What Every Online Marketer Needs to Know About GDPR
What you need to know about GDPR – If you have not fully read up on what the GDPR (General Data Protection Regulation) really means to you as an online marketer then I strongly suggest you take a few minutes to read this article. There is a lot of information floating around the internet, but it reads like a text book, and most online marketers aren’t fully understanding what exactly it means and how it directly impacts them through their activities.
For those that know me, I am a very straight to the point person, and extremely transparent. Not only does GDPR affect me, but it also impacts all of our clients at SerpLogic, my SEO agency. It officially went live in May, but the majority of online businesses still haven’t taken appropriate measures yet. Let’s dive into it and explain what it really means and what you need to do to protect yourself and your business from potential fines and penalties down the road.
Before I begin though, I want to make it very clear that I am not a lawyer and what I am saying is not to be taken as legal advice. I’m simply breaking down GDPR in a way that is easy to understand from an online marketer point of view. It’s a good idea to always consult a legal professional for expert advice and direction.
So, what is GDPR and why do online marketers need to fully understand it?
There have been so many data breaches and misuse of consumer’s personal data online in recent time, so it’s no surprise something like GDPR was put into place. It officially went into law on May 25, 2018 and it’s being enforced throughout the EU.
To make it as simple as possible to grasp, GDPR impacts how we, as marketers, collect and store consumer data. There are things you will need to change and follow moving forward, in order to stay compliant.
With everything moving online, and requiring some sort of personal information, from movie reservations to full-on e-commerce purchases, almost every website collects some personal data. While it’s not something us as online marketers want to deal with, it is something that was needed to be done.
To fully understand why this needed to be put into place it’s best to think of consumer data like o form of currency. Think about it from a marketing point of view for a minute. When you build an email list, it’s valuable, right? How about a remarketing list on Facebook? That has enormous value.
Internet marketing as a whole has been almost like the wild west, with zero regard for safety and protection when it comes to personal information and security. Look back to the early days of e-commerce, and you will see that websites that were accepting credit card payments were not even running on secure connections. Today, no merchant provider will issue an account to a website that isn’t using SSL and HTTPS.
The simplest definition of GDPR: Using and storing consumer data safely and responsibly. That is what it all comes down to when you remove all the gibberish.
What GDPR really means.
It all boils down to transparency with customers, and that is something you should strive for, even if GDPR wasn’t being enforced. When you build trust it creates customers that are loyal and become repeat buyers.
It’s much easier (and cheaper) to sell to your existing customer base than it is to attract new customers, so don’t think of GDPR as a nightmare and inconvenience. Truthfully, any online business that has an issue with GDPR is probably not to be trusted anyway or has something to hide. You can even use this as an opportunity to strengthen your relationship with your customers. Something as sending out an email explaining that you are 100 percent compliant shows them that you take their security and privacy seriously.
GDPR non-compliance penalties.
You need to take GDPR seriously, because if you don’t there are some hefty penalties involved. If you are hit with a penalty it could be up to €20 million or 4 percent of the annual income, whatever is the larger number.
They are making the penalties very steep in an effort to force companies to be compliant. A company will receive warnings first, but it’s really unclear how that works or how many warnings can be issued, so I would suggest not relying on that and act as if the large fines are for the first offense. You are going to need to comply regardless, so do it now rather than risk it.
GDPR has been long in the making.
Many online marketers are just now hearing about GDPR and assuming that it was something that happened overnight, but that isn’t the case at all. It’s something that has been in the works since early 2016, and it’s simply making the old data protection regulation modernized, as the entire online ecosystem has changed drastically since the internet was first born.
This isn’t a blind attack on online e-commerce and web-based companies. it’s just something to help protect consumers. We tend to always think from a marketing point of view, but in order to fully grasp GDPR take a step back and put yourself in the consumers’ shoes. Don’t you want to know what your personal information will be used for and have full control over it? I know I do, and I am sure you do as well.
How GDPR relates to online marketers that are not located in the EU.
GDPR applies to any company or websites that handles and stores data of EU citizens, regardless of their location. So, if you are located in the United States, but have EU customers, then GDPR applies to you. With the power of the internet, almost every single website had EU citizen data, or will in the future, so I highly recommend that every single online marketer assure that they are GDPR compliant immediately.
GDPR impacts the following data that online marketers collect and store.
The EU constantly refers to “personal data” and many question what that truly means. It means any data or information that can be used to identify someone online. The basic information includes:
• Email Address
• IP Address
• Profile Pictures
Must-understand areas the GDPR legislation covers.
