This post (along with other posts and pages on this site) may include affiliate links. If you make a purchase from an affiliate link, I may receive a commission at no additional cost to you.
Hopefully by now you’ve heard about GDPR – the changes to privacy and data protection that go into effect on 25 May 2018 for people in the EU. If you have – or if you haven’t – here’s an overview of what you need to know.
Please note – I am NOT a lawyer, and while I’ve studied GDPR a lot, this does not constitute legal advice. The best advice I have seen for online entrepreneurs is from Suzanne Dibble. Join her Facebook group and get her GDPR readiness pack here. (Affiliate link – because it’s THAT good.)
What is GDPR?
GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679). It’s the new set of rules about data privacy and data “processing” (i.e., collecting, storing or using that information) that will govern data about people in the EU.
Does GDPR apply to you?
You may be sitting back and thinking that if your business isn’t in the EU, GDPR doesn’t apply to you. Sorry, but that’s not the case. The regulation follows the person whose data you hold, not the location of your business. Even if you’re headquartered in Georgia, South Africa or Tahiti, if you have email subscribers or customers in the EU, then you need to be GDPR compliant.
What does the GDPR cover?
Under the GDPR, people have more control over how organizations and businesses store and “process” (aka use) their personal data. Personal data is any information that relates to an identified or identifiable person – it’s what makes a person a “person” and not just a number.
For example, when you look at your Google Analytics reports, you can dig in and see how people moved around your website – but you don’t know whether that was John or Sally or Fred. To you, they look anonymous. Be careful with that assumption, though: GDPR treats online identifiers such as cookie IDs and IP addresses as personal data too, so the tracking behind those reports still counts as processing, even if you never see a name.
On the other hand, if someone signs up for your email newsletter – now they’re clearly a person. They’re Amanda, and they have a real email address. That name and email address, along with any other information you collect about them, is personal data.
With GDPR, people have the right to ask you what personal data you hold about them, have it corrected, receive a copy of it, and request that you delete it. They can also object to certain processing and withdraw consent they have given.
You also need to keep track of *why* you are processing their data – the “lawful basis”. In most cases as a blogger, you’ll rely on one of these three:
- consent (i.e., they gave you clear, affirmative permission, such as ticking an un-ticked box or signing up for your newsletter without a freebie attached – a pre-ticked box or silence doesn’t count); or,
- legitimate interest (i.e., there’s a reasonable expectation that the data will be processed – as in, they requested information from you and you’re delivering it – and your interest isn’t outweighed by theirs); or,
- performance of a contract (i.e., they purchased something from you, and you need their data to complete the order).
How do you get ready to comply with GDPR?
There are several steps you need to take to get ready for GDPR compliance. Here are the basics:
- Map everywhere that you hold personal data. You don’t have to have a fancy system to do this – just a simple spreadsheet will do.
- Identify whether you hold sensitive data (the GDPR calls it “special category data”). This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation. Processing it needs a stronger justification, such as explicit consent.
- Figure out the lawful basis on which you are processing each piece of data. Remember, the lawful bases are:
– consent of the data subject
– performance of a contract
– compliance with a legal obligation
– protecting the vital interests of the data subject
– processing in the public interest or under official authority of the controller (rare for an online entrepreneur)
– necessary for the legitimate interests of the controller (that’s you!) – except where the interests or rights of the data subject override those of the controller.
- Identify where you transfer the data to third parties – like email service providers, scheduling systems, etc. – and in which country those services are located. Transfers outside the EU need a lawful transfer mechanism.
- Update your privacy notice to be GDPR compliant
- Add opt-in wording to your sign-up boxes to get clear, affirmative consent, and keep a record of that consent: who consented, when, to what wording, and through which form.
- Put a system in place for managing data subject requests (access, correction, deletion) and opt-outs, so you can respond within the one-month deadline.
- Check that your data processors are GDPR compliant, and put a data processing agreement in place with each of them – the GDPR requires a written contract between you and anyone who processes personal data on your behalf.
The GDPR was not created to make things harder for you – it’s designed to protect the privacy of individuals. By taking these steps, and keeping up with the guidance from regulators as it develops, you’re protecting both your business and your customers.
I don't have a crystal ball or a time machine, but I believe that with the Facebook data breach that came to light in April 2018, the US will introduce a bill to protect personal data as well – so being compliant with GDPR has the potential to help you be compliant with future regulations.