Before we get started: this will be a monster blog post. The GDPR is a sweeping new piece of legislation that will affect most creative business owners and will have a direct impact on how many business owners can (legally) operate their businesses online. Please remember that this information is provided for informational purposes only, and is not intended to be legal advice. If you have questions about how this law will affect your individual business, I encourage you to reach out to an attorney in your state.
You know a blog post is going to be jam-packed with information when it begins with a table of contents... and that is exactly what is about to happen. After reading through the entire regulation, I can tell you one thing: this law is dense. It's wordy, and it's easy to get confused by. For that reason, when deciding how to organize this material, I opted to include everything that I think you need to know as a business owner. The material as a whole will be broken into two parts: Part I (this post) will cover topics 1-8 below, and Part II, which will be a separate post, will cover section 9. Here's a snapshot of what to expect:
Cookie Notice Requirements
Email List Legality Under The GDPR
One thing I want to note: This post is an overview of the GDPR, so you generally understand what the regulation is. However, I have created a complete guide to GDPR compliance that will map out the literal steps you must take before May 25th and after, in order to comply. Download the guide here:
So without further ado, let’s get started!
By now, chances are you've heard that the GDPR will be taking effect this month, and if you hadn't heard that yet, consider this your official heads-up: if you have a business that "services" any citizen of the EU, then this law applies to you. The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you'll need a GDPR notice and compliant consent measures.
The GDPR is a sweeping new security measure that is designed to protect the privacy of citizens in the EU, empowering them with control over exactly how their personal data is processed. This includes how it's collected, stored, and then used. You may be thinking to yourself, "Well that's fine, but I don't have any EU clients, I'm in the clear!" Not quite so. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can't say for certain, so better safe than sorry. And while it's admittedly a pain to acquaint ourselves with such a dense new law, it's important to understand why this legislation is taking place: for the enhanced security of personal information online. Even though, as it currently stands, the GDPR is an EU-specific law (and already adopted by the UK), I wouldn't be surprised if this is just the first of many steps that the rest of the world will take in regulating the processing of online personal data. In a time when we hear about hackers causing serious data breaches or shady companies selling email lists, the GDPR is simply putting the power to protect personal data back in the hands of users.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. Liability for these fines will primarily arise out of failing to obtain sufficient consent, or failing to abide by the procedures set forth below.
Simply put, the GDPR will govern how you may process the data of EU members. "Processing", in this sense, can be defined as "doing anything with that data". For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by "users", I mean users of your website). The period of governance covers everything you do with that data, from the point of collection to the point of deletion.
This is a trick question with an important distinction: the GDPR protects EU users, but applies to any business that collects personal data of EU users (more on that below). It doesn't matter if you're in the US, Canada, etc.; it applies to any relationship, transactional or otherwise, where one party is geographically located in the EU. This could be either the website owner or the user. The only time the GDPR will not apply is when both parties are not located in the EU. For your purposes, just play it safe and assume that the GDPR applies to you. According to Article 2 of the GDPR, the only time it will not apply is when processing is carried out:
in the course of an activity which falls outside the scope of Union law;
by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Basically, if you use personal data for any business-based reason, the GDPR applies. You will only be able to keep that data if you have a "legal reason" to do so, such as tax purposes.
So, what is "personal data"? "Personal data" is anything that can identify the user or monitor what they are doing. It commonly includes:
Important for online business owners: this definition of personal data will most likely include any type of information that you process and add to a database. For example, all of your online quizzes, email opt-ins or incentive downloads, surveys, and tagging or segmenting in your email list.
However, keep in mind my original definition: if you aren't sure whether the info you have is "personal data", ask yourself if your info on the user can identify them or monitor their use of your site. Websites commonly collect "personal data" through comments on blogs, contact form entries, analytics, logging tools and plugins, security tools and plugins, and user registrations.
If "personal data" is defined so broadly, how can you actually use information such as someone's name or IP address? To use personal data, you must comply with ALL 6 PILLARS, and obtain express consent (more on this below). According to the GDPR, there are 6 main pillars that define the scope of GDPR compliance:
1. Data shall be processed "lawfully, fairly, and in a transparent manner." In other words, you can only collect personal data if you have a legal reason to do so.
2. Data processing shall be "limited to what is necessary" for the purpose. Some personal data may be essential for your business. For example, if you have an online shop, you will need your customers' names, credit card information, and possibly their address. However, you may ONLY collect what is necessary for that purpose. Which leads us to:
3. Data shall be "collected for specified, explicit and legitimate purposes." Not only must your purposes be necessary, but you must be able to explain why.
4. Data shall be "processed in a manner that ensures appropriate security." You must (already) be putting protections in place to protect the data you use, such as SSL certificates. In other words, keep it behind a password-protected wall.
Numbers 5 and 6 dictate your duty of care regarding your use of the personal data. They apply mostly to larger-scale businesses, such as Facebook.
5. Data may only be kept in a form that identifies a person for "no longer than is necessary."
6. Data shall be accurate, kept up to date, and corrected where inaccurate.
Don’t forget, you can find a step-by-step guide for how to prepare your business here.
If you are going to read ANY of this article, it needs to be this paragraph.
This is a specific note that I want to point out for creatives: I know it is standard procedure, for example in webinars, for the host of the webinar to give the interviewee the email list of signups from the webinar. I believe this will no longer be permissible under the GDPR, because the user did not specifically consent to the interviewee having that personal data.
This also means that you may never automatically add people to your list or, of course, sell lists, though this was never legal anyway.
Examples of improper consent:
If you are collecting "cookie" information from your users, you must gain express consent from your users.
A "cookie" is a small file stored on the user's computer or on your server, holding data specific to that user. Cookies allow the website owner to deliver a page tailored to the user. According to Article 30 of the GDPR, cookies are considered "personal data", which means you must have a sufficient cookie notice under the GDPR.
According to the ICO, that notice must:
Important caveat: if your cookies collect analytics or share information with third-party partners, you must:
It may be wise to put an opt-out option in place on your site, or allow the user to choose which types of cookies they will accept.
And finally, you are responsible for ensuring that your third-party platforms (website hosting service, email marketing system, client management system, etc.) are compliant. I will be breaking this down in considerably more detail in Part II of this post, and I have created a complete guide to keeping your email list system GDPR compliant here.
Arguably, the biggest impact the GDPR will have on your business will be how you run your email list, so make sure you take the time to ensure that you’ve taken the right steps to “legalize” your list!