Before you continue reading, be aware that this article should not be considered as legal advice. It’s for information purposes only, and you’re recommended to seek your own legal counsel to determine what the GDPR means for you.
If you’re running a business and not yet heard about the GDPR, you’ve been living under a brick the past few months. GDPR is, of course, the General Data Protection Regulation that has been in effect from May 25, 2018.
While it’s a European law, it has global reach, and applies to all businesses that collect, record, organize, store or otherwise process personal data of EU citizens. Personal data? That’s any information like names and email addresses—even IP addresses—that could be used to identify an individual.
The impact of this new law is significant, and affects how businesses are able to use personal data for marketing purposes for years to come.
Thinking of burying your head in the sand? Falling foul of the law can lead to huge fines of up to €20 million, or 4% of your annual global turnover, whichever is higher.
Sure, such huge fines are probably unlikely for smaller businesses with minor transgressions. But you could still be liable for compensation to the data subject concerned, and it’s important to ensure you’re doing all you can to comply.
After all, it’s about properly protecting consumers and their data from abusive practices. Doing so can only reflect well on, and give consumers confidence in, your business.
So what exactly are you supposed to do? What can you no longer do? What changes should you be making?
Unfortunately, much of the advice that’s out there on GDPR is confusing and conflicting, and that includes advice from legal experts (remember, this article is NOT legal advice and is for information purposes only).
So, just what do you need to do to ensure your website and practices are compliant with GDPR?
First, there are slightly different obligations depending on whether you are a Data Controller or a Data Processor. Which is which?
If you’re at the front end, making decisions about how to collect personal data (for example, generating leads for your business) and what to do with it (for example, adding the lead data to an autoresponder service), you’re likely a Data Controller.
If you’re processing that data in some way on behalf of a Data Controller, then you’d be considered to be a Data Processor.
As an example, autoresponder services like MailChimp, Aweber and others would fit into this category.
To add a little more complication, Data Processors are often Data Controllers as well—yes, you can fit into both categories.
However, to keep things as straightforward as possible, this article will predominantly focus on Data Controllers, which more than likely covers the majority of readers.
Ready to get into the meat of it? The easiest way to understand the GDPR is to focus on six main principles of the legislation. These can be summarized using the helpful CARTES acronym (Cartes is the name of a small town in Spain).
But what do they each mean? Let’s look at each one in turn as it relates to email marketing, and what you need to do to comply.
The person must agree to how you intend to use their data.
For example, let’s say you’re offering a lead magnet of some kind, say a free report, in return for their email. They enter their email, you send them the lead magnet, but you don’t mention that you’ll be sending them regular email messages afterwards.
In this example, they haven’t given their consent. To ensure their consent, you would need words to the effect of, “Get regular information on XYZ, starting with LEAD MAGNET today.”
What about checkboxes? While there’s a lot of talk about now needing a checkbox on your forms, they’re not always necessary.
For example, clicking the button to subscribe is indication enough of the person’s consent, presuming the language on your form is clear enough.
However, if you intend to use their data for more than one purpose—for example, if you’re collecting emails for email marketing as well as address information for direct mailing—checkboxes are probably wise for each type of data processing.
Remember, however, to leave the user to check any checkboxes—pre-checking them isn’t permitted.
A better approach than multiple checkboxes might be a two-step form. After the person has initially subscribed via email, you can send them to a page with another form that offers something via direct mail in return for their physical mailing address.
In other words, this means separate consent for each different type of data and data processing, without the need for checkboxes.
Even when the person has given their consent, you need to keep a record that they have done so and be able to prove this consent.
How? For double opt-in lists, it’s relatively straightforward. The person subscribes through the form, and then further consents to the processing of their data via the confirmation email. You’ll need to keep a copy of the confirmation email used, but that’s about it.
For single opt-in lists, it’s not so easy. The proof all rides on the opt-in form itself.
Some suggestions include taking screenshots of your opt-in forms. While useful to get started, there are some drawbacks to this approach.
For example, this might not offer enough verifiable proof in a court of law (it’s just a screenshot after all).
And who is going to be responsible in your business for ensuring this is done each and every time you change a particular form, and recording it in a proper, verifiable manner?
If you’re split testing forms (which of course you should be), are you able to determine exactly which version the subscriber used to opt in? Would you be able to prove it?
What else can you do?
At optinopoli™, we’ll shortly have a solution that automatically records the form used for new leads and sends it to you. There may be other solutions, but I’ve not yet come across any.
Of course, the subscriber should be able to change their mind and withdraw their consent at any time. In other words, they should be able to opt out. With emails, that process should be automatic.
So nothing much changes here. I’m guessing your emails already have an unsubscribe link in them, so you’ll already be compliant.
Because of GDPR, a lot of businesses are recontacting people on their email lists and asking them for renewed consent. However, this isn’t always necessary.
For example, if you already have their consent for how you’re processing their data, and you can prove it in line with the Providing Proof section above, then you don’t need to ask for consent again.
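One way to keep verifiable proof of consent per form version, covering both the proof problem for split-tested single opt-in forms and the withdrawal and existing-consent checks above. This is an added example, not the article's own code or the optinopoli™ product; the form markup and subscriber events are constructed samples, and a hash chain is used so that later edits to the log are detectable.

```python
import hashlib
import json

# Constructed sample: two split-test variants of one opt-in form. Hashing the
# exact markup the subscriber saw records which wording they consented to.
FORM_VARIANTS = {
    "A": '<form><p>Get regular information on XYZ, starting with the free report today.</p>'
         '<input name="email"><button>Subscribe</button></form>',
    "B": '<form><p>Enter your email for the free report.</p>'
         '<input name="email"><button>Subscribe</button></form>',
}

GENESIS = "0" * 64  # prev_hash of the first log entry

def form_fingerprint(markup: str) -> str:
    """SHA-256 of the exact form markup shown to the subscriber."""
    return hashlib.sha256(markup.encode("utf-8")).hexdigest()

def _entry_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

def record(log: list, email: str, purpose: str, action: str, ts: str, variant: str = None) -> dict:
    """Append a consent event ("grant" or "withdraw") chained to the previous entry."""
    body = {
        "email": email, "purpose": purpose, "action": action, "ts": ts,
        "form_variant": variant,
        "form_hash": form_fingerprint(FORM_VARIANTS[variant]) if variant else None,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry

def verify_log(log: list) -> bool:
    """Recompute the chain: an edited, inserted or removed entry breaks it."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def consent_covers(log: list, email: str, purpose: str) -> bool:
    """True if the subscriber's latest event for this purpose (in log order) is a grant."""
    events = [e for e in log if e["email"] == email and e["purpose"] == purpose]
    return bool(events) and events[-1]["action"] == "grant"

def proof_for(log: list, email: str) -> list:
    """Every recorded event for one subscriber, including which form variant was used."""
    return [e for e in log if e["email"] == email]
```

Storing the log append-only (and the form markup for each fingerprint) lets you show which form a subscriber used even after the form has changed.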
In addition, Article 13(3) of the legislation appears to indicate that if you already have consent for one purpose, but now want to use the data for a different purpose, you can simply let them know rather than request renewed consent. Of course, they have the option to simply opt out if they object.
You might want to run this past a lawyer first, but let’s say:
- Your subscribers opted in to receive a lead magnet.
- You can prove that consent.
- You’re now emailing them more regularly, which isn’t strictly in line with the original consent they gave you.
Rather than request renewed consent from them to be able to continue emailing them, you could potentially email them to:
- Let them know you’ll continue to email them on a regular basis.
- Remind them of their ability to opt out if they no longer want to hear from you.
This will not only help clean up your list and keep it responsive, but also potentially ensure you’re compliant with GDPR.
Again, consult a lawyer to determine exactly how this might apply for your own circumstances.
While some of the GDPR requirements might seem a little onerous, so much of the GDPR legislation is just good practice and basic common sense.
Under the ‘rectification’ requirement, subscribers should be able to correct their data as required, or even provide additional information you don’t already have. Makes sense, right? And probably something you already provide.
Presuming that you’re responsive to subscriber requests to, say, change their email address—or have an automated means for them to do so—you’ll already be compliant with this part of the legislation.
Another relatively easy, straightforward principle. The subscriber has the right to do things like:
- See the data you have about them
- Be told what the purposes are for that data
- Discover who the information has been disclosed to (if anyone)
- Determine how long you will hold the data for
The full terms are in Article 15 of the GDPR legislation, and probably not something you need to worry much about until someone gets in touch to ask about their data. Presuming you have access to the required information and can supply it in a timely manner, you should be fine. But again, you might want to consult a lawyer to review your own circumstances!
Another common sense directive, but one that’s important to review to ensure you’re being as transparent as possible in your use of subscriber data.
- Use clear, plain language that’s easy to understand. Avoid using complex legalese that only a lawyer could decipher.
- Be as clear as you can about what you’re doing with subscriber data and why. So if you’re collecting names and email addresses to send regular information that might be of interest, state so clearly.
- State exactly how subscribers can opt out, update their data, request copies of it, or request deletion. Some of this might be automated, depending on your autoresponder (for example, an opt out facility, and sometimes the ability to change data).
- Mention services you’re using to process the data (i.e. any Data Processors such as autoresponder services). State who they are, and if they’re outside the EU, state what safeguards they have in place for the data, such as the E.U.-U.S. Privacy Shield.
Keeping a dated record of each version of this privacy information then helps you to:
- Determine if you can legally process a person’s data in a particular way at some point in the future.
- Provide proof of consent if needed.
A good way to do this is to:
- Copy across to a new file when you need to make changes.
- Update all your privacy links accordingly.
As with some other parts of the legislation, you’re no doubt doing this already, but your contact information should be easily accessible on your website. At a bare minimum, this would generally include your email address and physical mailing address.
Your subscribers not only have the right to opt out, but also to request complete deletion of their data.
You’re also obligated under GDPR to delete personal data when it’s no longer required for its original purpose.
For example, if someone opts out of your emails, you can no longer use their email address to contact them. It is, therefore, no longer required for the original purpose and should be deleted within a reasonable time frame.
It’s a good idea, in order to prove your efforts to comply with GDPR, to document and follow a regular process where you delete unsubscribed email addresses from your autoresponder. For example, this could be a regular monthly activity.
Finally, another common sense directive that you’re probably already largely compliant with. Of course, if you’re collecting personal data from people, you need to make all reasonable efforts to ensure that data is secure.
Usually, your email subscriber data will simply be held by your autoresponder. Practically all such services will have appropriate data security processes in place by design. After all, data breaches would potentially be catastrophic for them.
But remember, if you’re exporting data from your autoresponder to, say, a local drive, it’s then your responsibility to ensure the security of that data.
Hopefully this article has clarified many aspects of GDPR for you, in terms of how it relates to lead generation and email marketing.
In summary, your main priorities should be to:
- Review and update all opt-in forms to ensure compliance with GDPR going forward.
- Review your existing email lists and determine whether you need to request renewed consent, at least for those subscribers based in the EU.
Remember, too, that much of the GDPR legislation just represents good business practice.
If you’re doing all you reasonably can to do things like protect subscriber data, delete it when no longer required, treat it (and your subscribers) respectfully, respond appropriately when they contact you, and build up a good relationship with your list, you’re unlikely to go far wrong.
After all, GDPR is largely aimed at preventing businesses from abusing and failing to adequately protect personal data, which is a good thing for all of us. Adhering to it can mean a more responsive email list, and a better reputation for email marketers in general.
As a final reminder, remember this is just informational and not legal advice. You should consult your own legal representative to determine exactly how the GDPR applies to your own business.
Steve Shaw is the founder of the optinopoli™ lead capture service, enabling businesses to add high conversion lead generation campaigns to their websites for free. He specializes in developing powerful and innovative online-based marketing systems that enable small business owners around the world to easily and effectively grow their businesses within a global marketplace. With over 15 years of online marketing experience, his services have helped thousands of customers around the world market themselves more effectively.