhere to the new regulations.
Our 2-second snapshot is:
It is a pain in the butt but necessary, and complying is smarter than not. In our opinion, you need (we need) to update your stuff. It will now be harder for those collecting email addresses, and more segmentation is needed. So that can be a yay for fewer emails and an ugh because updating things makes it harder.
1. GDPR Overview
A dry topic, but an important one that everyone needs to know about.
Firstly, what is the GDPR?
It is Europe’s new General Data Protection Regulation (GDPR). This regulation replaces the 1995 EU Data Protection Directive. The plan is to unify data protection rules across Europe. This new regulation places new obligations on all organizations, businesses and entrepreneurs that offer goods and services online if the participants are in, or part of, the EU.
When does the GDPR apply?
For the GDPR to apply, a financial transaction isn’t necessary. Non-EU-based businesses must also comply with the GDPR if they collect or process personal data of any EU resident (EU citizenship is not required). We’re going to go through all of the below.
- What activities are covered by the GDPR? (see above)
- Who has to comply with the GDPR.
- The principles behind the GDPR (to help us comply with the spirit of the law).
- The requirements (what you have to do and not do).
- Legal uncertainties in the GDPR (laws grow and are interpreted).
- Guidance and best practices (our view and the views we’ve gathered).
The GDPR applies to any personal data processing. Using the term ‘processing’ gives the definition a broad stroke, covering doing anything with data: collection, organization, storage, alteration, erasure or structuring. So it is everything and anything to do with the data you collect. ‘Personal data’ means any information ‘relating to’ an identified or identifiable person. That means it covers names, addresses and email addresses as well as IP address information, which means Google Analytics is involved. Did you get your email yet? This is where we deal with disclosure information. If you collect any data (CRM database, email database, analytics), that’s covered.
Who must comply? There are different standards for different people.
It applies to any relationship where one or more parties are in the EU. This is the first standard.
- ☑️ People outside of the EU: it applies to us, but not in the same way. It applies when we are processing (using or collecting) data of people in the EU. If you offer a product or service to people in the EU, that act makes you have to comply (even when you give a lead magnet to someone in the EU).
- ☑️ People don’t know how the territorial limits will apply. Example: running FB ads. If you target the USA specifically, does it affect you if someone in the EU sees or clicks the ad? Some people think: if you don’t know, collect the data. The other thought: if you ask people from the EU to leave your site, do you have to track them?
- ☑️ Maybe it won’t apply to people in the USA. I would say maybe wait and see.
The ideas behind the regulation
There are 6 principles behind the regulation.
- Lawful, fair and transparent manner.
- Data is collected for explicit and legitimate and specific purposes.
- Data should be limited to what is necessary for the purpose. The concept of data minimization.
- Data is updated and corrected. This applies to Google and FB more than an individual.
- Data shall be kept no longer than necessary. Don’t keep it forever.
- Data should be processed in a secure way (SSL certificates, or password protected).
Question: what are the lawful bases to process info? You have to meet 1 of these, not all 3 (there are 6, but 3 don’t apply to us).
- Consent
- Contract fulfillment
- Legitimate interest
Consent standards. This changes how we do things. It is assumed that when we download a freebie we get added to a list. The EU doesn’t care if everyone knows this. We can’t do this anymore. We can’t just add people to a list now. Consent has to be freely given and specific to what you are asking, so you can’t apply broad consent. People also have to be informed about everything, and a person has to take some action to show agreement.
Someone who gives over an email address to get a lead magnet does not consent to being put on a list.
The second piece of the consent standard: you need a separate, accessible form that is clear and in plain language. You can’t get consent for multiple things in one place or in the course of some other transaction, because consent must be specific and unambiguous. You need a stand-alone consent for each thing you want. For example, if you have a giveaway, you now have to get consent to collect the email for that. It is considered a contract; however, you don’t get to put them on your list. That is coerced consent if you do. You then also need a completely separate consent for the email opt-in.
Contract fulfillment. If someone signs up for something, your obligation is to fulfill that contract; in this case you can send reminder emails in advance of the meeting, calls or webinars. The contract construct will give you guidance. The law is not as clear as it could be. There is a grey zone here. The sales sequence related to your lead magnet is grey, so there is some ambiguity on this.
Q: Will the USA pass this law?
No one knows. The States is the Wild West. Canada has other laws and Canada will probably jump on board.
Your existing email list.
Storing people’s data is using it under the GDPR, so merely keeping your list is processing that you can’t do without a basis. Continuing to store data is using their data, and therefore you have to prove that you have the right to have those names on your list. So it is either scrap your list or get consent again from those on that list. Between now and May 25 you want to get consent to have people’s info.
Consent for expanded processing
The factors: the link between the original purpose of collection and the new one; the context in which the data is/was collected; the nature of the personal data; the consequences of the expanded processing; the existence of appropriate safeguards. This might enable you to do a lead nurture sequence.
Sensitive data
There is a higher standard for collecting certain data, though it is not well explained what that is. Some guidelines for that data include philosophical beliefs, political opinions, religion and ethnicity. Basically, if you segment your list in these ways you need to be explicit and get explicit consent.
Privacy policies. Individuals have more rights under the GDPR.
Right to erasure (the right to be forgotten).
This applies to people being erased from, or corrected in, any database you have. This is not just an unsubscribe. If you have moved people into a spreadsheet, then you have to go and remove them there too.
*** This means you need a data map to make sure you know where their data is. If you use If This Then That or Zapier, you need to make sure you have a system to erase things. Zapier will probably come out with something to help with this.
GDPR representative (DPO, Data Protection Officer). This concerns processing data of EU subjects. Things are not clear. For bigger companies or people with larger lists, you might want to look into this. Things seem ambiguous here.
Other provisions. Companies with 250 or more employees have to keep records of processing activities. If data processing is core to your company’s activities, you have to appoint a Data Protection Officer (for Google, FB, Leadpages, etc.).
How we are being compliant. There are two angles to think about: what you give out and what you get from people.
General overview done! 🙂
Phew, I know that was a lot but it is important.
2. Your Email List.
Your list-building practices. Let’s dig in.
This is the big change that we need to make. Gone are the days of offering a lead magnet and building your general marketing list… at least where EU residents are concerned.
- GDPR requirements
- GDPR existing list
- How to create list building campaigns
- Examples of compliance.
Requirements for email: the consent standard is standalone consent to add someone to your list. Consent must be informed, unambiguous and clear. And you must give your freebie no matter what. You can deliver it by email, as that is the contract fulfillment when people sign up.
- This will be the important piece, because this is where you can make the difference.
- Segmentation. People outside of the EU: we need the consent of anyone inside the EU. For non-EU entrepreneurs, we can segment the list by location. This will save a lot of time and trouble.
- Non-EU subscribers: we do what we’ve done.
Current email list. You need to ask your list to resubscribe to create a legal basis, or you have to delete.
- Non-EU entrepreneurs: segment the list into 2 groups (EU and non-EU).
- People who are in the EU and people who are not. If you don’t know, put them in the EU bucket. Your email service provider should have this ability, but you need to check.
The reason we segment is that you only want to run the re-engagement campaign for those whose consent you need. If we don’t need consent from everyone, why get it from everyone? We know people might not even see that email, which would be the same as them not consenting. That is how you might want to preserve your current list. Now, moving forward.
New email lists. You can do “join my newsletter”, as long as you have the basic disclosure. If someone signs up, having the basic disclosure is what we use. But this method was not great for marketing. The reason we’ve done giveaways is to get people on the list. So you use lead magnets and then get them to opt in.
Your workarounds: have a consent box on the opt-in page. Or you could have a yes-or-no consent form where they have to answer, but it is not defaulted to yes. The recommendation is a drop-down page: have a sandwich page between the giveaway and the lead magnet, a “hey, one more thing” page with the opt-in and its great benefits, with a yes or no (and if they click yes you put them in a pile and save the form). This one can be better and get a better response than option 1.
The consent form on the opt-in page. Get an opt-in on the delivery page or email: congratulations on the download, but then include a call to action.
Lastly, in the lead magnet itself, put a paragraph that asks them to opt into your list while they are reading it. It gives a reminder about the freebies. If you send them to another page to opt in, then you have a record. The smart way to go is to include it in several places. Think touchpoints, like in all marketing.
Guidance for non-EU marketers.
- I won’t use anything until the delivery email, because we can segment out.
3. Privacy Policy in GDPR
You have always needed one of these, and now you need it more, and it needs to change slightly. If you collect data or advertise, you already know you need a privacy policy. So here is what you need to know:
- The role your privacy policy plays and will play (why it is important).
- Information to include in your policy.
- Where to put the policy and links to the policy.
The role of the privacy policy. Under the new rules of the GDPR, you are required to inform people (especially those in the EU) at the time you collect information. The way you provide this information is through your privacy policy. If you don’t have a privacy policy you need one, because of other laws and not just this new one. With non-compliance come steep fines. You need to get these things in place and provide the right info. What to include: there are 3 pieces (6 from what we hear, but only 3 apply).
- Provide relevant contact details. Contact info: disclose the identity of the company, have contact info, and if you need a representative, where to find them (for larger businesses). The Data Protection Officer’s contact details should be there. This would be more for Facebook, Google, Leadpages, and other larger organizations.
- The what and why: the purpose and the legal basis (remember the 1 of 3 things: consent, fulfilling a contract, legitimate interest; spell it out here). You have to let people know what info you collect and the basis for collecting it. You have to disclose what you collect and why you collect it, and you need a legitimate interest basis. For example, you state you collect data to improve services/user experience. We’d use this if you’re collecting certain data. This is about analytics in our view. Google will outline in their privacy policy what they collect, but you should have a link to your privacy policy, or put the information they ask you to include in your privacy policy.
- What you are going to do with the data, including who gets access to it. Most of us don’t share our data, but if we do we need to be aware of this (this is where the plugin stuff comes in). You can use categories (plugins, etc.), but that being said we aren’t too sure on this yet. Under the GDPR you must also disclose visitors’ rights. You have to say what you do with the data. If there are 3rd-party plugins that receive your data you need to address this (I believe).
For user rights: you need to let people know how long you plan on keeping the data. You need to tell them they have the right to request access, to have the data erased or fixed, and to withdraw consent at any time. You need to let people know they have the right to complain to an authority. Lastly, you need to let people know whether a statute or contract requires the personal data. This means letting people know that you won’t ask for additional data. The very last thing is the existence of automated decision making. Not sure about this part.
Where to put your policy
You create a standalone page outlining your policy. First and foremost, link to that policy in the footer of your website. Then put links to the policy anywhere you collect data: every sales page, every thank-you page, every lead box.
4. Website, WordPress, Plugins, Contact Forms
Did you know that Your Website is a Contract Between You and Your Users? You are accountable for the information provided and consequently, you need to think of the legal ramifications. Privacy policies are a must.
Other things you should consider before users submit their information in a contact form.
You should get their explicit consent with a checkbox that they know that they are giving over their information. This means on our general contact forms on our websites we might have to update them to get that direct consent we need.
Another thing to consider is comments.
What a kettle of worms right!
Before users can leave a comment they need to be able to consent. That could mean another checkbox.
We have to disclose on our site that we will store their comments and information relating to those comments such as the date and computer’s IP address and let them (the users) know how the information is used. I think we can include that info in the privacy policy and we should be fine.
And lastly, we need to include a reminder to let people know what information may be displayed publicly (name/URL/other) if they submit a comment. Maybe people in the EU will have to delete all their comments, or we will, if we can’t figure out where those people are from and/or get consent from them to leave the comments up.
It seems the more information I learn the more questions I have.
GDPR compliance means you have many options for plugins
Plugins to Help You Manage GDPR
I think we have to check what plugins we use and whether they comply with the GDPR. I think the confusion sets in when you realize that different plugins collect data. For example, Contact Form 7, the most widely used contact form plugin: they are collecting data for you, so they have to comply.
But are they?
The WordPress plugin Shariff Wrapper has right in its docs how it complies. I think moving forward we should definitely be checking what our plugins do and how they are managing themselves. I think if you put information about 3rd-party plugins in your privacy policy you will be okay. Again, I am not a lawyer.
There are a few other plugins Social Media Examiner mentions: GDPR Personal Data Report, Wider Gravity Forms Stop Entries, and Delete Me, which could suit your needs.
For ourselves, we are going with the GDPR plugin. Firstly, it is free, and it has documentation so you know how to get started, which most of the other plugins lacked. It creates a nice and simple overlay at the bottom of your website which lets your users know that you are tracking with cookies. They can consent to tracking with cookies as well as click on a link to your privacy policy. There’s my recommendation. On to Google next 🙂
5. Google and Analytics (and cookies)
The Google Analytics advertising features (Demographics and Interest Reports, Remarketing with GA, and DCM integration) require the use of 3rd-party cookies, i.e. the sharing of data with organizations other than the website being visited itself. If you use these advertising features in GA, you must request explicit consent. If you do not use them, then you don’t have to. Hence the privacy implications.
If you use Google Analytics, chances are you are collecting user IDs/personal data (IP addresses, cookies). To be GDPR-compliant you have to be able to anonymize the data before you store and process it. Easy, right! I don’t even know how to do that.
Option 2, the simplest route: require consent by default, for all your visitors. That way there are no grey areas, and this is what we are thinking of for our clients: adding an overlay to the website that gives users notice of the use of cookies. We would ask for consent before they move along on our website. A permission click box might make people leave, but it will ensure we are acting on our understanding of the new regulations.
How will our clients like it?
Well, they will probably ask questions. I might just direct them to this amazeballs blog post. Hopefully they are fast readers. Asking users for permission will help us with all tracking on our site, including tracking from pixels and retargeting. And this might make us more prepared for the new/old cookie regulation.
This law requires websites to get consent to store or retrieve any information on a computer, smartphone or tablet, giving individuals the right to refuse the use of cookies that they believe reduce their online privacy.
What Google does
Let’s think about what Google does for a second. Google collects information on things you do, things you create and things that make you, you. We are most concerned with the things you do. This can include:
Things you search for, websites you visit, videos you watch, advertisements you click on/or tap, your location, device information IP address and cookie data.
Google makes it easy for you to manage and see what data is being collected. You can manage the types of data collected, update your personal information, and adjust the types of ads Google shows you. You can change these settings as often as you want; go to Google’s Checkup page for that. Google also gives users controls to manage their data. Your My Account page gives you access and tools to help manage privacy and security. Google makes commitments to its users. So that is what Google does. And we should thank Google, as they work hard to make the Internet safer for everyone. They have a long history of developing Internet security technology that benefits users and the online world as a whole. With that being said, because of this and the new regulations, we as users and we as business owners need to make some adjustments to our digital assets to be in compliance.
Google is doing its part and we have to do ours. I know the waters are a bit muddy. We are all trying to navigate this new terrain. But safety first.
I recommend following what others are doing and paying attention to the big companies, but you definitely have to make your own decisions moving forward about how you are going to manage. Google and Facebook are in those trenches too, and much will happen in the coming days. Without them making changes we would not be able to do what we do online.
Retargeting ads and tracking pixels. If your website uses remarketing ads, including the Facebook pixel, LinkedIn pixel, or Tag Manager, I think website visitors must be informed when they enter your site. You will immediately need informed consent. Does your company use pixels or cookies to capture personal information? Do you remarket to your audience? If you do, you must get consent from visitors immediately when they enter your site. So we will list some plugins we find to help you out here. We’ll be doing our own trial and error on this starting now.
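As an added example (not code from this post, nor from the GDPR plugin or any other plugin mentioned), here is how a default-deny consent gate can implement the two points above: no analytics or pixel call fires until the visitor has recorded a yes for that category, and when analytics is allowed, IP anonymization is switched on before the first hit. The cookie name, the category names and the tracking id are assumptions.

```javascript
// Added example, not code from the post: a default-deny consent gate for analytics
// and retargeting tags. Nothing fires until the visitor recorded a "yes" for that
// category; earlier calls are queued and replayed only for granted categories. The
// cookie name, category names and tracking id "UA-XXXXX-Y" are placeholders.
const CONSENT_COOKIE = 'gdpr_consent';
const CATEGORIES = ['analytics', 'marketing'];
// Parse a document.cookie-style string. Absent or malformed cookie means no
// consent is recorded, so the overlay the post describes must be shown first.
function parseConsent(cookieHeader) {
  const consent = { recorded: false, analytics: false, marketing: false };
  if (typeof cookieHeader !== 'string') return consent;
  for (const part of cookieHeader.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    let value;
    try { value = decodeURIComponent(part.slice(eq + 1).trim()); } catch (e) { return consent; }
    consent.recorded = true;
    for (const item of value.split(',')) {
      const [category, flag] = item.split(':');
      if (CATEGORIES.includes(category)) consent[category] = flag === '1';
    }
  }
  return consent;
}
// Serialize the visitor's choices; anything that is not an explicit true is "0".
function serializeConsent(choices) {
  return CATEGORIES.map((c) => `${c}:${choices[c] === true ? '1' : '0'}`).join(',');
}
// analytics.js command queue for a granted session: anonymizeIp is set before
// the first hit so Google truncates the IP address before storing it.
function analyticsCommands(trackingId) {
  return [['create', trackingId, 'auto'], ['set', 'anonymizeIp', true], ['send', 'pageview']];
}

class ConsentGate {
  // loaders: { analytics: fn(event), marketing: fn(event) } that inject the real tags.
  constructor(loaders, cookieHeader) {
    this.loaders = loaders;
    this.consent = parseConsent(cookieHeader);
    this.queue = [];
  }
  needsPrompt() { return !this.consent.recorded; }
  // Called by page code (pageview, pixel events). Fires only on a recorded "yes";
  // a recorded "no" drops the call rather than queuing it for a later re-ask.
  track(category, event) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.consent[category]) this.loaders[category](event);
    else if (!this.consent.recorded) this.queue.push({ category, event });
  }
  // Visitor answered the overlay: record the choice (the returned cookie string is
  // what the page would write to document.cookie), replay granted calls, drop the rest.
  decide(choices) {
    const cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(choices))}`;
    this.consent = parseConsent(cookie);
    const pending = this.queue;
    this.queue = [];
    let fired = 0;
    for (const { category, event } of pending) {
      if (this.consent[category]) { this.loaders[category](event); fired += 1; }
    }
    return { cookie, fired };
  }
}
// Constructed demo: a returning visitor who said yes to analytics and no to
// retargeting. The GA pageview fires (with anonymizeIp set); the pixel does not.
function demo() {
  const fired = [];
  const gate = new ConsentGate(
    { analytics: (e) => fired.push(['ga', e]), marketing: (e) => fired.push(['fb_pixel', e]) },
    'session=abc; gdpr_consent=analytics%3A1%2Cmarketing%3A0');
  gate.track('analytics', analyticsCommands('UA-XXXXX-Y'));
  gate.track('marketing', 'PageView');
  return { prompt: gate.needsPrompt(), fired };
}
```

In a real page the loaders would inject the analytics.js snippet and the pixel scripts, and `decide` would be wired to the yes/no buttons of the overlay.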
What a hot mess, right!
Oh, my goodness, so many things to worry about.
I felt my stress level go up 10-fold. I quieted that feeling, but as I dig into the info I get more worried. So many others are in the same boat. The last thing I want to touch on
Conclusion
Yep, we are close to the end here. Right? It took long enough.
We covered a lot. Albeit this article might have left you with more questions. If you are just jumping into this right now check out all our resources. They really helped us.
We want to give a special shout-out to Bobby from Your Online Genius and the Measure School because without them we’d be way more lost.
Ready or not, GDPR is coming and compliance is mandatory. Hold on to your hat! May 25, 2018, is just around the corner. The GDPR is likely going to impact your business; however, by being knowledgeable and prepared you can ensure your compliance.
Sign up Get Your Checklist.
It is the checklist we are following. So if you have questions you can always ask.
What do you think? Will you be taking some steps to be GDPR-compliant? Listen to a few online experts. Our specialists dive into a conversation.
Best tip:
Don’t panic. Realize everyone is struggling with this, and if you follow what the professionals are doing you’ll probably be alright.
Contact us if you are in need of a marketing strategy.
Increasing your visitors, sales, and social reach is a team effort. We share your cause while living ours. Let’s come together and bring the change you feel you need.
GDPR References
- Measure School (video): GDPR Compliance – The Steps I Take to Prepare
- Google: Getting ready for Europe’s new data protection rules
- Google: How Ads Work
- Google: Business and data
- Social Media Examiner: How GDPR Impacts Marketers: What You Need to
- Your Online Genius: How to Comply with the GDPR
- Privacy
- Fellowship Productions: How Do You Make Your Website GDPR Compliant and What Is the General Data Protection Regulation Anyway?
- attorney-drafted documents.
- Google: Welcome to the Google Privacy Policy
- Brian Clifton: Google Analytics, GDPR, and Consent
For how to write a GDPR-compliant To and Privacy Policy:
- Smart Insights: Example forms
- Shopify: Privacy Policy
- https://digitalmarketinginstitute.com/blog/05-04-2018-the-definitive-gdpr-checklist-for-marketers