Disclosure: Some links in this post are affiliate links. I may get a commission from those links but it's at no cost to you.
What’s this GDPR thing and how does it affect online entrepreneurs?
The online world is going through a lot of changes lately, and as online entrepreneurs, we need to keep our eyes peeled for these things.
It turns out that Europe has decided to review and revise their data protection laws to match a more advanced, and in some cases more mischievous, online world.
This is actually a good thing, as their laws on data protection were outdated by 20 years, it seems.
Looking at all the data breaches and issues happening with major companies (Facebook, for instance), I’d say these new regulations come in good time and are very much needed.
But I guess you’re here because you want to know what the hell is the GDPR and how it will affect you as an online entrepreneur, right?
Before I go any further, I want to make it very clear that even if you are an aspiring online entrepreneur — rather than established one with a website up and running and actually making substantial money – the GDPR still applies to you and you would be wise to comply!
Now, moving on…
What is GDPR?
GDPR stands for General Data Protection Regulation, and it is being implemented by the European Union. It will take effect this coming Friday, May 25th, 2018.
It pertains to any personal data — that is, anything that may identify a person who enters and interacts with your website/company – and the processing of such data.
Now, laws can be very cumbersome, but essentially by “processing”, it is meant any sort of action done with that personal information, including simple storage.
That means that if you have anything to capture e-mails towards building a list, then you are, indeed, processing personal data and the GDPR applies!
Even if you don’t do anything with your list, even if you never e-mail your subscribers, you still have their information stored. Thus you need to meet certain standards.
Is GDPR just for European companies?
The short and blunt answer is: NO, no it’s not just for European companies!
Now, this is a regulation enforced by the EU to protect European residents. The GDPR does not protect people in the U.S. or Canada, but it does, nonetheless, affect businesses and entrepreneurs operating in the U.S. and Canada!
How? Well, because the beauty of the internet is that a person in Spain can order a T-shirt from a U.S. merchant, or subscribe to a blogger operating in Canada.
So, even if you have a tiny little T-shirt web store in California, you must comply with the GDPR because chances are that you have at least 1 European customer.
Because this regulation is about data protection and any processing of personal data, it isn’t limited to major eCommerce websites where people input their personal information to purchase items.
As I mentioned before, the simple storage of a name and an e-mail address would be under the GDPR, thus even bloggers must comply!
How does GDPR affect you as an online entrepreneur?
Okay… So, GDPR is a real thing that enforces and protects European residents’ data rights. It goes beyond online activities, but it certainly includes the internet, and we now know that it applies to the little blogger with no shop all the way to major companies like Google and Facebook.
But the real question here is… HOW does it affect you, as an online entrepreneur?
Well, let’s cut the legaleeze and make it as simple as possible, shall we? Here are the 3 main ways it will affect you – mom blogger, small webshop owner, affiliate marketer, book author:
- It directly affects you, as it applies to how you capture subscribers to your website, how you store their data and how you interact with your list.
Meaning that you may need to make changes to your opt-in forms, privacy terms and how you ask for consent from your readers when they subscribe. K
Key factors here are consent, transparency and limitations to what information you can and cannot ask your audience when they subscribe to your newsletter.
- If you sell products through your website, then it also directly applies to you as a product owner/affiliate/blogger, because you will be handling and processing customers’ data through purchases.
You need to ensure that customers’ information will be stored and processed appropriately and is secure, regardless of what tools or software you use to process transactions.
- It also affects you in that it limits which tools you can use to capture, store and manage users’ data and interact with them.
This is because, now that the GDPR is taking effect, you have the obligation and legal responsibility not to use tools that are not GDPR compliant.
What exactly does this mean?
It means that you now must check that your social media outlets like Facebook, Twitter, and Instagram are complying with the GDPR because you interact with customers, subscribers and followers that may or may not reside in Europe.
Most importantly, it means that now, you have the legal obligation to check that your e-mail management tool – be it ConvertKit, MailChimp or some other tool – is compliant with the GDPR.
This is why, you have been receiving a whole bunch of e-mails from companies like Facebook, Google, MailChimp and so on letting you know how they are complying with these new regulations. (That reminds me, I need to do the same!)
But here’s the good thing about all those (annoying..?) e-mails you’ve been receiving: it means that Facebook, MailChimp, Google and all those tools you have been using so far are taking GDPR seriously, and most likely you don’t have to change to other tools!
You can check out this article from Oberlo about the GDPR, where they mention a few popular tools and companies that are now GDPR compliant, like Shopify, Google Analytics and MailChimp.
How to Comply with GDPR?
Now that you know what it is, who it applies to and how it affects you, let’s move on to what exactly you need to do to be GDPR compliant!
To know what you need to do to you need to understand the 6 key components of this regulation.
The 7 Principles of the GDPR:
1. Lawfulness, Fairness and Transparency
The first principle of the GDPR enforces that you must use personal data in a fair, clear and honest manner and cannot mislead the public.
Ways to make sure you comply with this overarching principle is mainly through consent and transparency.
As I’m sure we all are aware, you need to have explicit consent from your audience to have direct interaction with them, for instance, to e-mail them or message them through private message.
