How to get your online business GDPR ready?

Or, in other words, making GDPR sexy again

Last week, my entrepreneur friend Jodi Daniels and I hopped on a Facebook Live interview and talked about EVERYTHING GDPR.

When I first heard about this term a few months ago, I was so confused.

GDPR, or General Data Protection Regulation?

I was also confused about what this would mean for my business.

As a result, we decided to shed some light on this inside my Facebook group community, Social Media Funnel Hacks, as well, because I knew that I couldn’t be the only one feeling this way.

Here is the interview and all the things that we talked about.

Enjoy!

Cornelia: Jodi, thanks for being here!

Can you share your story with us and why you’re so passionate about this?

Jodi: Of course!

I’m Jodi Daniels.

I’m based in Atlanta, Georgia in the United States, and I spent a nineteen-year corporate career across four big multi-national companies.

Most recently, I was senior vice president at Bank of America as their digital privacy expert. I left last summer to go out on my own and join the online entrepreneur world where I started my own privacy consulting business.

Since then, I have been knee-deep in GDPR. I feel like I eat, breathe, sleep all things GDPR. I’m getting companies from one person to huge multinational companies ready for GDPR.

Why am I passionate? Because I see so much opportunity, and there’s so much confusion, that I really want to help bring everything I’m doing in my everyday world to the mass online audience.

Cornelia: How about we start with the basics?

GDPR might be completely new to someone. How would you explain it in one to three words?

Jodi: GDPR is all about protecting the EU residents’ personal data.

At a conference a couple of weeks ago, I heard from the original drafter of the GDPR, and she said that GDPR is all about giving back to an EU resident the rights over their digital data.

Cornelia: I’m curious. What conference was that?

Jodi: The Global Privacy Summit.

3,500 privacy professionals from around the world congregate in Washington D.C. every year to talk about the latest that is happening in privacy, and as you can imagine, it was GDPR, GDPR, and more GDPR.

Cornelia: So many Europeans are very freaked out about it because it does have an effect on your business—if you’re not becoming GDPR compliant.

Jodi: It really does.

I think it’s important to talk about who this affects.

We define it as protecting an EU resident’s personal data, but what if I’m in the US?

Why should I be focused on GDPR?

And that’s because any company around the world that’s processing that data or targeting that person has to comply.

If I have a website and I use my Facebook pixel set to global, and I lure you to sign up for my freebie, I have just embarked into GDPR world.

Cornelia: Can you tell us more about online businesses and what the next best step is that someone should take right now to prepare for GDPR?

Jodi: Great question.

The first thing that you need to know is what kind of data you have and how you are using it. You can’t write a privacy policy if you don’t know those basics.

And to do that, you have to know the definition of personal data because under GDPR, it’s a little different.

It’s not just what a lot of people think: name, email, address, financial information.

It’s also online identifiers.

It’s the Facebook pixel, the Google Analytics pixel, or any other pixel or cookie that you have on your site, as well as the IP address.

All of that is included in the definition of personal data.

Based on that, figure out what you are collecting and who you are sharing it with, such as an email service provider, an agency, vendors, etc.

Once you have that inventory, then you have to work on communicating what it is you’re doing to the person you have coming to your sites and services.

And that’s where the privacy notice comes in.

A privacy notice is a legal document.

It’s the document that is your communication to the user of what you’re collecting, how you’re using the data, who you’re sharing it with, how you’re protecting it, and how long you’re keeping it for.

GDPR has a number of very specific requirements you’re supposed to have in it.

And other companies have requirements too, such as Facebook and Google.

So, you have to get your privacy notice in order, and you can’t do that until you know what it is you have.

Cornelia: We’ve talked about segmenting your list so you can have a list for your European citizens and have a list for the rest of the world.

Is this something that is recommended right now?

Jodi: The other important part of GDPR is how you use the data.

You can’t just collect it and use it however you want.

You have to have what they call a legal basis to use it. One of the very common ones online is consent to be emailed.

The way we’ve been collecting consent is going to change under GDPR.

The email service providers are getting ready to help everyone be able to do this from a technological standpoint. But we have to do our jobs as the users to know how to use these tools.

Everyone is getting geared up to update the tools.

And what that means is that if I have a user from the US, I fall under the US laws, which means I can send you anything, and I have to be able to let you opt out.

Under GDPR, I also have to let you opt out but you have to opt in.

And the opt-in has to meet a bunch of specific rules, and one of the very first rules is that it has to be specific, and I can’t have a pre-checked box.

So, I can’t just give you my freebie and poof you’re automatically on my list.

As for the segmenting lists, the email service providers are starting to help you figure that out, depending on where your subscribers are from.

And it really depends on your business.

If you think you can separate your global customers like that, you can, but it’s just a lot to think about.

It’s a matter of how sophisticated your business is and how easy or not easy you want to make it.

I think it will be interesting to see how this will influence other areas.

If people get used to the GDPR way, will everyone get used to it and sort of come upstream with it, even if you don’t have to?

Cornelia: Is the opt-in checkbox necessary?

Jodi: It’s absolutely necessary!

That’s what the email service providers are working on.

You have to have that opt-in box.

The email service providers are giving you the tools, but you have to make sure you have the right language in place.

You have to have your privacy notice there, making sure it’s updated properly.

The other thing I think is important to know is that consent is not forever.

If five years from now, I have not opened anything from you, I should not be on your list.

Cornelia: About that consent, we get so many emails these days that we forget what we signed up for, and it usually goes straight into the spam folder.

So, I see this as a good thing, like tidying out your closet.

Jodi: I agree! I think a lot of people talk about having a really big list, but other people are more into quality lists that are small but convert well and have high engagement.

It’s not always about quantity.

Cornelia: I couldn’t agree more.

Do you have templates with the correct verbiage?

Jodi: Yeah, I have some checklists that you can get from my GDPR Secret Weapon Compliance Kit right here.

I also have a Facebook group, called GDPR 101, where we talk a lot about this.

Cornelia: Can you give us some background on why this whole GDPR thing came about?

Jodi: It’s really interesting.

There’s actually a pre-existing privacy directive in place called the Data Protection Directive from 1995.

But times have changed a little bit as the digital era came around.

They realized that after 20 plus years it was time to update how personal data is being used.

I think a significant amount came from the digital world with advertising, tracking, and everything around email (stalking or not stalking, depending on who you ask).

As I mentioned, the original drafter is all about GDPR giving people back their rights to their digital data.

There are 28 different states in the EU, and they all had their different versions of the Data Protection Directive. And now there is one GDPR.

Each state can enforce it a little different.

And that was one big part, to try and level the playing field.

Fundamentally, if you take away all of the crazy rules and check-boxes, it’s about protecting the rights and freedom of an EU resident.

And this really goes back to WWI and WWII.

Some of those sensitive information areas of data, such as race, ethnicity, sexual orientation, etc. could have some really negative impacts if people were profiled according to that information.

So, they’re trying to protect that privacy as a fundamental right.

When someone signs up for a freebie, it doesn’t always mean they want thirty more emails from your business.

And from a business perspective, it’s different than if you look at it from that person’s perspective; it helps to see what GDPR is all about.

Cornelia: It is really important to put yourself into the shoes of your customers.

There’s a human being behind every email you send, so just a little bit of sensitivity is really important.

Jodi: Exactly.

There’s a person behind that cookie, and that’s why they added that line about personal identifiers.

If you really use all of the technology and tools available, you can tell who “cookie 123” is, and that’s where GDPR is going.

Cornelia: Are there any loopholes?

Jodi: I’m sure there are some loopholes that are going to get figured out.

A lot of this is going to be in how you interpret it.

So, I mentioned you have to have a lawful basis.

The one part where I think you might find some is in “legitimate interest.”

It’s about how a business has to market to get business.

So, a company will say, “I can do all sorts of things to get business,” while the GDPR is saying, “no, that’s not quite what we had in mind.”

That’s where a lot of the gray areas are.

Cornelia: When someone opts in for our freebie, we automatically send them our newsletters, right?

Jodi: You have to add the verbiage so that they understand this.

You have, “Sign up for my freebie,” on your website, and you need that opt-in checkbox there.

It can’t be the way it used to be.

Just like in Facebook groups.

You can’t be asking for people’s email addresses to join groups because you need proof of that consent.

Consent is very complicated.

There are multiple pieces and it’s more than just this one simple form.

One of the pieces is that you can’t condition consent.

So, the freebie has value, and you shouldn’t have to accept the marketing to get the freebie.

Cornelia: What about existing subscribers?

Jodi: It applies retroactively.

If you have met GDPR requirements with your existing list, then you’re okay. Keep emailing.

If you haven’t, then people are doing some re-permission campaigns.

But be careful with that.

Do not email people who have opted-out.

Big companies have gotten in trouble with that. GDPR is in effect now but will be enforced on May 25.

Cornelia: What would be some of the verbiage for that?

Jodi: You can say, “Hey, you’ve been a member, and we’re working on our compliance in GDPR, and we still want you to be part of our community. If you do want to be part of our community, click here.”

You have to get that consent.

They need to take some type of action.

But you have to be careful not to put conditions on that consent or you’re back in the same circle.

It’s a great relationship builder.

Yes, people are likely not to click and your list will get smaller, but the people who do click will be loyal followers who have found value in what you’re doing.

Cornelia: Thank you for sharing that.

It’s a great point.

You have to be careful with compliance partners.

Jodi: If you collect with an email service provider, you’re responsible as a business for making sure that who you are working with is GDPR compliant.

If the vendor doesn’t figure it out, then you can’t use them.

Cornelia: When you have to confirm an opt-in, you have to click a link, and a lot of people don’t like to do that.

Jodi: That part of getting consent is on you as a business.

And people like the double opt-in because it confirms that it’s from the right person.

GDPR does not require the double opt-in, though Germany does.

It’s an industry best practice and it serves a great purpose because the burden of proof is on you.

Cornelia: Do you have a list of providers who have that double opt-in?

Jodi: All of the main ones that I can think of do: MailChimp, Convertkit, etc.

There’s one other part of GDPR that we haven’t touched on, and it’s called individual rights.

You’ve heard me say that GDPR is about the individual’s right to control their digital footprint, and a part of that is the right to be forgotten and the right to port data.

If I ask you to delete my data, that means to actually delete, not just unsubscribe or opt-out. Delete.

The idea for porting is more for e-commerce or a community where you have machine-imported data.

That idea is that your data is yours and you should be able to have it, like a medical record or a Netflix movie record.

The opt-outs become a gray area for people who ask if they can market to people who have opted out on another platform, such as Facebook ad targeting.

Some people will say that opting out of an email doesn’t mean they have opted out on Facebook, while others will say that opting out is opting out, period.

I would say not to do that, that people who opt out don’t want to hear from you and that you should move on.

Cornelia: Have there been any talks about how strong the enforcement is going to be?

Jodi: I think you’ll find that on May 28, some well-known brands will be in the news again and made an example of.

It’s a real law, and people need to take it seriously.

Cornelia: This was very helpful and easy to understand, so thank you!

Jodi: Don’t forget you can get a GDPR checklist from my GDPR Secret Weapon Compliance Kit.

Also, be sure to check out the GDPR workshop if you’re in for some more in-depth knowledge. It helps businesses become compliant with GDPR without all of the confusing legal jargon. It’s very step-by-step. Limited spots available for that one and you can sign up here: https://corneliapauline–redcloveradvisors.thrivecart.com/gdpr-secret-weapon-workshop/
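As an added example (not code from the original post, from Jodi’s kit, or from any email service provider), here is a small consent ledger that encodes the rules that came up in the conversation above: the freebie goes out whether or not the marketing box is ticked, a pre-checked box is refused, the stored record keeps the exact wording, notice version, source and timestamp as proof, the double opt-in link carries a keyed token so only the real address can confirm, consent lapses after five idle years, unsubscribing keeps a suppression record while erasure deletes the record itself, and export covers the right to port data. The class names, the notice-version string, the five-year window, the demo key and the sample addresses are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

NOTICE_VERSION = "privacy-notice-v2"        # assumption: id of the privacy notice shown at sign-up
CONSENT_MAX_IDLE = timedelta(days=5 * 365)  # the "five years without opening anything" rule


@dataclass
class ConsentRecord:
    """Proof of consent: what the person agreed to, when, and where."""
    email: str
    granted_at: datetime
    notice_version: str
    wording: str                              # exact text beside the (unticked) box
    source: str                               # form or page the sign-up came from
    confirmed_at: Optional[datetime] = None   # set when the double opt-in link is clicked
    unsubscribed_at: Optional[datetime] = None
    last_engaged_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self, secret: bytes):
        self._secret = secret                 # assumption: server-side key for confirmation tokens
        self._records: Dict[str, ConsentRecord] = {}

    def _token(self, email: str, granted_at: datetime) -> str:
        # HMAC over the address and sign-up time, so a link cannot confirm someone else's address
        msg = f"{email}|{granted_at.isoformat()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def handle_signup(self, email, marketing_box_checked, box_prechecked, wording, source, now):
        """Freebie sign-up. Returns (deliver_freebie, confirmation_token_or_None)."""
        if box_prechecked:
            raise ValueError("a pre-checked box is not valid consent")
        token = None
        if marketing_box_checked:
            self._records[email] = ConsentRecord(email, now, NOTICE_VERSION, wording, source)
            token = self._token(email, now)
        return True, token  # freebie goes out either way: consent is not a condition of it

    def confirm(self, email, token, now) -> bool:
        rec = self._records.get(email)
        if rec is None or not hmac.compare_digest(token, self._token(email, rec.granted_at)):
            return False
        rec.confirmed_at = rec.last_engaged_at = now
        return True

    def may_email(self, email, now) -> bool:
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None or rec.unsubscribed_at is not None:
            return False
        return now - (rec.last_engaged_at or rec.confirmed_at) <= CONSENT_MAX_IDLE

    def unsubscribe(self, email, now):
        rec = self._records.get(email)
        if rec is not None:
            rec.unsubscribed_at = now  # record kept so the address stays suppressed

    def erase(self, email) -> bool:
        """Right to be forgotten: the record itself goes, not just a flag on it."""
        return self._records.pop(email, None) is not None

    def export(self, email) -> Optional[dict]:
        """Right to port data: hand back everything held about the address."""
        rec = self._records.get(email)
        if rec is None:
            return None
        return {k: (v.isoformat() if isinstance(v, datetime) else v) for k, v in vars(rec).items()}


def demo() -> dict:
    """Walk the interview's scenarios with constructed data; each value is a pass/fail check."""
    ledger = ConsentLedger(secret=b"constructed-demo-key")
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    wording = "Yes, also send me the weekly newsletter (unsubscribe any time)."
    out = {}
    # Freebie without the marketing box: freebie delivered, nothing recorded, no mailing.
    deliver, token = ledger.handle_signup("a@example.com", False, False, wording, "freebie-page", t0)
    out["freebie_without_consent"] = deliver and token is None and not ledger.may_email("a@example.com", t0)
    # A pre-checked box is refused outright.
    try:
        ledger.handle_signup("b@example.com", True, True, wording, "freebie-page", t0)
        out["prechecked_rejected"] = False
    except ValueError:
        out["prechecked_rejected"] = True
    # Ticked box plus double opt-in: mailing allowed only after the right token confirms.
    _, token = ledger.handle_signup("c@example.com", True, False, wording, "freebie-page", t0)
    out["unconfirmed_blocked"] = not ledger.may_email("c@example.com", t0)
    out["bad_token_rejected"] = not ledger.confirm("c@example.com", "0" * 64, t0)
    out["confirmed_ok"] = ledger.confirm("c@example.com", token, t0) and ledger.may_email("c@example.com", t0)
    # Consent is not forever: five idle years and the address drops out.
    out["stale_blocked"] = not ledger.may_email("c@example.com", t0 + CONSENT_MAX_IDLE + timedelta(days=1))
    # Unsubscribe keeps a suppression record; erase removes the record entirely.
    ledger.unsubscribe("c@example.com", t0 + timedelta(days=600))
    out["unsubscribed_blocked"] = not ledger.may_email("c@example.com", t0 + timedelta(days=601))
    out["export_before_erase"] = ledger.export("c@example.com") is not None
    out["erased"] = ledger.erase("c@example.com") and ledger.export("c@example.com") is None
    return out
```

Call `demo()` to run the scenarios; every entry in the returned dict should be `True`. Two design choices are worth noting. The confirmation token is a keyed hash rather than a random value stored alongside the record, so it needs no extra storage and cannot be forged without the server key; use `hmac.compare_digest` when checking it so timing differences leak nothing. Unsubscribe and erase are deliberately different operations: an unsubscribed address stays in the ledger as proof that you must not mail it again, while an erasure request removes the record, which is the "actually delete" distinction made in the interview.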

P.s. You might also enjoy: https://corneliapauline.com/2018/02/09/17-hats-review-powerful-business-app-small-businesses-like/

Posted by

Hi! I'm Cornelia Pauline, the author of this pretty badass blog. My team and I have been running a full-time, international digital marketing agency for the past 3 years. We've helped many of our clients scale up to multiple 6-and-7 figures. Throughout this blog, I hope to provide kickass value by sharing my knowledge with you ;).
