Before we get started: this is part two of a monster blog post. The GDPR is a sweeping new regulation that will affect most creative business owners and will have a direct impact on how many business owners can (legally) operate their businesses online. Please remember that this information is provided for informational purposes only and is not intended to be legal advice. If you have questions about how this law will affect your individual business, I encourage you to reach out to an attorney in your state.
You know a blog post is going to be jam-packed with information when it begins with a table of contents… and that is exactly what is about to happen. After reading through the entire regulation, I can tell you one thing: this law is dense. It’s wordy, and it’s easy to confuse. For that reason, when deciding how to organize this material, I opted to include all the material that I think you need to know as a business owner. The material as a whole is broken into two parts: Part I (previous post) covered topics 1-8 below, and Part II (this post) will cover section 9. Here’s a snapshot of what to expect:
- What is the GDPR, and why do I care if I’m not an EU citizen? (Find the actual regulation here)
- What is covered by the GDPR
- To whom does the GDPR apply?
- Personal Data
- How to legally use personal data
- Scope of the GDPR
- Privacy Policies and the GDPR
- Consent under the GDPR (this is the most important part of this entire article)
  - Cookie Notice Requirements
  - Email List Legality Under the GDPR
- Data processors and controllers
- What You Need To Know If You Have A Website, Email List, or Some Other “Processing System”
One thing I want to note: This post is an overview of the GDPR, so you generally understand what the regulation is. However, I have created a complete guide to GDPR compliance that will map out the literal steps you must take before May 25th and after, in order to comply. Download the guide here:
Additionally, this post won’t make much sense unless you read Part I, here.
Without further ado, let’s get started!
Review: What is the GDPR, and why do I care if I’m not an EU citizen?
By now, chances are you’ve heard that the GDPR will be taking effect this month. If you hadn’t heard that yet, consider this your official heads-up: if you have a business that “services” any citizen of the EU, then this law applies to you. The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need a GDPR notice and compliant consent measures.
The GDPR is a sweeping new security measure that is designed to protect the privacy of citizens in the EU, empowering them with control over exactly how their personal data is processed. This includes how it’s collected, stored, and then used. You may be thinking to yourself, “Well, that’s fine, but I don’t have any EU clients, I’m in the clear!” Not quite. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so better safe than sorry. And while it’s admittedly a pain to acquaint ourselves with such a dense new law, it’s important to understand why this legislation is taking place: for the enhanced security of personal information online. Even though, as it currently stands, the GDPR is an EU-specific law (and already adopted by the UK), I wouldn’t be surprised if this is just the first step of many that the rest of the world will take in regulating the processing of online personal data. In a time when we hear about hackers causing serious data breaches or shady companies selling email lists, the GDPR is simply putting the power to protect personal data back in the hands of users.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. Liability for these fines will primarily arise out of failing to obtain sufficient consent, or failing to abide by the procedures set forth below.
What is covered by the GDPR:
Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website). The period of governance covers everything you do with that data, from the point of collection to the point of deletion.
9. Data Security and Processes
The GDPR vests you with a duty of care regarding the security of your users’ personal data. All personal data that you store must be held securely, and you must be able to demonstrate what processes you have in place for doing so. The GDPR governs the safeguards you have in place as well as where you store that data. As a note, if you are transferring personal data to a US-based company, you should check and see that they’re certified with Privacy Shield, which allows data transfers between the US and EU. For example, you will want to check your email list server as well as your website hosting service.
There are 5 required procedures under the GDPR I want you to be aware of (numbers 6 & 7 are applicable for larger corporations only):
- If you have a data breach and personal data has been compromised, you must notify the GDPR within 72 hours.
- Right to access, right to be forgotten, and right to erasure: if a user asks, you must be able to tell them
  - whether their personal data is being processed, where, and why;
  - what procedures you have to erase the user’s personal data and remove them from your system if requested.
- Data Portability: you must be able to provide the user with copies of their data, free of charge.
- Privacy by Design: you must process personal data only as necessary, and only on a legal basis. The only employees who should be able to access personal data are those who need it to do their jobs (a need-to-know basis).
- Nominate a Data Protection Officer: generally, only if you have over 250 employees.
10. What You Need To Know If You Have A Website, Email List, or Some Other “Processing System”
This is key: although you may not even realize it, the GDPR classifies you as a “controller” of information, the person who collects and controls what happens with that data. A third-party system, such as your website or your email server, is a “processor”: basically, you direct them to collect the personal data of users. For example, when someone signs up for your email list, the user will likely provide you with their name and email address. This is considered “personal data”, and that information is then stored in your email list system (i.e., Mailchimp, ConvertKit, etc.). As the controller of the information, you have a duty of care to ensure that all of your processors are compliant.
A. Am I a data controller or a data processor?
Processors and Controllers Defined:
- Processing is any operation performed on personal data. This may include storing, collecting, or recording personal data. If you keep ALL of this information on, say, a spreadsheet, then you are both the processor and the controller. If, however, you collect personal data from a user and then store the information in something like an email management system, that email management system is:
- A controller, which holds personal data and also decides the purpose of the data processing activities. Your email management system, CMS, etc. are controllers.
The GDPR will apply to both data ‘controllers’ and ‘processors’.
As such, each has certain responsibilities under the GDPR:
- “Processors” must:
  - Keep details of any transfers to countries outside the European Economic Area (EEA)
  - Implement appropriate security measures
  - Be able to explain those systems
  - Notify the GDPR if a breach occurs
  - Keep updated records of the personal data you have and collect, including “data subject categories”
- “Controllers” must:
  - This is a trick question, because controllers are by nature also processors of information. Therefore, they are subject to the same responsibilities as above, and must also abide by certain procedures, which you can find here.
B. Keeping your website and email list legal
As a controller of information, you must ensure that your third-party processors are compliant. This means your website hosting platform, your email list provider, and any other third parties who process data. I highly encourage you to look at each of your third-party processors’ websites and see what procedures they have put in place. WordPress users, you may have an extra step: you need to make sure that all of your plugins are compliant as well. A great guide on the subject can be found here: https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/.
I have written out a complete guide of email list legality under the GDPR for you here: