Before we get started: this is part two of a monster blog post. The GDPR is a sweeping new legislation that will affect most creative business owners and will have a direct impact on how many business owners can (legally) operate their businesses online. Please remember that this information is provided for informational purposes, and is not intended to be legal advice. If you have questions about how this law will affect your individual business, I encourage you to reach out to an attorney in your state.
You know a blog post is going to be jam-packed with information when it begins with a table of contents… and that is exactly what is about to happen. After reading through the entire regulation, I can tell you one thing: this law is dense. It’s wordy, and it’s easy to confuse. For that reason, when deciding how to organize this material, I opted to include all the material that I think you need to know as a business owner. The material as a whole will be broken into two parts: Part I (previous post) covered topics 1-8 below, and Part II (this post) will cover section 9. Here’s a snapshot of what to expect:
Cookie Notice Requirements
Email List Legality Under The GDPR
One thing I want to note: This post is an overview of the GDPR, so you generally understand what the regulation is. However, I have created a complete guide to GDPR compliance that will map out the literal steps you must take before May 25th and after, in order to comply. Download the guide here:
Additionally, this post won’t make much sense unless you read Part I, here.
Without further ado, let’s get started!
By now, chances are you’ve heard that the GDPR will be taking effect this month, and if you hadn’t heard that yet, consider this your official heads-up: if you have a business that “services” any citizen of the EU, then this law applies to you. The GDPR will have global influence. Unless you can absolutely guarantee that no users from the EU will ever find their way to your website, you’ll need a GDPR notice and compliant consent measures.
The GDPR is a sweeping new privacy regulation that is designed to protect the privacy of citizens in the EU, empowering them with control over exactly how their personal data is processed. This includes how it’s collected, stored, and then used. You may be thinking to yourself, “Well, that’s fine, but I don’t have any EU clients, I’m in the clear!” Not quite so. Do you have an email list with any EU members on it? Do you know if EU citizens have ever left a comment on your site, or if you have processed their information via Google Analytics? You probably can’t say for certain, so better safe than sorry. And while it’s admittedly a pain to acquaint ourselves with such a dense new law, it’s important to understand why this legislation is taking place: for the enhanced security of personal information online. Even though, as it currently stands, the GDPR is an EU-specific law (and already adopted by the UK), I wouldn’t be surprised if this is just the first step of many that the rest of the world will take in regulating the processing of online personal data. In a time when we hear about hackers causing serious data breaches or shady companies selling email lists, the GDPR is simply putting the power to protect personal data back in the hands of users.
A more practical reason why you should care? Noncompliance will mean you are liable for very, very hefty fines. The maximum assessable penalty for noncompliance with the GDPR is 4% of the annual global revenue generated by the company. Liability for these fines will primarily arise out of failing to obtain sufficient consent, or failing to abide by the procedures set forth below.
Simply put, the GDPR will govern how you may process the data of EU members. “Processing”, in this sense, can be defined as “doing anything with that data”. For you, this means that the GDPR will govern anything you do with the personal data you collect from EU users (by “users”, I mean users of your website). The period of governance applies to everything you do with that data from collection point to deletion point.
The GDPR vests you with a duty of care regarding the security of your users’ personal data. All personal data that you store must be held securely, and you must be able to demonstrate what processes you have in place for doing so. The GDPR governs the safeguards you have in place as well as where you store that data. As a note, if you are transferring personal data to a US-based company, you should check that it is certified under Privacy Shield, which allows data transfers between the US and the EU. For example, you will want to check your email list service, as well as your website hosting service.
(numbers 6 & 7 are applicable for larger corporations only)
This is key: although you may not even realize it, the GDPR classifies you as a “controller” of information, the person who collects and controls what happens with that data. A third-party system, such as your website or your email service, is a “processor”; basically, you direct them to collect the personal data of users. For example, when someone signs up for your email list, the user will likely provide you with their name and email address. This is considered “personal data”, and that information is then stored in your email list system (i.e., Mailchimp, ConvertKit, etc.). As the controller of the information, you have a duty of care to ensure that all of your processors are compliant.
Processors and Controllers Defined:
The GDPR will apply to both data ‘controllers’ and ‘processors’.
As such, each has certain responsibilities under the GDPR:
As a controller of information, you must ensure that your third-party processors are compliant. This means your website hosting platform, your email list service, and any other third parties who process data. I highly encourage you to look at any of your third-party processors’ websites and see what procedures they have put in place. WordPress users, you may have an extra step: you need to make sure that all of your plugins are compliant as well. A great guide on the subject can be found here: https://www.codeinwp.com/blog/complete-wordpress-gdpr-guide/.
I have written out a complete guide to email list legality under the GDPR for you here: