How to Address the GDPR on Your Personal Website

Legal Disclaimer: I am not a lawyer. This article should NOT be considered or taken as legal advice. It's intended for informational purposes only. If possible, consult with a lawyer who understands your global online business.

The GDPR (General Data Protection Regulation) is a new EU (European Union) law that goes into affect on Friday, May 25, 2018.

It is a new privacy law meant to create and maintain trust in how personal data is being collected, handled, and processed.

Personal data may include:
Name
Email
Phone
IP Address
Shipping/Billing Addresses
Payment Information

Tony's Translation: GDPR protects anything attached to you (or your visitor's) identity online. 

Complied by Bobby Klinck (linked below), the top six principes are that data shall be...
"...processed lawfully, fairly and in a transparent manner."
"...collected for specified, explicit, and legitimate purposes."
"...limited to what is necessary for the purpose."
"...accurate, kept up-to-date, and corrected."
"...kept so it identifies... no longer than necessary."
"...processed in a manner that ensures appropriate security."

It also includes the "Right to Erasure" or "Right to be Forgotten" - the ability to completely delete your data with any company, such as Facebook. 

Tony's Translation: this is a great thing!

This law is in effect when you or your audience are living or visiting the 28 countries of the EU (European Union). 

The EU includes Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (until Brexit causes them to leave in 2019).

Tony's Translation: GDPR covers anyone with a website tracking analytics, as well as an email or audience database. Side note: If you don't have an email list, whether you consider yourself a nobody or somebody, stop what you're doing and get one ASAP. Think of it as your insurance policy. This article shares why you need one.

STEP ONE: Add or Update Privacy Policy. You may notice the new Privacy Policy and Terms of Use in our footer, as well as a new Cookie pop up to comply with an EU Cookie Law. The greatest thing? As I add or remove services (such as Google Analytics, MailChimp, Facebook Ads, etc.), this policy automatically updates via code! Here's a $25 tool I used to do this. Note that this is an affiliate link and I may earn a small commission... but $25 beats paying a lawyer $250/hour! 

STEP TWO: Notify Existing Members. While some experts are suggesting getting "reconsent" from your list (even segmenting and getting reconsent from ONLY members in the EU or TBD locations, and NOT sending a confirmation opt-in to members in the USA, for example), I'm learning this may not be necessary. I will keep updating this article but I do believe you need to email a link to your updated Privacy Policy and include a link to unsubscribe (as always) in the footer. 

STEP THREE: Get GDPR Consent from Future Members. Be sure to adjust your email sign ups and forms (including contact and checkout) on your website. Always include a link to your privacy policy. For email, I recommend implementing a double opt-in (needing to click a link in delivery email to confirm and complete sign up) as well as a checkbox or dropdown on the signup form to indicate active consent.

Legally, non-compliance can be hit with large financial penalties of up to 20 million. 

Tony's Translation: While I feel this law is intended to police large multi-national internet companies like Google, Facebook, MailChimp, Squarespace, Banks, etc... it covers everyone living or visiting the EU! Better safe than sorry!

The GDPR is 261 pages long. The first 100+ pages are a preamble, followed by approximately 150 pages of law. I haven't read it, but I have educated myself via the following sources:
Susan Dribble
Amy Porterfield
Michelle Martello
Squarespace
MailChimp