You can’t help but notice it: there’s a tinge of panic in the air among online entrepreneurs. The EU General Data Protection Regulation (GDPR) will be enforced starting 25 May 2018 and compliance is imperative to avoid possible fines.

But how can you be sure your list-building tools are compliant? And how does the GDPR affect online entrepreneurs doing business outside the EU?

Thankfully, I had the pleasure of interviewing Dr. Jackie Mallia, a specialist in data protection law. In this interview, she helps us simplify what GDPR compliance means, in terms of how we collect emails and market our services online.

GDPR Compliance for Online Entrepreneurs Based Outside the EU

Dr. Mallia made it clear: GDPR goes far beyond the EU. Anyone with a website that collects data from someone located in the EU is subject to this regulation. That includes everything from collecting an email address to tracking their activity on your website.

“…it doesn’t even have to be EU citizens, they just have to be in the EU at that point in time. If they’re in Italy and they’re browsing your website, you are basically subject to this regulation.”

In other words, pretty much every website in the world is subject to this regulation if it’s accessible in the EU.

So how can we make sure we’re compliant?…

How to Ensure GDPR Compliance for Online Entrepreneurs

The key to compliance with GDPR is having a proper privacy policy in place that you can share with your consumers in a privacy notice. If you are collecting any information at all from anyone browsing your website, you need to disclose it in a way that’s easy to understand.

“Explain what data you collect (i.e. if you track their activity on your site). Provide different categories of monitoring: behaviour on the website, opening an account with you, tracking marketing, etc. Provide what cookies and scripts are used.

You need to explain what the data is used for… giving the consumer more targeted information based on website behavior.”

You need to explain what data you collect, why you collect it, how you store it and how you use it. Complete transparency. Additionally, you’ll need to provide the consumer with the option to gain access to the data you’ve collected.

This can be done by providing the contact information of your “data controller” or whoever is in charge of handling data and privacy in your business. If you’re the only person in your business, you just need to make sure that the tool you use allows you to export this information and forward it by email.

GDPR Compliance and Email Opt-Ins

When it comes down to it, you need proof that everyone on your list opted in through a method compliant with GDPR. A lot of providers are currently updating their tools to comply with this, so double-check the tool you’re using and you should be alright.

Here’s where things can get a bit tricky: If you have an email list full of people who opted in before you were GDPR compliant, then it’s important that you “refresh their consent”. “In other words, that actually means getting in touch again with those people on your database and saying, ‘Look, there’s this new law. It requires that we are letting you know exactly what happens with our information. Please look at our privacy policy for the information that you need. If you need more information, please feel free to ask us. And if you don’t actually tick this box, we will not send you any more information.’”

This may sound daunting, but in the end, it can actually help to weed out anyone on your list who doesn’t truly want to be there and give you a list full of highly responsive, engaged individuals.

Refreshing consent is also a must if any information on your list has been acquired or purchased from another company or individual.

Changing from one email service to another? It’s time to refresh that consent too. When you switch services you lose your proof of compliant opt-ins, so you need to be sure you can create that proof within your new email service.

Many email services provide tools that are GDPR compliant, so be sure to seek them out if you’re looking to switch. This will keep things simple and easy for you going forward.

How to Handle Opt-Ins and Online Incentives

If you encourage your visitors to opt in by offering a “freebie” or a discount, that should be fine, but you need to be very clear that opting in for a freebie also means opting in to a newsletter or any other communication. If your past freebies didn’t mention a newsletter subscription or didn’t have a separate box to check to subscribe to your list, it’s time to (you guessed it) refresh their consent.

Another important point to keep in mind is that whatever you offer as an incentive cannot be taken back if they choose to opt out later. Whatever you’ve offered as an incentive, you need to continue to provide even if they have withdrawn their consent to be emailed at a later stage.

One thing you cannot do is ‘force’ a consumer to opt-in before gaining access to your products or services. For example, if you sell tickets on your website you cannot tell the consumer that they have to opt-in before buying a ticket. But you can offer a discount on those tickets for opting in.

Compliance When Merging Lists from Online Events

After running a webinar or online event, many of us take the information collected for that event and add it to the main list.

However, when accepting opt-ins for anything other than your main list, it is extremely important to be completely transparent about how you will use the email address provided, what info you will send and how often.

When you create a sign-up box, for example for an upcoming webinar, you need to use those details only to send the information required to log in to that webinar. If you also want to add this user to your list to send additional information, you need to add an extra tick box that says something like “please tick this box to receive our weekly blog posts.”

It’s acceptable to send your attendees information similar to what they showed interest in, but the option to unsubscribe must be clear and easy to execute at any time. The official regulation is that opting-out must be as easy as opting-in.

Think Like a Consumer

When it comes down to it, it’s all very logical. If there’s ever any question about what is GDPR compliant, staying in the mindset of what you would like to receive as a consumer and what you’d like to be done with your data usually gets you to the right answer.

Having clear and accessible privacy policies will keep you compliant, but it’s also just good business. Keeping your consumer informed and their information safe should always be a priority. Hopefully, this interview helped give you a clear picture of what that looks like within the GDPR.

If you are working toward compliance and need help during any part of the process, be sure to follow/contact Dr. Jackie Mallia here.

DISCLAIMER:
This information is not intended to provide, or indeed be an alternative to, case-specific legal or technical advice.