In preparation for the upcoming May 25, 2018 General Data Protection Regulation (GDPR) compliance deadline, I’ve compiled a list of FAQs on the application and scope of the updated GDPR to help you understand how GDPR applies to your business and what steps you need to take right now to ensure that your business is GDPR compliant. The GDPR coming into effect on May 25 replaces the Data Protection Directive, officially Directive 95/46/EC, which came into force in 1995. This means that GDPR is the first major change to data protection and privacy laws in Europe in over two decades. Considering how much the Internet has changed in the last 20 years, it is no wonder that GDPR comes with many changes and updates to past privacy laws that we’ve grown so accustomed to over the last two decades (which for some of us is an entire lifetime). Learn more about what you need to do to stay compliant through these frequently asked questions about GDPR and how it applies to you.

Frequently Asked Questions About GDPR and How it Applies to You

What is GDPR and what’s all the buzz about?

The General Data Protection Regulation (GDPR) is a new European Union (EU) regulation on data protection and privacy for individuals within the EU. Its purpose is to give more control to EU citizens and residents over their personal data collected over the internet. It was adopted on April 27, 2016 with a two year transition period, and becomes effective on May 25, 2018.

Since GDPR is the first update to data protection and privacy law in over two decades, it understandably introduces many new changes and updates to current privacy laws that we have grown so accustomed to over time. This has sparked fear and anxiety in online business owners, but its intent is not to intimidate but rather to give consumers an extra layer of protection over their personal data.

Although born in the EU and designed to protect EU residents’ and citizens’ privacy, GDPR has caught the attention of internet marketers, online entrepreneurs, bloggers, and anyone else with an online presence from all over the world because the scope of GDPR actually extends beyond only those individuals located in the EU. In fact, GDPR applies to anyone from anywhere in the world who stores or processes personal data from any individual in the EU. With the wide reaching nature of the internet these days, it is nearly impossible to limit the use of your website to only those outside of the EU (unless you apply specific geo-blocking features and risk losing a big chunk of your customer base), and for that reason, GDPR in practice applies to just about everyone around the world with an online presence.

What is personal data, and what constitutes storing or processing?

Great question. Let’s break down the rule a bit further. Personal data refers to any data that can be used to identify an individual. For example, an email address would be sufficient in most instances to identify an individual, as would a phone number, physical address, or social security number… you get the idea. Storing and processing also have pretty broad meanings and basically refer to any data you collect on your site, whether via a pop up box, questionnaire, or any other way, and store inside your database.

In order to process personal data, you must have what is called a “legal ground for the lawful processing of personal data.” There are six legal grounds for lawful processing of personal data as provided by the GDPR guidelines, and #1, 2, 3, and 6 will be relevant to you:

1. Consent. The user must give clear affirmative consent for you to process their personal data. This means they must have entered their personal data into your system, or checked a box consenting for their personal data to be processed. You cannot simply take an email address you had from a user 10 years ago, put it in your current email list, and include an “unsubscribe” button in your email. You have to get affirmative consent from your users to have their personal information in the first place.

2. Contractual necessity. You’ve already entered into a contract with your user and are required to process their personal data as part of the contract. For example, if someone fills out an application to become one of your coaching clients for your online coaching business, you do not need to obtain separate permission to process the personal data they sent you in their application form.

3. Legal obligations. You’re required by law to process their personal information. For example, when you hire an employee, you’re required by law to obtain personal data from them, such as their social security number, so you can prepare a W-2 form for them at the end of the year for purposes of filing their taxes.

4. Vital interests. You are required to process your user’s data as a matter of life and death. This is more applicable to hospital systems, for example, and will likely not be applicable to any of you reading this.

5. Public interest. You are required to process your user’s data as a matter of public interest. This also will likely not apply to any of you reading this post.

