By now, you’ve got a bunch of emails from organisations citing the General Data Protection Regulation (GDPR) as a reason they need you to opt back in to receive their sends. We know you’ve probably got some questions about what it all means and if you need to prepare for it.
It’s important for you (okay, and us too) that we let you know this article is only provided as a resource, but it’s not legal advice. If you think you might need more advice, or more legal-based information, we highly recommend you to speak to a lawyer to learn how the GDPR may affect your organisation.
The General Data Protection Regulation (or GDPR for short) is a European Union (EU) privacy law that will affect businesses and organisations all around the world.
The GDPR regulates how any organisation subject to the Regulation treats or uses the personal data of people located in the EU. “Personal data” is any piece of data that, used alone or with other data, could identify a person. We’re talking names, email addresses, bank details, shipping addresses, dates of birth – pretty much anything you might collect online to offer your customers your goods and services.
The GDPR replaces an older directive on data privacy, Directive 95/46/EC, and introduces a few important changes that may affect how you do business online.
The GDPR comes into effect on May 25, 2018 so, if you haven’t already, it’s time to get your skates on, and consult with a lawyer if you think this might affect you and your business.
Although this law comes from the European Union, the internet means it could potentially affect everyone around the world, in particular anyone gathering data online from users.
If you have an email subscription on your website, take personal data for sales, or in some cases have the potential for website visitors from the EU, then this may affect your organisation.
Basically, if you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens (which, let’s face it, the internet allows anyone to come from anywhere to see your site and sign up for your emails), you’ll need to comply with the GDPR.
You need to have a verifiable legal basis, like explicit consent, to process an EU citizen’s personal data. Under the new directive, you might use another legal basis for processing personal data, but for most organisations getting explicit opt-in consent is the easy way to go. This consent must be specific and verifiable, so no pre-checked boxes in your sign-up forms.
Verifiable consent means you need a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a distinct affirmative action. This means clear language and no sneaky pre-checked boxes allowing for marketing messages to be sent to your customers.
The GDPR also outlines the rights of people in the EU around their personal data. EU citizens have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support people’s requests in a timely manner. People have the right to request that their personal data be corrected, provided to them, prohibited for certain uses, or removed completely.
You should also be able to tell someone, among other things, how their personal data is being used. If they ask, you’re obligated to share the personal data you hold on an individual, or offer a way for them to access it.
If you use an email subscription service, or some kind of tool to collect personal data (tools like Mailchimp, AWeber, Active Campaign or millions of other options), they will probably have already told you about the changes they’re making to make sure you’re compliant with the new directive from the EU. If they haven’t, or if you’re using your own methods for email marketing or eCommerce, then you’ll need to make sense of the GDPR, what it means for your organisation, and what changes you need to make to ensure you’re not at risk of litigation. The best bet? Have a lawyer who specialises in this area take a look at your website and marketing practices and give you solid legal advice.