GDPR – Growing your email list & data protection

Categories: business, marketing, website strategy

Unless you’ve been living under a rock, you will undoubtedly have heard of the imminent change (on 25th May to be precise) in the EU data protection laws – the dreaded GDPR (General Data Protection Regulation)!

The way we shop, sell and generally communicate with each other has changed drastically since the 1998 Data Protection Act came into force. Daily and without taking much consideration, we are giving people our personal information and handling other people’s personal data. The new regulations are to help those people in the EU have better control over their personal data, access to it and what companies do with it.

So what is meant by personal data?
This is any information that directly or indirectly could identify a person (for example a name, address, email address, phone number, IP addresses). As a small business any personal information you collect, use or store on your customers and clients will fall under the new GDPR.

As more and more business is conducted online, it is increasingly important to know who you are giving your personal data to and what they are doing with it, hence the introduction of GDPR.

Before I go any further, I am NOT a legal expert and the content of this post is a summary of articles I have read and my own observations. If you want legal advice then this lady, Suzanne Dibble, knows her stuff and does a great GDPR pack for small businesses which you can buy. She also has a Facebook group full of great advice.

GDPR - what you need to do so you don't get fined

So how does this affect my business?

I have seen all kinds of posts in Facebook groups and blog posts comments with people freaking out about getting their business and website/blog GDPR compliant. Don’t panic!

Essentially what it means for your business is that you need to know and inform your clients/customers and even just visitors to your website:

1) What information you hold
2) Where you hold it
3) Why you hold it
4) How you got consent for that information
5) How they can access it

To be GDPR compliant this all needs to be detailed in your business privacy policy and that privacy policy needs to be easily accessed (so it needs to go on your website) and be kept up to date. Of course depending on the size, how you operate and type of business there may be more documents required in addition to your privacy policy to be GDPR compliant.

Read/download this guide from the ICO (Information Commissioner’s Office) on 12 steps you can take now to prepare for GDPR.

Not only do you have to ensure that you’re GDPR compliant as a business, you also have to ensure that all your third party service providers, who process personal data for you and are referred to in the new regulations as “processors”, are GDPR compliant too!

This is a great blog post on ensuring your processors are GDPR compliant: https://suzannedibble.com/5-simple-steps-to-check-your-service-provider-is-gdpr-compliant/

Can I still send promotions, service updates, new event information to my email list?

When GDPR comes into effect next week it will become a legal obligation to get explicit and clear consent from a person to collect their data. This should mean a world free of spam, yay!

My understanding is that going forward, if you have a newsletter sign up on your website you need to be specific as to exactly what they are signing up to, what they will get and a link to your privacy policy so they can understand what the information will be used for etc.

It will no longer be acceptable (and will be non-compliant) to email people information about your business or services without their prior consent. In addition, once you have their details from a newsletter sign up you can only email them information they consented to. If they signed up for your free recipe download, you cannot start emailing them about your food coaching business.

It is essential that you leave any opt in boxes unchecked, so that by ticking the box the user is giving their consent. You cannot assume consent and then require the user to opt out. Also use double opt in when using an email sign up/lead magnet. This can be easily set up through your provider – Mailchimp and ConvertKit guides about being GDPR compliant are linked at the end of this post.

What do I need to do to make my website compliant?

To make your website compliant, there must be a detailed and GDPR compliant privacy policy on your website that can be easily found, as well as your terms of business.

If you have an email opt in/sign up make sure it’s compliant as detailed in the section above. On all your contact forms, add explicit, required acceptance fields for both your privacy policy and terms of business that must be ticked before the form can be sent. Checkboxes are fine.

If you use Google Analytics or the Facebook Pixel you will need a Cookie policy to tell visitors to the site that their IP address is being tracked, why, how long you hold the data for and how they can opt out of being tracked.

In the event of a hack or security breach, you are responsible for letting your users know about it.

Overall I would suggest collecting no user information by default and take as little information as possible when you do get explicit consent!