So…GDPR…am I right?
Over the past month, there’s been such a tizzy over it.
I imagine you would have had a hard time not hearing about GDPR, especially with the flurry of Privacy Policy update emails most of the big internet sites and service providers have been sending out.
But in case you haven’t come up against it yet, I thought I’d share my perspective just to catch you up.
Here’s the whole “Darn it, Jim – I’m a web designer, not a lawyer” caveat…
GDPR is a set of regulations designed to protect the privacy of citizens of the European Union and give them more control over their personal information. I, being decidedly not a lawyer (nor a citizen of the EU), am not in a position to advise you on what to or not to do in legal matters. If you have a lawyer, I’d definitely check in with them about how this applies to your own business.
Thus, I’m going to write this from the perspective of how I’m choosing to implement it for “N” Powered Websites and things I’m taking into consideration (and you can take it or leave it for whatever it’s worth to you).
So what is GDPR?
GDPR stands for General Data Protection Regulation, and as I mentioned, it is specifically designed to give residents of the EU more control over their personal information and privacy.
I’d hazard a guess that it’s pretty well aimed at the likes of Google and Facebook who are sort of known to play fast and loose with what information they gather about you and what they do with that information. But it turns out that it does have implications for us (really) little guys as well.
GDPR is supposed to give EU citizens the right to more easily understand what companies are doing with their personal information, understand exactly what information is being collected about them, and way more easily be able to update it or have it removed from that company’s database altogether.
The reason GDPR has been so prominent on social media and in your inbox lately is that these regulations, that have been on the books for nigh two years now, are set to actually take effect, meaning they will be enforceable by the EU, as of today, Friday, 5/25/18.
So it was super generous for the EU to give everyone two years to get their you-know-what together. But like most folks, I’m a master procrastinator when it comes to this stuff and am just now figuring out what, if anything, I might have to do about it.
So let’s start with the big question…
Does GDPR apply to me – as a small, solopreneur business based in the United States?
Last week, I listened to a fantastic webinar put on by Lisa Fraley and Gena Shingle Jaffe of Damsel Goes Bare™ where they broke down the ins and outs of GDPR and shared some insight into how it might apply to small businesses like mine.
I must have been living under a rock these past few years because this is the first time I’ve encountered these ladies, but it turns out they’re everywhere, and they’re fabulous. They’re both lawyers, but Gena calls herself Sparkly and Lisa bandies about terms like “legal love” and “soulful” (not words you typically associate with lawyers), so they’re highly relatable, fun, and easy to listen to.
(At the time of this writing, it looks like you can still sign up to watch the replay of their webinar at http://www.damselgoesbare.com/gdpr/. It’s about 90 minutes long including all the Q&A and would be well worth it if you’re at all concerned about how GDPR might apply to you.)
But back to GDPR and me…
Like I said, GDPR is coming out of the European Union, so if I were an EU citizen and/or running my business based out of somewhere in the EU, then the short answer is, “Yes – this absolutely applies to me, and I’d darn tootin’ better do something about it quick.”
But I’m neither an EU citizen nor based anywhere in the EU, so why am I even wound up about this at all?
Even though I’m based in the US, I do have clients that reside in the EU, and I also know I have folks in the EU on my email marketing list. This is the clincher for me – having folks that I send emails to via my email marketing service.
Now that I’ve determined that yes – I think there is some level of applicability to me…
What should I do to be GDPR compliant?
Really – there are two places that I intend to take some action:
#1 – On my website
The first big piece of the puzzle is making sure all new people who get added to my email list somehow or other are able to give explicit consent that I can communicate with them along with a link to my privacy policy so they don’t have to go searching for it.
Explicit consent means that person very specifically gave permission for me to add them to my general email marketing list.
Where most folks who do list building are going to get sideways with explicit consent is how they entice people to sign up.
Very often, email marketers use lead magnets (or freebie offers, or giveaways, or whatever you may call them) to encourage folks to sign up for their list – offering them something of value in return for their email address. (I know most of my optin forms are structured this way, so I’m going to be taking some steps for sure to adjust that.)
GDPR says that person now has the right to get my lead magnet without automatically getting added to my list and they have to take an extra, explicit step to give me permission to add them to my list.
This may take the form of a checkbox on my optin form (that can’t be pre-checked – they have to intentionally check the box themselves) or an extra step in my double-optin process where they do something to indicate they’re ok with receiving my emails.
Other places I’m combing through to check and see if I need to add a link to my privacy policy and/or explicit consent for me to gather their data:
- landing pages
- sales pages for webinars I might be running (not that I’m running any webinars at the moment, but if I was, I would be sure I was in compliance on those optin pages)
- if I were running a membership site
- places where people might be paying me online for services or products I offer
- my contact form
- my client intake forms
I’m also going to give my Privacy Policy a good once over to see if there are any updates or tweaks I need to make to the language to address GDPR. (Hint: there probably are.)
#2 – On my existing email marketing list
The next puzzle piece for me is making sure that people who are already on my email list who reside in the European Union have an opportunity to provide explicit consent if I don’t feel like they met the requirements for that when they originally signed up with me.
So I had to get a little bit creative here. Mailchimp, like most email service providers, does keep information about a person’s geographic location when they signed up on my list. Unfortunately, Mailchimp doesn’t have a handy “search for everyone in the EU” filter I could click to produce the list of people I needed to reach out to.
What I did instead was search my list for folks not in the US, and that subset of people was small enough that I could go through them individually to determine which country they originated in.
If I had a bigger list of folks outside the US, I might have to create a segment by searching for people who originated from the 28 individual EU countries. That might be a little time consuming but probably the most thorough way to attack it.
Once I created a special EU segment of my list, I was able to send a specific email to just those folks who are affected asking them to essentially re-optin to my list so that I was sure I had that explicit permission. Those who didn’t take any action have been removed from my list now.
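As an added illustration (this is not from the original post and not Mailchimp’s own tooling), here is a small Python script that does the same segment-and-reconfirm pass over an audience export: build the EU-28 segment, then keep only those EU subscribers who answered the re-opt-in email. The CSV column names and the sample addresses are constructed assumptions.

```python
import csv
import io

# The 28 EU member states as of 25 May 2018 (ISO 3166-1 alpha-2), matching
# the "28 individual EU countries" mentioned above; the UK was still a member.
EU_28 = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

# Constructed sample export (assumed column layout, not a real Mailchimp file):
# email, signup country code, and whether the subscriber answered the
# re-opt-in email. None of these addresses are real.
SAMPLE_EXPORT = """email,country,reconfirmed
alice@example.com,US,
bruno@example.com,DE,yes
chloe@example.com,FR,
dara@example.com,IE,yes
eli@example.com,CA,
fen@example.com,GB,
"""

def load_subscribers(csv_text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def eu_segment(subscribers):
    """Subscribers whose recorded signup country is one of the EU-28."""
    return [s for s in subscribers if s["country"].strip().upper() in EU_28]

def apply_reconsent(subscribers):
    """Keep non-EU subscribers as-is, keep EU subscribers only if they
    re-confirmed, and return (kept, removed) lists of email addresses."""
    kept, removed = [], []
    for s in subscribers:
        in_eu = s["country"].strip().upper() in EU_28
        reconfirmed = (s.get("reconfirmed") or "").strip().lower() == "yes"
        if in_eu and not reconfirmed:
            removed.append(s["email"])   # no explicit consent on record
        else:
            kept.append(s["email"])
    return kept, removed

if __name__ == "__main__":
    subs = load_subscribers(SAMPLE_EXPORT)
    print("EU segment to email:", [s["email"] for s in eu_segment(subs)])
    kept, removed = apply_reconsent(subs)
    print("kept:", kept)
    print("removed for lack of explicit consent:", removed)
```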
That’s not all, but that’s the crux of it for me.
The other thing I’ll throw in here that I’m paying attention to is making sure all of the service providers I use to handle my client data are also GDPR compliant (and they are). So that’s just an extra little something to be aware of.
You should know that there’s a good deal more to GDPR than just what I’ve covered here.
It has implications for social media marketing and Google AdWords and things that really get beyond the scope of just your website. You can read the full content of the regulation here. I understand it’s something like 250 pages, so be sure to grab a cup of coffee first.
What’s the worst that can happen?
In theory, there could be fines to be handed out but only in the case that someone in the EU actually decides to lodge a complaint against me. (And I’m really small fry plus I’m a nice person and don’t ever do or send sleazy emails, so honestly, I don’t think this is going to be much of an issue for me.)
There is still the question of how enforceable this regulation is for companies in the United States. It seems like it’s up to the FTC, and with our current political climate, I wouldn’t even begin to guess which way they’ll roll.
Let’s wrap this up (because I’m running out of steam and imagine you are, too).
So despite the fact that I’ve only ever been to Europe once in my lifetime – a trip to London as a high school graduation present from my parents which was awesome, memorable, and turned me into one of those people who likes milk in my hot tea – somehow, I do seem to still be impacted at least a little bit by these new EU regulations.
Am I worried that the EU is going to come knocking down my door this weekend because I don’t have all of these things in place? Not in the slightest. But in general, I do agree with the spirit of what they’re trying to achieve, and I’d like my business to be in line with that.
I’ve taken a couple of immediate steps to make sure I’m not in blatant violation by obtaining some explicit consent from my EU list subscribers before the 5/25/18 cutoff.
And I’m going to be spending some time with my privacy policy and optin forms to get those up to snuff.
This part is going to take me a little bit longer, and honestly, I’m not going to have these pieces in place for a few weeks yet, but I’m okay with that. (I like to walk on the wild side that way sometimes.)
Further Reading and Research
You’re most likely going to want to do your own research and make your own decisions about how you address (or not) GDPR in your own business.
Here are some of the other resources that I trust and have used in my GDPR research:
Your GDPR + Email Marketing Playbook: How to Prepare for the New EU Data Law
6 Myths about the GDPR and Email Marketing Debunked
GDPR For Entrepreneurs: What You Need to Know
List-Building Is Dead! Long Live List-Building! In Praise Of The GDPR
About the General Data Protection Regulation
What are you going to do to prepare your website?