A clear guide to complying with GDPR consent
With GDPR coming into effect in May, we’re seeing the biggest change to privacy law since the 1990s, when the current rules were written.
A lot has changed since then, including the digital revolution, so here’s how the change in data protection law affects bloggers and entrepreneurs, and what you need to do to make sure you’re treating personal data the right way.
If you take nothing else away, GDPR is about being open, honest and safe with personal data. Read on to find out more.
Sounds like serious stuff, but why should I care?
GDPR is about protecting people’s personal data. That’s email addresses, names, telephone numbers, IP addresses, even photos and social media updates! Personal data is any information relating to a living person who can be identified from it, either directly or when it’s combined with other information you hold. It doesn’t matter whether the person minds: if it points at them, it’s personal data.
If you collect, store or use any form of personal data, you need to know what you hold, why you hold it and on what lawful basis, and you’ll need to add new processes to make sure you stay compliant.
How long do I have?
You have until 25th May 2018 to get your data and processes in order, to make sure you’re complying with GDPR.
But we’re going through Brexit, are you sure I have to comply?
The quick answer here is yes. You do need to comply. The government has confirmed that Brexit will not affect the GDPR start date in the UK: GDPR applies directly while the UK is in the EU, and the UK’s own Data Protection Act 2018 writes the same rules into domestic law so they carry on afterwards. If you want to get into semantics, the UK will have its own law that mirrors GDPR… here’s hoping they call it something catchy.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s an EU law but will be applicable in the UK both during and post Brexit.
Consent isn’t the only lawful basis for handling personal data, but for marketing emails it’s the one most bloggers will rely on, so that’s what this post covers. Here’s a quick bulleted summary of what the GDPR changes to consent are, with what they mean for you below:
- People must actively consent before you send them marketing, by whatever channel
- Consent must be freely given: marketing consent can’t be the price of a download or a discount
- People must be able to withdraw consent at any time, as easily as they gave it
- You need to be able to show when and where each person consented, and what they consented to
- Personal data has a shelf life: keep it only as long as you need it for the purpose you collected it for
What do these changes in GDPR mean for my blog/website?
1. People must actively consent before you send them marketing, by whatever channel
This means bye-bye to auto opt-ins. No more pre-ticked boxes on sign-up forms, no “untick to opt out”, and no sneaky sign-ups of people who comment on your blog. Silence and inactivity don’t count as consent. No.
When people are signing up to receive updates from you, give them a clear, unticked box to tick that says something along the lines of “Yes, I want to receive emails from you about X, Y, Z”. If you do not CLEARLY, EXPLICITLY and in PLAIN LANGUAGE state who you are and what you’re going to do with that data?
You’re not compliant. And if you’ll use the data for more than one thing (a newsletter and product offers, say), ask for each separately rather than bundling them into one tick.
Once they’ve ticked the box, send them a confirmation email where they need to take a positive action (clicking a link) to confirm their subscription or preferences. GDPR doesn’t spell out double opt-in, but it’s the practical way to prove that the person who owns the address actually consented, and it makes sure nobody can accidentally (or maliciously) add somebody else to your email distribution lists or contact lists against their will.
This also applies to every list you already have. If the people on it didn’t explicitly opt in to your marketing emails, or you can’t show that they did, you won’t be able to contact them after May. Call it a data detox if you will.
By May, you’ll need to make sure that anybody who receives a marketing email from you has explicitly opted in to keep on receiving emails from you, and that you have a record of it.
2. Consent must be freely given: marketing consent can’t be the price of a download or a discount
Quite a lot of bloggers and entrepreneurs currently lure in new email sign-ups with gated content, that is, something they can only access if they hand over their data.
Sign up to receive this download…
Get an exclusive 10% off when you sign up…
Under the new law, consent that’s a condition of getting something else isn’t freely given. You can still offer a download or a discount, but you can’t bundle “and send me marketing forever” into the same tick: the email address they give you to receive the download is for delivering the download, and the marketing opt-in has to be a separate, unticked choice they can say no to and still get what they came for.
There must be no win/lose scenario. Just think… if you can liken what you’re doing to the child-catcher with his lollipops in Chitty Chitty Bang Bang… you’re doing it wrong *shudder*.
3. People must be able to withdraw consent at any time, as easily as they gave it
As well as making sure that unsubscribe links are clearly visible in every email you send, people need to be able to withdraw consent for any channel you contact them on, at any time, and it has to be as easy as signing up was: one click, no logging in, no “email us and we’ll think about it”. Act on it promptly and keep a note that they withdrew, so you don’t mail them again.
4. You need to be able to show when and where each person consented, and what they consented to
This one is a toughie. You’ll need to be able to account for EVERYBODY you contact from May onwards and show how they consented (and what they consented to).
That means storing, against each contact, where they signed up (which form, on which site), when they signed up, the wording they were shown and what they ticked. There needs to be a chain of evidence showing that they explicitly signed up to receive updates from you.
Of course, with number 3 in mind, the same record needs to capture when they withdraw their consent too.
5. Personal data has a shelf life: keep it only as long as you need it
GDPR doesn’t set a fixed number of years. What it says is that you can keep personal data only for as long as you need it for the purpose you collected it for, and you have to be able to say how long that is. Pick a retention period, write it into your privacy notice and stick to it. If you’re still sitting on sign-ups from years ago who have never opened anything? They probably need to go. Some email providers already purge old engagement data automatically, so if you’ve exported any of that data somewhere else (a spreadsheet, a CRM), you need to make sure it’s gone there too.
Don’t be that weirdo that they haven’t heard from in ages. If in doubt, don’t use it.
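Putting changes 1 to 5 together as code, here is an added example (it is not part of the original post and not any mail provider’s code): a small in-memory consent register in Python with double opt-in, withdrawal, a consent evidence record, a right-to-erasure delete and a retention purge. The class and method names, the 48-hour confirmation link lifetime and the 730-day retention period are hypothetical choices made for the example, not figures from GDPR.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Assumed policy values for this example (not figures from the regulation or the post).
CONFIRM_TOKEN_TTL = timedelta(hours=48)  # how long a confirmation link stays valid
RETENTION_IDLE = timedelta(days=730)     # purge records with no activity for this long


@dataclass
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]       # what they consented to, e.g. ("newsletter",)
    source: str                     # where they consented, e.g. "blog sidebar form"
    consent_text: str               # the exact wording beside the box they ticked
    requested_at: datetime          # when the box was ticked
    confirmed_at: Optional[datetime] = None   # when they clicked the confirmation link
    withdrawn_at: Optional[datetime] = None   # when they unsubscribed
    last_activity_at: Optional[datetime] = None


def _token_hash(token: str) -> str:
    # Only a hash of the confirmation token is stored, so a leaked register
    # cannot be used to confirm subscriptions nobody asked for.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ConsentRegister:
    """Hypothetical in-memory consent ledger; a real one would be a database table."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        self._pending: Dict[str, Tuple[str, datetime]] = {}  # token hash -> (email, issued)

    @staticmethod
    def _key(email: str) -> str:
        return email.strip().lower()

    def request(self, email: str, purposes: Iterable[str], source: str,
                consent_text: str, now: datetime) -> str:
        """Change 1, step 1: an unticked box was ticked. Store a *pending* record and
        return the single-use token for the confirmation email. Nothing is mailed yet."""
        key = self._key(email)
        self._records[key] = ConsentRecord(key, tuple(purposes), source, consent_text,
                                           requested_at=now, last_activity_at=now)
        token = secrets.token_urlsafe(32)
        self._pending[_token_hash(token)] = (key, now)
        return token

    def confirm(self, token: str, now: datetime) -> bool:
        """Change 1, step 2: the positive action in the email. The token is single-use
        and expires, so a guessed or stale link cannot subscribe anyone."""
        entry = self._pending.pop(_token_hash(token), None)
        if entry is None:
            return False
        key, issued_at = entry
        rec = self._records.get(key)
        if rec is None or now - issued_at > CONFIRM_TOKEN_TTL:
            return False
        rec.confirmed_at = rec.last_activity_at = now
        return True

    def withdraw(self, email: str, now: datetime) -> bool:
        """Change 3: withdrawal is a flag rather than a deletion, so the address stays
        suppressed instead of being silently re-imported from an old export."""
        rec = self._records.get(self._key(email))
        if rec is None:
            return False
        rec.withdrawn_at = rec.last_activity_at = now
        return True

    def may_email(self, email: str, purpose: str) -> bool:
        """The gate every send goes through: confirmed, not withdrawn, and this purpose."""
        rec = self._records.get(self._key(email))
        return (rec is not None and rec.confirmed_at is not None
                and rec.withdrawn_at is None and purpose in rec.purposes)

    def evidence(self, email: str) -> Optional[dict]:
        """Change 4: when, where and to what they consented, ready for a subject
        access request or a regulator's question."""
        rec = self._records.get(self._key(email))
        return None if rec is None else {
            "email": rec.email, "purposes": list(rec.purposes), "source": rec.source,
            "consent_text": rec.consent_text, "requested_at": rec.requested_at,
            "confirmed_at": rec.confirmed_at, "withdrawn_at": rec.withdrawn_at,
        }

    def erase(self, email: str) -> bool:
        """Right to erasure ('right to be forgotten'): remove the record and any
        outstanding confirmation token for that address."""
        key = self._key(email)
        self._pending = {h: v for h, v in self._pending.items() if v[0] != key}
        return self._records.pop(key, None) is not None

    def purge(self, now: datetime) -> int:
        """Change 5: drop expired tokens, requests never confirmed within the link
        lifetime, and any record idle beyond the retention policy. Returns count removed."""
        self._pending = {h: v for h, v in self._pending.items()
                         if now - v[1] <= CONFIRM_TOKEN_TTL}
        stale = [k for k, r in self._records.items()
                 if (r.confirmed_at is None and now - r.requested_at > CONFIRM_TOKEN_TTL)
                 or now - r.last_activity_at > RETENTION_IDLE]
        for k in stale:
            del self._records[k]
        return len(stale)
```

The point of the split between `request` and `confirm` is that ticking the box alone never puts anyone on the list: the address is only usable once someone holding the mailbox clicks the link, and `may_email` is the single check a sending script should call before every send so that a withdrawal takes effect everywhere at once.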
Other changes to be aware of…
As well as the changes to consent, there are also changes to how you process data that I’d suggest knowing more about:
- Keep all personal data you hold secure: encryption, strong passwords and two-factor authentication on the accounts that hold it, and access only for the people who need it
- Work out a way to honour the ‘right to be forgotten’ (the right to erasure): removing someone’s data entirely, from every place you’ve copied it to, when they ask
- This doesn’t affect process-based emails such as order confirmations, which you can send without marketing consent. But if you slip marketing messages into them, they become marketing emails and need the same consent as everything else
If you’ve found this useful, please make sure you share it and pop a comment below (don’t worry, I won’t store your email address).
The GDPR deadline is 25 May 2018
More info: Official EUGDPR website.