Getting GDPR Ready-ish
In case you have been living under a rock, GDPR stands for General Data Protection Regulations and there are new rules coming into place that affect us all and people are starting to panic.
Reasons to Be Cheerful
GDPR is designed to stop unscrupulous companies scraping our data and flogging it to the lowest bidder who then spams us from here to kingdom come. The changes are not so scary and they are also going to benefit us all, both as consumers and business owners.
Consumers should hopefully end up with less spam in their inboxes. I hope that this will apply to cold callers too – I don’t need a new energy supplier, but thank you.
As business owners, we’ll end up with people on our mailing lists that want to be there. The lists will be smaller but the open rates will be better because of this. It’s all good.
We Mustn’t Panic
I find legal jargon terribly boring and scare-mongering very distasteful. There’s been a lot of both about in the run up to the GDPR implementation on 25th May and I think it’s time to calm down a bit.
I’m helping my clients to become as GDPR-ready as we think we need to be and I am being quite level-headed (blasé) about it, or there is a risk of overwhelm, which usually precedes inaction and then massive over-reaction. We haven’t the time or energy for that.
So whilst I cannot stress enough that I am not a lawyer and this isn’t legal advice, I’m also not an idiot and neither are you, so I think we can all get ourselves to a point where we are GDPR-Ready-ish without too much stress and panic.
Having heard from many people that have been in touch with the ICO (the guys responsible for enforcing GDPR regulations in the UK), it is very clear they aren’t gunning for small businesses like us who are doing the best we can. Their initial task is going to be to protect us all from bigger and nastier beings that have unscrupulous motives for using our data. That doesn’t mean you are not obligated to conform, but there is going to be room for judgement. Basically, be a good person. Treat data with respect, have a simple method to unsubscribe, respond to data requests promptly. Don’t be a dick.
10 Steps to GDPR – My Shortcuts
With all this in mind, these are the 10 steps that I am implementing with my clients at the moment:
- Make Inventory of Where/How Data is Processed (create list of all)
- Add GDPR Compliant Privacy Notice on Website
- Send Privacy Notice to Subscribers
- Set-up Double Opt-In in Mailing List
- Record Consent on Mailing List
- Add GDPR Fields to Pop-Ups
- Add GDPR Fields to Opt-Ins (create list of all)
- Confirm Sales Gateways are GDPR Compliant
- Add Cookie Pop-Up or Link to Footer
1. Make Inventory of Where/How Data is Processed (create list of all)
Add the list of processors to the privacy notice. Then, as part of step 9, try to ensure that each processor is GDPR ready (especially payment processors) so customers’ data is secure and compliant. This could include PayPal for transaction processing, Shopify for purchasing and Mailchimp for newsletter mailouts.
2. Add GDPR Compliant Privacy Notice on Website
There are templates for these all over the internet. I decided to keep mine especially short because my limited understanding of the legislation is that it is really important to make it clear to your customers what data you collect and how you handle it. So I believe less is more. But I can always add to it later if it’s deemed insufficient. You can view my privacy notice here.
3. Send Privacy Notice to Subscribers
A simple email containing the info above or notice that it’s been updated and a link to the privacy notice seems to do the trick. Also remind subscribers clearly that they can unsubscribe at any time. Not complicated.
5. Set-up Double Opt-In in Mailing List
I use Mailchimp for almost all of the mailing lists that I manage, so this is simple and has been in place for a long time (perhaps forever). Simply change the default list settings and select ‘double opt-in’. This means if someone signs up for your mailing list or an opt-in on your website, then they are only added to your mailing list if they confirm their choice via an email that is sent out after first signing up on your site. It’s pretty solid.
6. Record Consent on Mailing List
This is super easy to achieve on Mailchimp as the double opt-in consent is automatically recorded. So nothing we had to do here.
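To show what steps 5 and 6 amount to under the hood, here is a small example written for this post (not Mailchimp’s code): a sign-up is only held as pending, the confirmation link carries a signed, time-limited token, and a consent record with its source and timestamps is written only when that link is used. The class and function names, the signing key and the 48-hour expiry are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed: a per-deployment signing key (load it from configuration in a real service).
SIGNING_KEY = secrets.token_bytes(32)
CONFIRM_TTL_SECONDS = 48 * 3600  # confirmation links stop working after two days

def confirm_token(email: str, issued_at: int) -> str:
    # The HMAC ties the link to one address and one signup time, so it cannot be guessed
    # by an outsider or reused to confirm a different address.
    mac = hmac.new(SIGNING_KEY, f"{email}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{issued_at}.{mac}"

class MailingList:
    def __init__(self) -> None:
        self.pending = {}  # email -> {"issued_at", "source"}: signed up, not yet confirmed
        self.members = {}  # email -> consent record kept as evidence of how consent was given

    def signup(self, email: str, source: str, now: int) -> str:
        # Form submission: nothing joins the list yet; the token goes into the confirmation email.
        self.pending[email] = {"issued_at": now, "source": source}
        return confirm_token(email, now)

    def confirm(self, email: str, token: str, now: int) -> bool:
        # Link clicked: only a valid, unexpired, unused token adds the member and records consent.
        entry = self.pending.get(email)
        if entry is None:
            return False
        try:
            issued_str, mac = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False
        if issued_at != entry["issued_at"] or now - issued_at > CONFIRM_TTL_SECONDS:
            return False
        if not hmac.compare_digest(mac, confirm_token(email, issued_at).split(".", 1)[1]):
            return False
        self.members[email] = {"source": entry["source"], "signed_up_at": issued_at,
                               "confirmed_at": now, "method": "double opt-in"}
        del self.pending[email]
        return True

    def unsubscribe(self, email: str, now: int):
        # Withdrawal is one call; the returned record is timestamped so it can be archived.
        record = self.members.pop(email, None)
        if record is not None:
            record["withdrawn_at"] = now
        return record
```

The consent record is the part that matters for step 6: it says which form the address came from, when they signed up, when they confirmed and, later, when they left.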
7. Add GDPR Fields to Pop-Ups
You edit them in the list form builder. On my website you will see this pop-up with the edited GDPR fields implemented after a few seconds. They are not perfect but I think they are as short as they can be whilst still including the compliant text.
8. Add GDPR Fields to Opt-Ins (create list of all)
This has been a not so straightforward issue and is actually an ongoing project.
I have made a list of all pages/posts where there is an opt-in (a freebie or something that visitors can download in exchange for their email address). Each of these forms needs updating to be GDPR compliant – it needs to be clear that the freebie is part of joining the mailing list (a point that is still being debated in many different forums) or you need to offer the download without actually necessarily getting a sign up for your mailing list, which is not such an attractive prospect for business owners.
Now here’s my current problem. Mailchimp GDPR fields are not currently available on landing pages or embedded forms (only on pop-up forms, see above). Balls.
I’ve figured out a really rough workaround if required, which is basically to add in some checkboxes and text fields to explicitly ask for consent and then drop them into groups. But it’s messy and I think in a few months’ time it might be hard to track, validate and prove consent with that. So I have asked Mailchimp for an update and I am hoping they are working on a cleaner, more integrated solution for this. Fingers crossed!
9. Confirm Sales Gateways are GDPR Compliant
I’m contacting all of my clients’ sales gateways – the folks that process payments, shop sales, ticketing sales, fulfilment, etc. – and checking their GDPR policies are up to scratch and that they have a secure process in place for handling our clients’ data.
In reality, we don’t have much control over this, but each client is responsible for any breaches of data or violations, so we have to ask the questions and be as comfortable and confident as we can be that they are on it. Beyond that, honestly I don’t know if there is more that can be done. Answers on a postcard…
10. Add Cookie Pop-Up or Link to Footer
One extra step that I might take for all clients is to start removing list members that have not opened a newsletter in a while. This is simple housekeeping and will improve the list statistics. Besides, anyone who hasn’t interacted with the list in a while probably is no longer receiving the mails or is no longer interested. It makes sense to make a cull. I’ll probably start with anyone that did not open the last 10 emails, but I won’t remove customers. We need to keep them on the list.
What I’m not doing for me or any of my clients is sending out re-consent campaigns. I’m pretty confident that the people on our respective lists were either customers or have opted in with suitable levels of consent. I cannot see any business case for bombarding your mailing list with begging emails asking them to let you stay in touch (you are probably already bored of getting these yourself).
If your subscribers weren’t reading your emails before, then they won’t read these ones. And if they were, then it will simply cause email fatigue to send what I consider to be low-value emails.
I feel like every email you send to your list should earn its place in their inbox by offering amazing and interesting content. Plus, there is an unsubscribe on every email that is ever sent out. I say let people opt out if they want out, but I won’t be spending time and money asking them to re-opt in.
Did I mention that I am not qualified to give you any legal advice about GDPR? I think I already did, so now that we have that covered (twice), let me suggest where you can get some legal advice.
I joined this really helpful GDPR group run by a legal expert, Suzanne Dibble. I paid and downloaded the pack of legal documents and supporting videos (this post is NOT a copy and paste of that content, which would violate copyright and just be downright shady).
But if you want to discover it all for yourself then I can recommend starting with this free GDPR Checklist here.
However, do remember just downloading it won’t make you any more compliant than you are now. You have to take action!
Or wing it with shortcuts like I do. 😉