There are several areas that the GDPR covers, so I will break them down and explain them in simple terms. This should give you a pretty solid understanding of what it covers and why these are focus points for the new changes.
Privacy by Design: This basically means that you need to take data protection and compliance into consideration when building something new online. This could be anything from a new landing page or a full-on e-commerce storefront. Every data collection point and storage needs to comply with GDPR.
Data Portability: Your customers (or subscribers) can now request their information at any time, and you need to be able to deliver it to them electronically.
Right to Access: You need to be able to provide the data you collect and store to anyone when and if they request access to it. You need to be able to show them what data you have on them, how it’s stored and why you need it. You also cannot charge them for this. All information needs to be provided to them free of charge.
Data Protection Officers: This isn’t really going to apply to 99.9% of online marketers, as it relates to large corporations that specialize in data collection and processing. If that is their main business focus (like a lead generation company or an email data provider) they are now required to appoint an employee as a dedicated Data Protection Officer. Look for DPO to become a household title, just like CMO and CEO.
Data Breach Notification: This is simple, and something everyone should have done long before GDPR came into play, and that is notify customers of a data breach within 72 hours. It’s simply good business practice, and now it’s the law.
Right to Erasure: Think of this like an unsubscribe opt-out, but for all data, not just an email address. If a customer requests this, you must delete all personal information and data that was collected on them.
Main points that online marketers need to understand regarding GDPR.
There are a few main points that I want to touch on that will apply to almost anyone that markets online, from email list building and affiliate offers to owning online stores or doing drop shipping.
Email opt-in and opt-out.
You can no longer have a pre-checked box on contact forms that automatically puts that person on your email list. You need a dedicated opt-in for every list. You also need to be able to show proof that someone gave you permission to add them to your list. It’s also a good idea to require a double-opt-in or a “click to confirm” that makes the subscriber go through an additional step. Then, if asked you can provide undeniable proof that they requested and gave permission to be added to the list.
Data collection forms.
Any form linked to an opt-in must be compliant as well. To help build trust, I would even suggest adding a little text along the lines of “We are GDPR compliant. Your information is safe.” It’s a simple thing that can help increase your opt-in rate.
CRM data management.
Above, I explained the Right to Erasure, where a customer can request that all information and data about them is erased. This applies to your CRM as well, so you can’t simply mark them as a dead lead or non-customer. You must now completely and permanently delete them from your CRM.
No more adding data to lists without opt-in.
A lot of marketers will combine lists and that is a big no-no now. To be added to a list, someone needs to give you permission for that specific list. Even if it’s data from the same company, each list must have undeniable proof that the contact gave you specific permission.
Be careful buying data — strongly advise against it.
Remember the old days of online marketing when you would buy an email list, load it up into an email provider and blast away, without any care in the world for anti-spam regulations? Well, now that every list needs to have explicit permission, buying data is not a wise move. Third-party data brokers don’t care, because you take on the liability once you send the mail. Build lists correctly rather than risk getting slapped with a GDPR penalty.
Online marketers rely heavily on third-party software and tools, so it’s important to know whether or not the tools and services you use are GDPR compliant. If not, stop using them right away. Most providers, like Mailchimp, for example, have been very diligent and have informed customers that they are indeed GDPR compliant. If you stop using a particular tool or service, make sure that all of the data is purged and permanently deleted to eliminate the chance of being liable in the future.
Final suggestions related to GDPR compliance.
GDPR is here and it’s not something to consider in the future like it once was. It’s now something that you need to ensure is implemented as quickly as possible.
It’s a good idea to do a full audit of your entire online business model, from prospecting to how your active customer data is stored and accessed. If you are a larger company with multiple team members and employees, it’s wide to create company training and documentation regarding GDPR and require everyone to read and sign it.
If you operate websites, then they should already have privacy policies, so it’s a good idea to update them and then email your entire database to let them know it’s been updated, that you are 100 percent GDPR compliant, and where they can go to read your updated policy. Little things like this help, and while they might not all read it, just seeing that email come over helps to build a stronger trust-bond with your customers.
Like you, I am not a fan of jumping through hoops, but times are changing. In order to thrive online these days you need to create an environment that instills confidence and trust, and GDPR is something that needs to be looked at like something that will benefit your online success, and not as an inconvenience.
What have you done to prepare your online business for GDPR? Drop a comment below and let’s get a discussion brewing that will benefit all of the readers.
To read more about GDPR check out The Essential Guide to GDPR