Later this month, on May 25, the GDPR data protection and privacy law goes into effect. GDPR, or General Data Protection Regulation, is a set of rules protecting citizens and residents of the European Union that governs how companies handle their personal data. Email marketing and marketing automation activities are clearly affected. But many small businesses and nonprofits are not aware that you also need to be sensitive to GDPR if you collect personally identifiable information in any way, including through contact-us forms and website analytics. There's a forest of GDPR information out there, so my goal is to highlight the key landmarks for you.
Who Does the GDPR Affect?
GDPR applies to you the moment you collect data from someone who lives in one of the 28 member countries of the EU. If you collect customer data of any kind that could be personally identifying (email address, name, IP address, device, etc.), or you use software that does this on your behalf (tracking software, Google Analytics, marketing automation, a sales CRM), then you are affected and must follow the data privacy regulations of the GDPR. That means every organization, anywhere in the world, that processes or holds personal data of people living in the EU.
How do you know if the information you hold belongs to a member of the EU? You probably don’t. So, it is best to assume it does and use the same compliance regulations for all the data you collect.
What do I have to do to comply with GDPR?
There are many checklists and guides available to help you plan your compliance with GDPR. Here is a quick summary:
- You need to have consent to collect and use personal data. This consent needs to be specific and documented.
- You must be able to produce a record of an individual's personal data that they can access and change or update.
- In every email you send, you need to be clear about how and why you obtained the email address, who you are, and why you are emailing the recipient.
- It is wise to use a double opt-in: confirm that the person submitted their information and restate how you will use it.
- In your opt-in process, you need to be clear about what individuals can expect in return for providing their email address (for example: weekly blog posts and an occasional special report).
- You need to provide a clearly visible opt-out on every communication.
- Do not buy lists. Do not use lists from others. While EU residents may have given the original organization consent for specific purposes, they did not give it to you.
You will need to provide a disclosure statement as soon as you start collecting data. If you have website tracking software (such as Google Analytics), you should provide that statement as soon as someone visits your website.
Sample website disclosure graphic:
Website traffic analytics
Just about everyone with a website is, or should be, gathering traffic data on their visitors, and most of you use Google Analytics to do it. Unfortunately, Google's guidance on GDPR compliance isn't exactly user friendly, so here's a brief video from Christopher S. Penn on the subject.
It is extremely likely GDPR applies to you and your organization. It is better to take steps now to become compliant than to face possible consequences (including costly fines) later.
- The Communicator’s GDPR Checklist and Resource Guide, Spin Sucks PR
- You Ask, I Answer: GDPR 101 for Marketers, C.S. Penn
- Are you GDPR ready?, HubSpot