There’s no doubt that the Internet has dramatically changed the way we communicate and how we handle everyday tasks—we send emails, we share documents, we pay bills and we purchase goods by entering our personal details all online without a second thought.
But have you ever stopped to wonder how much personal data you have shared online, or what companies do with that information? Everything you do online, and we’re talking about banking information, contacts, addresses, social media posts, and even your IP address and the sites that you’ve visited, is stored digitally.
Companies tell you that they collect this type of information so that they can serve you better with more targeted and relevant communications and a better customer experience. But is that true?
GDPR: What is it and who does it affect?
The General Data Protection Regulation, or GDPR, was adopted by the European Union in 2016 and has applied since May 25th 2018. If you’ve never heard of it before, you’re not alone, as one survey found that 80% of businesses know few details or nothing about GDPR.
But you had better study up, because GDPR has permanently changed the way you, as a business, are allowed to collect, store, and use customer data.
And it doesn’t just affect the EU. If you’re in the United States, or run your business from home, the regulation still applies to you, and to businesses of all sizes worldwide. Put simply, if you offer goods or services to people in the EU, or track their behaviour there, you need to follow it.
That could include a customer in the EU purchasing your online course if you are a digital marketer, or a website visitor signing up for your newsletter.
So GDPR applies to any company collecting or storing personal information (any information relating to an identifiable person, such as a name, email address, location details, medical information, or an IP address) about people who are in the EU, regardless of their citizenship and regardless of the continent the company is based on.
Business Implications and Customer Engagement
The ruling will have a real impact on how your business collects and stores personal information and the way you interact with your customers.
There are two major things you need from your customers:
- Consent: the customer must give permission for you to collect, store and use their personal data, and must be told what data you collect, why you are collecting it, and how you intend to use it. Consent has to be freely given, specific, informed and unambiguous, shown by a clear affirmative action, so a pre-ticked box or silence does not count.
- Age restrictions: where you rely on consent for online services offered to a child, you need parental consent for children under 16 (individual member states may lower this to 13), which means you need some way of checking age.
Email Address Collection/Email Marketing
If part of your marketing strategy is to collect emails through online forms on your website, online courses, or your products or services, then you will have to make some changes.
We started this blog talking about the emails you’ve been getting, and this is the crux of the issue: you have to obtain consent separately for each purpose you collect the data for.
This means one check box asks customers whether they want to be added to your mailing list, and a separate check box covers any other purpose you rely on consent for, such as storing their details to send product updates; consent for one purpose cannot be bundled with another. (Data you need to fulfil a purchase is processed to perform that contract and does not need a marketing checkbox, but that does not give you permission to market to the buyer.) Your prospects need to actively ‘opt in’, that is, choose to join a specific email list, before you can start sending them marketing messages.
Also, if you go to networking events and exchange business cards, you cannot add those contacts to a marketing list without their consent to that use.
Essentially, you can no longer assume that you have permission to send mass email campaigns just because you have a person’s email address.
One way to follow the regulation is to use a subscription management tool and to include an unsubscribe or removal link in every communication. A removal request means that if a customer never gave permission, or gave permission but later chooses to opt out, you must stop using their data for that purpose and remove their information from your CRM or database without undue delay, and at the latest within one month. Customers must always be given this option.
If you own a business, then your business most likely has a website, and it’s not unaffected by the regulation either.
Additionally, if you use remarketing ads such as Google Adwords or the Facebook Pixel, you must inform visitors and obtain informed consent before the tag fires, because the pixel sets a cookie as soon as its script loads. The same applies to affiliate links: you can ask for consent on an individual post or in an overlay, but it must be given before the visitor clicks the link, because the affiliate cookie that tracks sales activity is placed on their browser at that click.
For contact and subscription forms, each purpose you want consent for needs its own checkbox; a single catch-all box asking for permission (and certainly a pre-ticked one) is no longer acceptable.
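The following is an added example of how the form, opt-out and cookie points above fit together in code. It is not code from the original post or from any of the platforms mentioned; the purpose names, the tracker URL, the affiliate query parameter and the 30-day removal window are assumptions made for illustration.

```javascript
// Added example (not from the original post): per-purpose consent handling for a
// website form, opt-out with a removal deadline, and consent-gated third-party
// tracking. Purpose names, the tracker URL, the affiliate parameter and the
// 30-day removal window are assumptions for illustration.

const PURPOSES = Object.freeze(['newsletter', 'product_updates', 'tracking']);
const REMOVAL_WINDOW_MS = 30 * 24 * 60 * 60 * 1000; // assumed 30-day removal window

// Build a consent record from a submitted form. Each purpose is its own checkbox;
// only an explicitly ticked box counts (browsers submit "on" for a ticked box), so
// an absent field is "no" and nothing is inferred from one purpose to another.
function buildConsentRecord(fields, now = new Date()) {
  const given = {};
  for (const purpose of PURPOSES) {
    const ticked = fields[purpose] === true || fields[purpose] === 'on';
    given[purpose] = ticked ? now.toISOString() : null;
  }
  return { given, withdrawn: {} };
}

// Check the form markup itself: every purpose needs its own box and none may be
// pre-ticked, because a pre-ticked box is not an affirmative action.
function validateConsentForm(form) {
  const problems = [];
  for (const purpose of PURPOSES) {
    const box = form.checkboxes[purpose];
    if (!box) problems.push(`missing checkbox for ${purpose}`);
    else if (box.checked) problems.push(`${purpose} checkbox is pre-ticked`);
  }
  return problems;
}

// May the data be used for this purpose right now? Only with consent that was
// given and has not since been withdrawn.
function mayUseFor(record, purpose) {
  return Boolean(record.given[purpose]) && !record.withdrawn[purpose];
}

// Opt-out: mark the purpose withdrawn and return the date by which the
// customer's data for that purpose must be gone from the CRM.
function withdrawConsent(record, purpose, now = new Date()) {
  record.withdrawn[purpose] = now.toISOString();
  return new Date(now.getTime() + REMOVAL_WINDOW_MS);
}

// Third-party tags to render into the page. A remarketing pixel sets its cookie
// as soon as the script runs, so it is emitted only after tracking consent.
function trackerTagsFor(record, trackerUrl) {
  return mayUseFor(record, 'tracking') ? [`<script src="${trackerUrl}"></script>`] : [];
}

// Affiliate links: without tracking consent, strip the affiliate parameter so no
// tracking cookie is set on click. The visitor still reaches the merchant.
function affiliateHref(url, record, param = 'ref') {
  const u = new URL(url);
  if (!mayUseFor(record, 'tracking')) u.searchParams.delete(param);
  return u.toString();
}

// Constructed sample submission: the visitor ticked only the newsletter box.
const sample = buildConsentRecord({ newsletter: 'on' }, new Date('2018-05-25T00:00:00Z'));
console.log(mayUseFor(sample, 'newsletter'));                       // true
console.log(trackerTagsFor(sample, 'https://pixel.example/t.js'));  // []
console.log(affiliateHref('https://shop.example/item?ref=aff123', sample));
```

The design point is that consent is stored per purpose with a timestamp, the check for a purpose is a single function every sender and every page template calls, and anything that drops a cookie (pixel script, affiliate parameter) is rendered only after that check passes.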
Social Media Marketing
If you use social media heavily to promote your business, there is some good news for you. Platforms like Facebook and LinkedIn have updated their privacy policies and terms for GDPR. That covers the data they process as a platform; it does not cover data you pull out of them into your own systems.
While this doesn’t mean you should immediately bombard your followers with posts, it does mean that you are covered when you use these platforms as intended.
What Not to Do: You cannot export emails from social media platforms like Facebook and LinkedIn into your CRM. Chrome extensions that guess a business email address from a LinkedIn profile, which you then email from your business account, are non-compliant, because that person never consented to receive marketing from you.
What You Can Do: Continue to use social media to build an engaging and authoritative brand online. You can still create and post engaging content without worrying about compliance. For instance, Facebook posts are compliant because they do not collect personal information from your followers. Paid ads are also compliant, and can be a huge benefit to your social media marketing strategy. To really make the most of social media, I recommend investing time in creating a real community through Facebook groups, events, or other areas where you can engage with your niche community and followers.
Though GDPR might sound confusing, remember that we’re all in this together. Many companies are still grappling with the new regulation and learning what exactly its effect on business in the US will be. In the meantime, your business, no matter its size, must make sure you have the proper systems in place when it comes to collecting, storing, and using your customers’ personal information. If you don’t, there are real consequences you may have to face: for major infringements, a fine of up to 20 million euros or 4% of your worldwide annual turnover, whichever is higher. The EU understands that some companies may not have met the May 25th deadline and regulators are willing to work with those businesses, but they must see that real attempts to move toward compliance have been made to avoid opening an investigation.
In parting, we’ll tell you to follow these steps to help you become compliant:
Things You Should Do to Become GDPR Compliant:
- Audit your Customer Data
- Examine your Consent Process
- Develop a strategy for a data breach
- Define a process on how to handle Customer Information Access Requests
If you’re eager to learn more about how to successfully run a business, then follow Cereal Entrepreneur on our blog, and check us out on Facebook, YouTube, and Instagram for more helpful information daily.