6. Legitimate interests. You have to have a legitimate interest in processing the user’s data. There isn’t much guidance out there about what exactly constitutes a legitimate interest, so at least for the time being it can be interpreted pretty broadly. The key here is to make sure that whatever legitimate interest you claim to have in processing your user’s data is not outweighed by the importance of protecting that user’s data privacy. So as long as you can justify having some reason to process your user’s data for a particular purpose and that purpose isn’t overshadowed by some bigger purpose to keep the user’s data private, you have a legitimate interest in processing their data.

If, after going through this list, you’re still unsure as to whether you have a legal ground for processing a user’s data, think about it from a more practical standpoint: put yourself in your user’s shoes and ask if you would feel comfortable with having your data processed through your site. Would you expect to receive email communications from your business? If yes, continue. If no, stop.

I’m not in the EU. Does GDPR apply to me?

Yes, it very well could. Anyone who processes any personal data online from EU residents and citizens is subject to the GDPR. Personal data can include a name and email address, cookie information, or IP addresses. The most common ways I have seen personal data collected online are through pop up email collection boxes, or through third party providers like Google Analytics or MailChimp that track users’ cookies on third party websites. That means if you use Google Analytics to monitor visitor statistics for your website or blog, and even one of your website visitors is in the EU, you are subject to GDPR because your users are subject to having their cookies (i.e. personal data) tracked when they visit your website.

At this point, you may be wondering: what if I don’t actively promote my website to users in the EU, but one of them happens across my site through no action on my part? GDPR would still apply. That’s why I recommend that everyone with an online presence ensure they are GDPR compliant, because the wide reaching nature of the internet these days makes it nearly impossible to ensure that users from a certain region are categorically barred from entry onto your site. Of course, if you wish to apply a geo-block to the entire EU region, you can do so and not have to deal with GDPR at all, but most business owners would probably not choose to go that route as it could substantially limit their customer base.

I don’t want EU customers, so I’m going to geo-block the entire EU region. Does that mean I can forget about GDPR?

Not so fast. You really want to think this one through. One reason you may want to consider being GDPR compliant even if you do not plan to promote to an EU audience is that other companies/brands outside the EU may not want to work with you unless you’re GDPR compliant. For example, say you have a VA (virtual assistant) business where you help clients map out and organize their email lists. Since your clients’ email lists (which contain personal data) will be transferred to your hands, if your client has any data belonging to anyone in the EU, they will want to know that you are GDPR compliant. Thus, even if your client is based in the U.S. and you have the entire EU region geo-blocked from even reaching your site, your U.S. based client may not want to work with you if they have any EU users and you are not GDPR compliant.


What’s the punishment for violating GDPR?

By failing to comply with GDPR, you may be fined up to €20 million or 4% of your worldwide turnover from the last 12 months. Since it would be impossible for EU regulators to audit every single business out there, realistically, the only way you’ll get on EU regulators’ radar is if they receive complaints about your business. But remember, all it takes is one snitch to rat you out, so it is a much better idea to be compliant with GDPR from the get go and not have to worry about what might happen to your business should it be investigated down the line.

But I’m not located in the EU. Can EU regulators really fine me?

Maybe not. However, as discussed above, not being GDPR compliant may result in your reputation being tarnished and loss of profits from clients not wanting to work with you because you’re not GDPR compliant. GDPR compliance reaches multiple levels, so simply zeroing in on your clients isn’t enough to make a decision to ignore GDPR; you need to think about your client’s clients and their clients as well.

Ok, so what should I do to be GDPR compliant?

Lots. The first thing you should do is draft a new Privacy Policy that’s GDPR compliant, or add language into your current Privacy Policy to make it GDPR compliant. Then, you need to email that Privacy Policy to your entire email list and get an affirmative response from your existing subscribers that they wish to remain on your email list. This means including a link for them to click to stay on your email list or asking them to reply with an affirmative “Yes, I’d like to stay on your email list.” Simply including an unsubscribe link and giving subscribers to your email list the option to opt out is not enough.

