***DISCLAIMER*** Please note I am not a legal professional and this article should not be taken as legal advice. That could lead to unsavory outcomes and neither of us would like that very much.
You may not be of the certain age necessary to appreciate Douglas Adams’ impeccable series, The Hitchhiker’s Guide to the Galaxy. And no, I’m afraid the movie adaptation simply doesn’t count; after all those years of waiting after the rights were purchased, and Mr Adams’ letters enquiring as to when it would be made, it was a relief he’d moved on from this planet with a towel in his hand before that became a reality.
But if you care to do a little research you will discover the Guide had inscribed, in friendly letters on the cover, the words: ‘Don’t Panic’.
It’s to this simple instruction I’d like to refer you as we take a walk through the principals of the EU’s General Data Protection Regulation (GDPR) that takes effect on May 25.
Shall we begin?
The GDPR’s purpose is to give people a little more power over their privacy.
There are a few difficulties with the execution of the legislation, which we will look at in a minute. But the first point that requests your attention is the Rights of the User. If you are a Data Controller (yes, it means exactly that – you have control over user data on your site) you will be required to explain in very clear terms to a user what you would like their details for, how you will use those details, and you will need to have systems in place that allow a user to access their data or have it removed.
The GDPR legislation relates to the European Union – people living in the EU who are on your email list, access your website, and use your apps. Additionally, Facebook has adopted the standards of the legislation across the board.
And if you fail to comply? Organizations can be fined up to €20 million or 4 percent of annual global revenue, whichever is higher.
What are we to do?
See paragraph 2.
The reality of a small business getting smacked with these fines on 26th May or anytime soon, is remote. Where you may have a concern is if you get that one person who genuinely has nothing better to do and, for reasons that amuse only themselves, may report you.
As I see it, the key is to take basic steps to protect yourself.
Your site will need to send an immediate, prominent message to a new user that appears on whatever page the user first lands on, detailing that the site tracks data, what data it tracks and why it tracks that data.
Tracking information includes, for instance, IP address, name, email, phone, address, and pages/items engaged with. I imagine you are beginning to see the problem with compliance. How does one maintain a record of who opted in and who declined if one cannot track the IP session? An anonymous bridging page?
Best to stick with best practice.
Here is a list of the minimum you’re required to state:
- who your company/organization is
- why your company/organization will be using their personal data;
- the categories of personal data concerned;
- the legal justification for processing their data;
- for how long the data will be kept;
- who else might receive it;
- whether their personal data will be transferred to a recipient outside the EU;
- that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
- the website user’s right to lodge a complaint with a Data Protection Authority (DPA);
- the website user’s right to withdraw consent at any time;
- and, where applicable, the existence of automated decision-making and the logic involved, including the consequences of that.
Your Email List
The GDPR requires you to send your Privacy Notice to your subscribers to confirm, amongst other things, how you collect and process their personal data.
If you do not have compliant consent (that is, you can’t prove how you have collected people’s data with their consent) you are required to contact each person and ask for fresh consent to be given.
Before you do this, I suggest you send an email series that builds fresh engagement with your list, then send the invitation to opt-in under the new legislation. That way you’ll have a more active list (and you know you want it) resulting in a higher open rate for the big invitation.
Email Service Providers
Most likely, your Email Service Provider will have you sign an addendum to their terms that you previously agreed to. It is likely the Addendum will have you confirm you are responsible to maintaining the privacy of the data you collect and that you are responsible for acquiring the data in a legal manner.
Advertising on Facebook? Of course you are. Here are links to the official terms and provisions.
My non-legal opinion summary is that you are responsible for the custom audiences you create, for the manner in which your users’ data is used on apps, and for tracking via other platforms (for example, Eventbrite).
Facebook Business Tools Terms
Custom Audiences Terms
This one will provide ongoing entertainment: email lists will need to dynamically update so that when people unsubscribe they will be removed from your Facebook retargeting campaigns.
When you work out how to implement that, please let me know.
By uploading user data to Facebook, you are liable for that data. Therefore, if you are doing this for clients it’s a very sensible idea to update your contract and have the client sign as confirmation they have adhered to updated privacy legislation.
Wrapping it up
Make a cup of tea and see paragraph 2 (or this time, inscribe it friendly letters on the cover of your laptop).
Take every step to comply with the legislation, and let your customers know you are doing so.
Then get back to business and take over the galaxy.