It's not just for the EU
GDPR Most Likely Affects Your Internet Business
Some internet business owners may not even be aware of the EU's GDPR, and those who are aware of it may believe it won't affect them. Wrong.
It's my position that if you have an internet business then you are affected by the GDPR. Period. And you need to take reasonable steps to be sure that you are compliant. I know that I'm taking the steps, and technically that all has to be done by May 25th, 2018.
What is GDPR
First off, I'm not a lawyer, or attorney, or legal advisor, or whatever you want to call it. So maybe you better not listen to me for legal advice. I'm just giving my opinion on a topic, just like so many other people are giving opinions.
GDPR is government regulation, and frankly to me it is a real pain. I can see that it has good intention behind it, but carrying out the intention amid the realities of the real world makes it fairly burdensome. And the penalties of non-compliance can be rather severe.
Anyway, I'm not a huge fan of these onerous government regulations but it is reality so - as they say - get over it and get on with it.
At a macro level, GDPR seeks to give individuals more control and say-so over their information. They do this by putting in regulations in several broad categories (which I paraphrase here):
- Full disclosure as to what information is collected about them, and, in what ways that information is going to be used.
- Default to a 'no' answer. Where consent is the basis for processing, individuals must explicitly say 'yes' before their information can be collected and used. (Consent is one of several lawful bases the regulation recognizes, but it is the one this post is concerned with.)
- Provide a means for individuals to request their information, delete the information, or move it to another party.
As I said, the intent behind this government regulation is good, but complying with it will put a lot of burden on you as an internet business. It's still a good idea to comply, because the penalties can be stiff. There are two tiers of fines. Which tier applies depends on the nature of the violation (which provisions of the regulation were breached); whether the controller (the company that is using the data) or the processor (the vendor that is processing the data on the controller's behalf) has committed violations in the past is one of the factors that sets the amount within a tier. But don't be lax: even the lower tier will prove to be an expensive proposition, at up to 2 percent of the company's worldwide annual turnover (revenue) or 10 million euros, whichever is higher. The higher tier runs to 4 percent of worldwide annual turnover or 20 million euros, again whichever is greater. It's not clear that the EU enforcers will be aggressive in enforcing this law, or that they even have the resources to enforce it. Most likely they will go for a few high-profile example cases that they can prosecute for the highest visibility, as Behnam Dayanim comments in this assessment on GDPR penalties.
And although this is an EU regulation, as an internet business owner I maintain that it applies to you. I state this because it applies to any business that collects personal data on individuals who are in the EU, wherever the business itself is located. There are two key points in that last sentence.
- Any personal data. The regulation's definition of personal data (what is loosely called individually identifiable information here) is broad: an email address, a name, or an IP address that can be tied to a person all qualify. The reality is that any internet business will, in some way, collect such data.
- The regulation only applies if you collect information on individuals in the EU. Note that it is about where the person is, not their citizenship. On a worldwide internet it would be very difficult never to deal with someone in the EU. And even if you state that you will not work with people in the EU, if someone ignores that and still initiates a relationship with you (e.g. opts in to your email list), you are responsible for being compliant with GDPR.
What You Need To Do
I'm not going to lay out all the details of everything you need to do, nor am I going to address every type of business. But I will give you some guidance on things you need to do if you are running an internet business.
You also need to provide clear procedures for an individual to obtain a copy of their information, delete their information, correct it, or transfer it.
If you want to roll your own feel free to do so. Here are a few resources that you can utilize:
Get explicit consent from people to collect and use their information
This pretty much means for any collection or data usage. When you have someone opt in for an ebook, get their consent. When you want to send someone a newsletter, get their consent. When you send someone to a quiz to fill out, get their consent.
Of course, there are multiple ways to get a person's consent, just make sure you get it.
And no more single opt-in: always use double opt-in, where the subscriber must click a confirmation link you email them before they are added to your list. That confirmation is your evidence that the person who owns the address actually asked for the mail.
Get consent from existing contacts
If you don't have explicit consent from your contacts, start getting it now. Find creative ways to convince them to stay with you, and if you can't convince them it may be better to delete them and all their data. Well, maybe not everyone: this doesn't have to apply to everyone on your list, but make sure that you do it for those you know are in the EU and for those you are unsure of. The reality is that there is the strict letter of the law, there is ambiguity in the law, and there is intent. Chances are that if you are a stand-up business, provide good information and don't annoy people, no one will complain.
Opt-in Forms Must Have Explicit Consent
When you have opt-in forms, you must get explicit consent from subscribers in two specific areas. However you collect this consent, you cannot default it to 'yes'. For example, you can't pre-check the box that states agreement; the individual must actively check the box. Likewise, if you gather consent with a yes/no dropdown, they must actively select the 'yes' item. The same applies on the server side: treat a missing or defaulted consent field as 'no'.
- They must explicitly agree to receive information from you.
However, explicit consent doesn't have to be in the form of checkboxes. It can be in the wording of the opt-in form itself. For example, an opt-in form with the original wording "Get your free investing ebook now" would not be compliant for subscribing someone to your newsletter email. But changing the wording to "Subscribe to our email and get your free investing ebook now" would work. By providing their email address they are consenting to the newsletter, and your wording is clear that they are subscribing. Keep a record of the exact wording each subscriber saw, since that is what you will point to if anyone asks what they agreed to. Here's a GDPR blog post on Wishloop that covers just that thought.
Opt-in Form With Required Consents
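The two mechanics above, double opt-in (under "Get explicit consent") and a server-side check that consent was actively given rather than defaulted, as an added example in Python. This is not code from the original post; it assumes a form that posts a checkbox named `newsletter_consent` with `value="yes"` (the field is absent when the box is unchecked), and `SECRET_KEY`, `CONSENT_WORDING`, `TOKEN_TTL` and the in-memory `ConsentStore` are placeholders standing in for real configuration and a database table.

```python
"""Consent capture and double opt-in for a newsletter signup.

Added illustration, not code from the original post. Assumptions: the
signup form posts a checkbox named `newsletter_consent` with value="yes"
(absent when unchecked); SECRET_KEY, CONSENT_WORDING and TOKEN_TTL are
placeholders you would load from configuration; ConsentStore stands in
for a database table.
"""
import base64
import binascii
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = b"replace-with-a-32-byte-random-key-from-your-secret-store"  # placeholder
CONSENT_WORDING = "Subscribe to our email and get your free investing ebook now"
TOKEN_TTL = 48 * 3600  # confirmation link is valid for 48 hours


class ConsentError(ValueError):
    """Raised when consent is missing or a confirmation token is invalid."""


@dataclass
class ConsentRecord:
    email: str
    purpose: str
    wording: str            # exact text the person agreed to, kept as evidence
    source_ip: str
    requested_at: int       # unix time the form was submitted
    confirmed_at: Optional[int] = None  # unix time the link was clicked


def make_confirmation_token(email: str, purpose: str, issued_at: int) -> str:
    """HMAC-signed token for the confirmation link (the double opt-in step)."""
    payload = f"{email}|{purpose}|{issued_at}".encode()
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_confirmation_token(token: str, now: int) -> tuple:
    """Check the signature in constant time and the age; return (email, purpose, issued_at)."""
    try:
        b64, mac = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error):
        raise ConsentError("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ConsentError("token signature mismatch")
    email, purpose, issued = payload.decode().split("|")
    issued_at = int(issued)
    if now - issued_at > TOKEN_TTL:
        raise ConsentError("confirmation link expired")
    return email, purpose, issued_at


class ConsentStore:
    """In-memory stand-in for the table where consent evidence is kept."""

    def __init__(self) -> None:
        self.pending = {}    # "email|purpose" -> ConsentRecord awaiting confirmation
        self.confirmed = {}  # "email|purpose" -> ConsentRecord with confirmed_at set

    def start_signup(self, form: dict, source_ip: str, now: int) -> str:
        """Server-side check of the opt-in form; returns the token to email out."""
        email = form.get("email", "").strip().lower()
        if "@" not in email or "|" in email:
            raise ConsentError("invalid email")
        # An unchecked box sends no field at all. Anything other than the literal
        # value an actively ticked box sends is treated as no consent, so a
        # pre-checked default or a tampered request cannot slip through.
        if form.get("newsletter_consent") != "yes":
            raise ConsentError("explicit consent not given")
        key = f"{email}|newsletter"
        self.pending[key] = ConsentRecord(email, "newsletter", CONSENT_WORDING, source_ip, now)
        return make_confirmation_token(email, "newsletter", now)

    def confirm(self, token: str, now: int) -> ConsentRecord:
        """Second step of double opt-in: only a valid, unexpired link subscribes the address."""
        email, purpose, issued_at = verify_confirmation_token(token, now)
        key = f"{email}|{purpose}"
        record = self.pending.get(key)
        if record is None or record.requested_at != issued_at:
            raise ConsentError("no matching pending signup")
        record.confirmed_at = now
        self.confirmed[key] = self.pending.pop(key)
        return record

    def is_subscribed(self, email: str, purpose: str = "newsletter") -> bool:
        return f"{email.strip().lower()}|{purpose}" in self.confirmed
```

Nothing reaches the mailing list until `confirm` succeeds, and the stored record keeps the wording, source IP and both timestamps, which is what you will need to answer a "what did I agree to and when" request. The token is signed rather than random so the server does not have to store anything between the two steps, but it must still be matched against a pending record so a stale link cannot resubscribe someone who has since been deleted.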
Where to go, What to do
Putting all the pieces together for GDPR can be a bit scary and daunting. But don't fret over it. It will take some time to review your business practices and the manner in which you collect and inform. But it is all doable.
I'm in the process of putting together a process checklist and service where I will personally help you through it all. If you are interested in that just let me know and I'll provide you a quote.