What do I need to include in my GDPR compliant privacy policy?

There are a few topics you must cover in your GDPR compliant privacy policy. The key with each of these topics is to be as transparent as you can, so your users are able to make an educated decision about whether they consent to giving you their data or not. It is also important to note that your privacy policy must be written in clear and plain language, so your users can actually understand what they’re reading and consenting to.

1. Description. Your privacy policy needs to describe exactly what data you’re collecting and what you’re going to be doing with that data. If you’re working with third party providers, like an email service provider, you have to disclose that as well and describe what that third party provider is going to be doing with the data.

2. Purpose. Your privacy policy needs to specify the purpose of your data collection. You must explain why you need to collect the data you’re collecting. For example, if you have an online business that only operates online (i.e. no snail mail), then you have no justifiable reason to collect physical addresses from your users. It wouldn’t make sense. You also cannot collect data for one purpose and use it for another. For example, you cannot collect email addresses for your online coaching business and then send that email list information about your online pet shop. The users who signed up for your online coaching business emails only consented to receiving communications from you regarding your online coaching business and not your online pet shop business. Basically, you have to be very specific about why you’re collecting the data you’re collecting and what type of content you’re going to be communicating to your users with their data.

3. Accuracy. Your privacy policy needs to explain your process for ensuring the data you collect is accurate. One aspect of GDPR is that you’re required to ensure that your data is accurate. For example, if you collect users’ names, emails, and phone numbers in your lead magnet, and one of the emails you send to a user bounces, it is your duty to phone them at the number they provided and ask for an accurate email address. If you only have a user’s email address, and you later discover that email to be incorrect, you must delete that data from your files.

4. Timing. Your privacy policy needs to give assurance to your users that you will not retain your users’ data beyond the time period relevant to your purpose for collecting their data. For example, if you had a booming soccer business 10 years ago and collected thousands of email addresses for that business, you cannot now use that email list for your new digital marketing business. The time period for when you collected your soccer business users’ emails has expired, so there is no longer a relevant purpose for you to have those email addresses.

5. Security. Your privacy policy needs to explain how you plan to keep your users’ data secure. What security measures do you have in place to prevent others from hacking into your system and stealing your users’ data? This needs to be spelled out for your user in your privacy policy.


What should I do with my new privacy policy?

You should first post your new privacy policy to your website right away. Then, depending on what you’ve determined to be your legal ground for lawfully processing your users’ personal data, you may need to email your existing email list a link to your new privacy policy and obtain new consent from them to remain a part of your email list.

If your email list is only one month old and you’ve determined your original ground for lawful processing to be “legitimate interest,” then it may not be necessary for you to do anything at this point, since your legitimate interest for processing your users’ data one month ago most likely has not changed from last month to now. However, if you’ve determined your original ground for lawful processing to be consent, then you will need to obtain new, affirmative consent from your EU users to remain on your email list by May 25, 2018. Do this by emailing them your new GDPR compliant privacy policy and having them either reply to your email stating that they wish to remain on your list or click a button resubscribing them to your email list.

If you’ve made it to this point, I applaud you for taking your business seriously by taking the time to try to get a better understanding of GDPR. This is the new wave of internet privacy regulations, and as online entrepreneurs, bloggers, and internet marketers, you need to have a strong understanding of GDPR so you don’t wake up one day down the line and realize how much damage has been done on your business because you decided to ignore GDPR way back when.

Hopefully my answers to some frequently asked questions about GDPR and how it applies to you gave you a better understanding of what GDPR is and what actionable next steps you need to take in your business to ensure GDPR compliance. Despite how long this post is, it is only an overview of GDPR and hasn’t even begun to dig into some of the nitty gritty nuances of GDPR. If you have any questions, please leave them below, and if you need GDPR compliant templates, send me an email at hello@dianadchen.com letting me know what you need, and I’ll be sure to send over the link when they’re ready for purchase!