One way that many online entrepreneurs do this is through opt-in forms where the individual is asked for their name and e-mail address and asked to confirm that they do, indeed, want to subscribe.
But this doesn’t apply to new subscribers only!
The GDPR also applies to your existing e-mail list! You need to go ask permission from your current subscribers to continue sending them e-mails in the future. (I talk a little more about this in a bit)
With transparency in mind, you should revise your privacy terms and conditions and ensure that a link to it is available and visible on your homepage, in the footer, in your opt-in forms and even in your e-mails.
2. Purpose Limitation
Going hand in hand with consent and transparency, the Purpose Limitation Principle states that you must be clear and specific about why you are capturing data. For instance, you must be clear if you will use it for e-mail marketing purposes or not.
Most importantly, though, you cannot just change your mind and use that same information/data for other purposes.
So, when someone follows your page on Facebook, they are agreeing to receive news feed updates from your page. You cannot, however, use any information you gather on Facebook to contact them through e-mail, because that’s a different use of their data altogether!
One significant impact this particular principle has for online entrepreneurs is that, under the GDPR, when people sign-up of your freebie, they are not actually consenting to receive your newsletter or getting other e-mails from you!
Thus, you shouldn’t really be contacting beyond the welcome and delivery e-mail for them to get that freebie. Meaning, you shouldn’t add them to your e-mail list! This may be deemed as using the original data for other purposes that are “incompatible” with the first purpose you stated (a.k.a downloading the freebie).
Luckily though, there a few lawful ways around this. I personally like how Bobby Klinck explains this concept and his strategies to go around it. He is a lawyer and online entrepreneur, so that’s also reassuring!
I took his free course on the GDPR and strongly recommend you do too. Link is below.
Bobby Klinck’s course: https://members.youronlinegenius.com/GDPR
3. Data Minimization
You can only take the data necessary for the purpose you specified!
For an opt-in form, you will need the first name and an e-mail address. You really don’t need anything else. Thus you shouldn’t ask for anything else!
Now, obviously there are some legitimate reasons to ask for more information. Say you want to send them a customized report or free audit to their website — you will need a few more pieces of information and that would likely be considered acceptable.
The point here is when they opt-in to a freebie or to your newsletter you need to a) state what you will need their information for and b) you must comply and stick to that purpose.
4. Storage limitation
Storage limitation pertains to not only how you store information, but also how long you can keep that information and use it!
For those of you who have a list that dates 10 years back, you need to either delete or contact those people to get their consent to keep them in your database. (Remember, this only applies to subscribers who live in the EU).
This principle also touches on people’s rights to access the data you have from them and to ask to be deleted (not just unsubscribed, completely erased).
5. Data security
As an online entrepreneur and someone who will collect personal data from your readers and subscribers, you also need to make sure you have all the proper systems in place to keep the data safe and secure.
In a way, we all had to make some changes towards this principle last year, when Google enforced the SSL. In that sense, there isn’t much difference for us unless you deal with more sensitive data.
Under this principle, you are responsible and accountable for how you collect, use and store personal data from people in the EU. You are also responsible for choosing third-party entities that comply with the GDPR.
Basically, you are responsible for picking software, tools and third-party resources that also comply with the GDPR principles. Meaning, whatever you use to store data (e.g. MailChimp), or process payments information (e.g. Thrive Cart, PayPal), must comply with this principle.
If you choose to use a tool that does not comply with the GDPR and you do have subscribers from the EU, then you legally accountable and may face fines.
7. Data accuracy
The principle of data accuracy states that you must take all necessary steps to keep stored and gathered data up-to-date.
Now, this is not as important for online entrepreneurs like you and me and more to do with big players like Google and Facebook and some other companies alike.
What are the consequences for not complying?
Okay, before I scare you with the crazy numbers…
Keep in mind that fines and regulations are not ‘one size fits all’. The GDPR does take into consideration that small businesses and solopreneurs are not the same as big, global companies like Facebook, for instance.
That being said…
The fines for not complying with the GDPR in part or in full, range between 2-4% of your global annual revenue, or €10M and €20M, depending on which articles of the law are violated. Plus, they’ll enforce whichever appropriate fine is the greatest!
Again, I’m pretty sure they won’t be asking for €20M from someone who is not making that much in a year, but they are still pretty hefty fines to me!
So, if you didn’t get anything else from this, just remember the cost of not complying! I think that’s a pretty good motivation to do it! You’re better for it anyways.
There you go! That’s my understanding of the GDPR, based on all the reading I’ve been doing lately.
Keep in mind I am not a lawyer and you should still do your due diligence on the topic. To help you with that, here are some more resources for you to read up on it a bit more…
Reading List on the GDPR:
- Oberlo’s article on GDPR
- GDPR: 10 Examples of best practice UX for obtaining marketing consent
- What is GDPR and how it affects Bloggers
- What you should know about the GDPR — This one explains really well what a GDPR compliant opt-in form looks like and what you need to do regarding your e-mail list.
Resources for GDPR:
Are you GDPR compliant? How do you feel about it and how will you be affected by it? Leave your thoughts in the comment section. This is a great discussion point for both established and aspiring online entrepreneurs!