WARNING: This is not a juicy, warm, lovely blog post. It's downright overwhelming and will likely make most of you want to stick your heads in the sand. I get it. I feel the same. But it's important. So please read it... and make an informed decision for yourself. Y'all put a lot of effort into supporting informed consent for the families you serve. Now I get to be your website doula and offer you care and support with informed decision making on the GDPR privacy legislation.
ALSO, I HAVE CREATED A FREE PRIVACY LAW CHECKLIST TO HELP GET YOU ON TRACK. DOWNLOAD AT THE BOTTOM OF THIS POST!
Ready? Here we go!
Hey y'all. I've been swamped this week preparing for our big family move from Costa Rica to MINNESOTA(!!!) while also working on some fabulous client projects. Between packing binges I have been doing my best to wrap my head around the new GDPR privacy legislation in the EU, and assessing the implications for all of you.
Now if you live in the European Union, you're likely already well on your way to having your website compliant with the new privacy requirements and have spent hours - and hours - trying to figure it all out. I encourage you to identify local experts who can help you be 100% confident in your compliance, including a lawyer with specialization in GDPR. I am here as a resource, but in general I strongly advise you to work with someone within the EU.
What about those of us living in the US, Canada, and elsewhere?
Well, it's complicated. One might imagine that European Union laws have no bearing on us - but remember that the internet is a wide open public space with zero borders, so people from all over the world can potentially visit your website and request information, download a giveaway or join your mailing list - and the GDPR protects anyone who is physically located in the EU when they do so, whatever their citizenship. Strictly speaking, a business outside the EU falls under the law when it offers goods or services to people in the EU or monitors their behavior (tracking cookies count), but the general consensus is that any website that could plausibly collect data from someone in the EU should be in compliance with the new law.
After extensive research here's my best assessment of the implications for those of you whose businesses are based OUTSIDE of the European Union.
CAUTION: I am definitely NOT a GDPR expert. I'm doing my best to figure it all out along with everyone else in the online realm. If you decide you want to make the below recommended changes to your website, my assistant Alison and I are available to help guide you, but I make no guarantees of 100% compliance. Any of you who want to take this seriously should definitely consider consulting with a lawyer who is skilled on online legislation and very familiar with GDPR. I will be doing so myself just as soon as we complete this crazy family move!
First, I want to affirm that overall this is a good law. It may be insanely complicated to understand, and interpretations of how to follow the law vary widely, but the intentions are GOOD. Basically the law ensures that anyone using your website and entering their personal data knows how you will use that data, and is assured of their right to delete it upon request. So even if you have NO concern that an EU citizen will use your website, the basic concepts here are good practice to follow regardless of the law.
To begin, I'm writing to be sure you are aware of new legislation on the horizon that is having a big impact on how websites around the world collect and maintain data about their customers. The new law is based in the EU, but affects any business website that could potentially be visited by someone located in the EU. Take a moment to think about that - we're not necessarily talking about someone in France chancing upon your website. It could just as easily be a client from your own service region who fills in your contact form while she is traveling or living in the EU.
Before May 25, 2018 (the day the GDPR becomes enforceable), reach out to anyone currently on your email list who is located in the EU and whose original signup did not meet the GDPR standard for consent (a specific, affirmative, unticked-by-default checkbox), and ask them to re-enroll in your mailing list with a checkbox where they give explicit consent to the exact type of email you want to send them (i.e. discounts and coupons, how-to posts, etc.). By the end of May 24, 2018, delete any EU subscribers who have not given consent to stay on your list.
If you use Mailchimp, sign their Mailchimp data processing agreement (DPA); the same goes for any other email provider that offers one.
If you have a giveaway form on your website with the goal of collecting email addresses for your newsletter there are 2 steps you need to take:
1) Add a separate, unticked-by-default checkbox to that form confirming that they ALSO want to join your newsletter (a pre-ticked box does not count as consent). Here's an example.
2) Make sure that double opt-in is enabled on your signup forms within Mailchimp or whatever system you use.
Please note that they MUST be able to get your giveaway without joining your mailing list. Under the GDPR, consent that is a condition of receiving something else is not "freely given," so the download cannot depend on the newsletter box.
If you have a contact form on your website, and probably 95% of you do, there are 2 steps you need to take:
1) Make a note on your calendar to actually go in and delete the form submissions your form system stores once a month, so that you are not in the position of keeping personal data on your website that you no longer need.
2) Don't ask questions you don't truly need the answer to. Review your form for any excessive personal information that goes above and beyond what is truly essential to you doing your job.
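For those of you whose web person handles the form code directly, here is what the giveaway-form and contact-form steps above look like on the server. This is an added example written for this post, not code from Mailchimp, your form builder, or any client site; the field names, the 30-day retention window and the in-memory store are assumptions, and the sample submissions at the bottom are constructed.

```javascript
// Added example, not code from the original post. Field names, the 30-day
// retention window and the in-memory arrays are assumptions; none of this is a
// Mailchimp or form-builder API.

// Fields a contact form actually needs to do the job; everything else is
// dropped before storage (step 2: don't collect what you don't need).
const CONTACT_FIELDS_NEEDED = ["name", "email", "message"];

// Giveaway form: the download never depends on the newsletter checkbox, and a
// subscription only happens on an affirmative, unticked-by-default tick.
function processGiveawayForm(fields, now = new Date()) {
  const result = { deliverGiveaway: true, subscribe: false, consent: null };
  // Browsers send "on" only when the box was ticked; anything else is no consent.
  // Never pre-tick the box in the HTML, or this check proves nothing.
  if (fields.newsletterConsent !== "on") return result;
  result.subscribe = true;
  result.consent = {
    email: fields.email,
    purposes: ["newsletter"],        // the exact use they agreed to
    consentedAt: now.toISOString(),  // when they agreed
    wording: fields.consentWording,  // the text shown next to the checkbox
    status: "pending",               // becomes "confirmed" after double opt-in
  };
  return result;
}

// Double opt-in: the confirmation email carries a random token; the
// subscription is only active once the presented token matches the issued one.
function confirmDoubleOptIn(consent, presentedToken, issuedToken, now = new Date()) {
  if (consent.status !== "pending" || presentedToken !== issuedToken) return consent;
  return { ...consent, status: "confirmed", confirmedAt: now.toISOString() };
}

// Contact form: keep only the fields you need, and stamp the entry with when
// it was received so the monthly cleanup knows what to purge.
function storeContactSubmission(store, fields, now = new Date()) {
  const entry = { receivedAt: now.toISOString() };
  for (const key of CONTACT_FIELDS_NEEDED) {
    if (key in fields) entry[key] = fields[key];
  }
  store.push(entry);
  return entry;
}

// Monthly cleanup (step 1): drop anything older than maxAgeDays. Returns the
// surviving entries and a count, so a scheduled job can log what it removed.
function purgeOldSubmissions(store, now = new Date(), maxAgeDays = 30) {
  const cutoff = now.getTime() - maxAgeDays * 24 * 60 * 60 * 1000;
  const kept = store.filter((e) => new Date(e.receivedAt).getTime() >= cutoff);
  return { kept, removed: store.length - kept.length };
}

// Constructed sample submissions to show the flow end to end.
function demo() {
  const now = new Date("2018-05-20T12:00:00Z");
  // Giveaway requested, newsletter box left unticked: download yes, subscribe no.
  const noTick = processGiveawayForm({ email: "a@example.com" }, now);
  // Box ticked: subscription pending until the double opt-in link is clicked.
  const ticked = processGiveawayForm(
    { email: "b@example.com", newsletterConsent: "on",
      consentWording: "Yes, also send me the monthly newsletter" },
    now
  );
  const confirmed = confirmDoubleOptIn(ticked.consent, "t0k3n", "t0k3n", now);
  // Two contact-form entries: one stale (March), one fresh; the stale one also
  // carries a field the form never needed.
  const store = [];
  storeContactSubmission(store,
    { name: "C", email: "c@example.com", message: "hi", dueDate: "2018-09-01" },
    new Date("2018-03-01T00:00:00Z"));
  storeContactSubmission(store,
    { name: "D", email: "d@example.com", message: "hello" }, now);
  const { kept, removed } = purgeOldSubmissions(store, now);
  return { noTick, ticked, confirmed, kept, removed };
}
```

The consent record keeps the wording that was on the screen and the time of the tick, because if anyone ever asks you to show that a subscriber agreed, "they were on the list" is not an answer. The purge function is the part to wire to a monthly job; running it by hand once a month is exactly the calendar reminder in step 1.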
WHY YES, THERE'S MORE!!!
And not in the good way. There are many more requirements - a cookies policy and agreement popup, a data processing spreadsheet (a record of what data you hold, why, and where), blocking your form system from collecting IP addresses (which count as personal data under the GDPR), and more - and I encourage you to dive in and learn it all. The above steps are the bare minimum I encourage all of you to follow regardless of where you live.
A few solid and informative free resources to learn more:
Hubspot: What is the GDPR?
Bobby Klinck, Law Firm for Entrepreneurs: How to comply with the GDPR
Amy Porterfield: GDPR for entrepreneurs: What you need to know webinar (Featuring Bobby Klinck)
The Essential Website: Solid overview of GDPR with plenty of resource links
Kerstin Begley: Great Detailed Video Tutorial & Blog Post on How to be GDPR Ready
What's the risk?
Obviously most of you have teeny tiny businesses when compared to say, Walmart, and a very small % of EU website users. The chances of being fined are of course small. Still, it has yet to be seen to what extent EU countries will be enforcing the legislation, how actively penalties will be assessed, or what enforcement will look like for businesses outside the EU. The maximum fines are steep: up to €20 million or 4% of your worldwide annual revenue for the previous year, whichever is higher, for the most serious violations (lesser ones are capped at €10 million or 2%). With a few small changes as described above you can minimize your risk.
It is 100% up to you whether or not you decide to take the leap and take steps towards compliance.
It's pretty intense legislation, and I know my head is swimming with all of the implications. The official deadline for compliance is May 25, 2018, but general consensus is that there will be a grace period for smaller companies just trying to figure this all out. Honestly we have no way of knowing even how it will be enforced for overseas businesses. I would have loved to put out this blog post earlier, but it has taken me a full two weeks to wrap my own head around what is required, amidst packing up our house for the big move (anyone have an extra suitcase in Costa Rica that I can borrow???)
Overwhelmed? I get it.
My assistant Alison and I are here as a resource if you need practical help getting it all together. If you decide to ignore this blog post altogether, I totally understand. It is my job as your Website Doula, however, to make sure you are doing so in an informed way. Let me know if you have any questions or need help putting these elements together. Need help? Email us at firstname.lastname@example.org. Most of your websites will require 1 - 2 hours of hourly website doula care to take care of all the details. While I am on the road for the next 3 weeks for our move, Alison will be standing by ready to help!
Warmly, Sarah Juliusson
p.s. More on the big move for our family soon! I will dearly miss Costa Rica, but am admittedly excited to have an easy USA phone number and way more reliable internet 🙂