How the GDPR Applies to You
You've probably been hearing the term "GDPR" a lot lately. That's because it's a regulation that goes into effect on May 25, 2018. But what exactly is the GDPR and does it apply to you?
The General Data Protection Regulation ("GDPR") is an EU regulation that replaces the patchwork of national data-protection laws across the European Union. It was adopted in April 2016 and, after a two-year transition period, becomes enforceable this week. There's been a lot of education about this regulation in the online world because, if you're online, you need to be aware of it and comply with it. Today's blog post will explore the GDPR and give you some simple guidelines to know whether it applies to you.
The GDPR was passed in the EU to unify the data privacy laws across the region. If you've heard about the recent Facebook data-sharing scandal, then you can understand how important data privacy is: a data leak is not just disconcerting, it can also harm a business and result in investigation and litigation. The GDPR is built on several principles for handling personal data:
- data shall be processed in a lawful, fair and transparent manner;
- data shall be collected for specified, explicit and legitimate purposes;
- data processing shall be limited to what is necessary for those purposes;
- data shall be accurate and, where necessary, kept up to date;
- data shall be kept in a form that identifies the person for no longer than necessary; and
- data shall be processed in a manner that ensures appropriate security.
SO, if this law was passed in the EU, does it apply to you if you're in the U.S.?
The answer is yes. Although this is a European law, it reaches anyone, wherever located, who collects, processes or stores the personal data of people in the EU through a website or online business. Therefore, even if you are not located in the EU, this law applies to you when:
- You offer goods or services (paid or free) to people in the EU
- You collect personal data from people in the EU
- You monitor the behaviour of people in the EU (for example with analytics or tracking cookies)
- You sell and/or ship goods to consumers in the EU
- You send emails or newsletters to people in the EU.
Don't do these things? Then you likely don't have to comply with the GDPR, as long as you aren't collecting or monitoring data (think mailing lists, website statistics, etc.) from people in the EU. Even if you don't market to people in the EU, if someone in Europe wanted to buy your products, would you sell to them or say no? Further, the GDPR defines "personal data" broadly: it covers not just names and email addresses but online identifiers such as IP addresses, cookie IDs and social media profiles, so web analytics and ad tracking are processing of personal data. It applies whenever you process data of people in the EU, even if all you do is monitor their behaviour. Simply having a website that is reachable from Europe is not, by itself, enough to bring you under the regulation; what matters is whether you intend to offer goods or services to, or monitor, people in the EU. If you refuse to do business with people in Europe, then you likely don't have to comply. Enforcement is handled by the data protection authority in each EU member state, and fines can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher, with the amount scaled to the nature and gravity of the violation. Because there is a real risk of penalty, I recommend you take some action to comply with this regulation if anyone on your email list is from the EU.
To market to someone in the EU you need consent that is "freely given, specific, informed and unambiguous". Be aware that this consent must be given by a clear affirmative action, such as ticking an unticked box; silence, pre-ticked boxes or inactivity do not count. Thus, you cannot merely add someone to your email list because they bought a product from you or signed up for a lead magnet or a freebie you offered. Rather, you need them to join your email list voluntarily, knowing what they are signing up for. This also applies to your existing list: consent collected before May 25 only remains valid if it was obtained to this same standard.
How do you comply with the GDPR?
- Create compliant Opt-ins
- Do not keep the data of a person who opts out or has not given voluntary consent
- Work with a GDPR specialist if you target customers in the EU
The trick here is to be extra careful in the way you handle other people's data. I've had an online business for over six years and have not yet encountered any problems (knock on wood) because I have always taken the extra measures to protect my customers' data and have not misused it in any way. Getting legally compliant is part of owning a business. It's not merely a recommendation for having a better business; it is required when you have a business. If you do a lot of business in the EU, then you should probably work with a GDPR specialist to cover all your bases, from your website to your marketing and sales.
The first step you should take before May 25th is to segment your email list and identify anyone on it who is in the EU. If you find EU subscribers, send them an email asking for their consent to stay on your list going forward. Your goal is to get them to re-opt in to your list voluntarily. If you can't get this by the 25th, then you should delete them from your list. For subscribers outside the EU, the GDPR does not require a re-engagement campaign.