6 Steps to Ensure You’re GDPR Compliant

[Note: This material has been prepared for informational purposes only, and is not intended to provide and should not be relied on for legal advice or GDPR compliance. If you have further questions about compliance, consult your legal counsel.]

For the longest time, the internet has been the Wild West when it comes to online data. You could take it, hoard it, and even sell it without users ever knowing.

But there’s a new sheriff in town.

Well, more specifically, there’s a new sheriff in Europe.

By now, you’ve heard all about General Data Protection Regulation (or GDPR), the new legislation that went into effect last month and gives citizens in the European Union (EU) much more control over how their personal data is obtained, retained, and used.

But have you taken action with your business or website yet?

If any of your subscribers or customers live in the EU, you must ensure you’re in compliance with the new regulations. If you don’t, you could be subject to incredibly heavy fines of up to €20 million or 4% of the annual worldwide turnover of the previous financial year.

But even if you’re found to be in violation of GDPR and you aren’t fined, your company could still take a substantial hit to its reputation and your clients will undoubtedly lose trust.

The good news is that if you’ve always been transparent about your data collection and you’ve never been shady about your methods, there’s probably no need to panic.

But you still definitely need to take action. We’ve got six steps you can take right now to make sure you’re in compliance.

1. Audit Your Existing Contacts

Before you get started on safeguarding for the future, it’s vital that you take a look at your current list of contacts and find out which ones are based in the EU.

1. Find out where your contacts are based through their IP addresses and determine which ones are in the EU.
2. Send email that’ll ask the contact to confirm their consent to receive emails from you.

2. Remove Unengaged Contacts From Your List

Keeping your email list is clean is imperative. Email platforms like Infusionsoft have policies to suspend any account with too many bounces or spam complaints, and keeping a clean email list will keep you in good standing with your email marketing service provider while improving your deliverability with your contacts’ internet service providers.

Check out the basics below or click here for our guide to the essentials of email list health.

• Identify contacts who have engaged with your emails in the past six months.
• Launch a re-engagement campaign in an attempt to get any unengaged contacts back.
• Remove unengaged contacts from your campaigns.
• Evaluate the language you’re using on your opt-in form to ensure contacts know what type of communication you plan to send them.

3. Segment Your Contacts Based on Location

Once you’ve geolocated your contacts, it’s time to take action for those who live in the EU. Add segmentation and, if you do have customers in the EU, do a top level EU email extension segmentation. Here’s how you do that:

• Segment and re-engage the contacts in the EU and ask for their consent to continue to email them.
• Identify contacts with an unknown location who are highly engaged and matched them to determine their location and determine if they’re still marketable.
• Consider retaining a EU representative through Verasafe.
• Sign a Data Protection Agreement.

4. Update Your Privacy Policy

The cornerstone of GDPR is that you must have a privacy policy that is in clear language and transparent about your intentions with user data. Implement a new GDPR-compliant privacy policy and make sure it’s in the footer of all web pages and on every opt-in and order form. Here’s what you should be changing:

• New rights. State that you’ve incorporated users’ additional rights and outline what data you’ll hold and how you’ll use it.
• Transparency. Express that you’ve made it easier for users to understand how you collect your data, process it, and keep it secure.
• Control. Outline how users can access, manage, and make requests to change their data.
• Right to be forgotten, object, rectification, portability, and access. Explain that any EU contact can email your support team to request their data be accessed, deleted, changed or transferred.

5. Update Opt-In Forms for Consent

Another big change of GDPR is that users must now give explicit consent to provide their data, and they have the right to know exactly what they’re agreeing to. It’s imperative that you implement a new procedure for consent in all areas where data is collected, like newsletter signups, opt-in pages, and order forms.

Based on user location, display a checkbox for consent on all opt-in locations. If an EU contact doesn’t check the box, don’t send them promotional emails. Your privacy policy must clearly state what data is collected, why it’s needed, and how it will be used.

• If a contact is from an EU location: An unchecked checkbox should be presented with this wording: “I agree to your Terms of Service and Privacy Policy.”
• If a contact is not from an EU location: Include wording like “By clicking on the button below you agree to our terms of conditions and privacy policy.”

Add a small pop-up notifying new visitors to your website about the use of cookies and asking them to confirm whether they agree, and include a link to the privacy policy at the bottom of the page.

• If a contact is from an EU location: Viewers should see a small notice “cookie announcement bar” confirming the use of cookies and a link to the privacy policy at the bottom of the page. Example: “This website makes use of cookies to enhance browsing experience and provide additional functionality” with links.

• If a contact is not from an EU location: Viewers will not see the cookie announcement bar.

6. Create New Contacts Procedures

When you’re caught up with your existing contacts, the next step is to establish new procedures so that you’re set up for GDPR compliance when you obtain new ones.

Here’s a suggested plan if you’re using Infusionsoft:

• Process new contacts as they come in and tag them based on location. Rework signup forms to dynamically change based on geolocation. Basically, you need to check everyone as they visit the page. If they’re from Europe or maybe just outside of the U.S. and Canada, show a different form with more consent options. With this in place, you shouldn’t really need the first, but we encourage you to include it as a failsafe for forms that haven’t been updated or for users with JavaScript issues that prevent it from working.

The bottom line is that data protection regulation like GDPR is all about giving users more control over their personal information, and frankly, it’s overdue. As the landscape continues to change, it’ll be up to businesses and websites to respond and adapt to new requirements. Making sure that you’re in compliance with GDPR will give you a headstart when more legislation starts to roll in.

We at Full Cycle Marketing are here to help you take appropriate action. But the most important thing you can do is stay informed. Take a look at more sources below to ensure you’re doing all you can to prepare for the future.

• AWeber: Your GDPR + Email Marketing Playbook
• Create If Writing: GDPR FAQs
• Mailchimp: Collect Consent with GDPR Forms

Still feeling overwhelmed? We’re here to help. Contact us and schedule a free consultation.