Disclaimer: The contents of this web page do not constitute legal advice. This page is for informational purposes only, and we strongly encourage you to seek independent legal counsel to understand how your organization needs to comply with the GDPR (we even recommend a lawyer at the end of this article).

If you’re at all involved in marketing, subscribe to apps or software programs you have no doubt been exposed to information referring to the GDPR. A heightened awareness of online privacy with the recent congressional hearings with Mark Zuckerberg, have contributed to the focus on this new set of privacy laws that are being implemented at the end of the month.

What many people aren’t aware of, is because the laws refer to individuals in the European Union (EU), they don’t think it applies to them if they’re located outside of that jurisdiction. In fact, these laws apply to any business that processes data from individuals in the EU, regardless of where that business is located.

To help you prepare, we’ve compiled this handy resource guide that presents the information we’ve compiled about the GDPR and new Facebook policies and how it affects businesses that market online, particularly on Facebook. We still recommend seeking legal counsel to ensure you’re business complies with the GDPR regulations.

Oil is no longer the most valuable commodity, data is. - The Economist

We’ve broken it down into five main areas:

1. What is it?
2. Key definitions
3. How it affects your marketing
4. Steps to prepare
5. Resources, Tools & Common Questions

What is it?

The General Data Protection Regulation (GDPR) is a new set of data requirements that have been implemented to give consumers more control over the information they provide online.

The GDPR will come into effect on May 25 and businesses that will be affected, have until that date to comply with the new regulations.

The regulation states, data shall be processed “lawfully, fairly, and in a transparent manner.”

The laws have come about because trying to process different privacy laws across 28 different jurisdictions was difficult and expensive. Bringing them all under the one umbrella makes it easier for everyone and sets a new standard for online privacy around the world.

There are 9 key points to the GDPR. The terminology is taken directly from the European Commission.

1.Communication: Use plain language. Tell them who you are when you request the data. Say why you are processing their data, how long it will be stored and who receives it.

2. Consent: Get their clear consent to process the data.

3. Access & portability: Let people access their data and give it to another company.

4. Warnings: inform people if there has been a breach.

5. Erase data: Give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.

6.Profiling: If you use profiling to process applications for legally-binding agreements like loans you must:

• Inform your customers;
• Make sure you have a person, not a machine, checking the process
• If the application ends in a refusal;
• Offer the applicant the right to contest the decision.

7. Marketing: Give people the right to opt out of direct marketing that uses their data.

8. Extra safeguards: Use extra safeguards for information on health, race, sexual orientation,
religion and political beliefs.

9. Data transfer outside the EU: Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.

Definitions

There are some key terms we’ll refer to throughout this article so before you get too confused as to what each means, here is a handy glossary on each.

‘Data Controllers’

They determine the purpose for which data is processed. They are generally the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling right to access, etc.

For most businesses, YOU are the Data Controller as you initiate the first contact with the customer to gather details from them to be able to be stored and processed elsewhere.

‘Data Processors’

These companies process the data on behalf of the data controller. These might be software programs such as Mailchimp or ActiveCampaign. Payment processors like Stripe or course delivery programs like Kajabi.

Data Processors are also subject to the new GDPR regulations to ensure they are processing data appropriately. It is also the Data Controller’s responsibility to use programs and apps that are GDPR compliant.

EG – You collect email address to be able to send a free download to users and send relevant communication afterward. Your company uses an email service provider (eg Mailchimp, Infusionsoft or ActiveCampaign) to send the relevant download and ongoing communication. In this case, your company is the Data Controller, the email service provider is the Data Processor.

‘Legitimate Interest’

This refers to whether the individual would reasonably expect their data to be processed at the time and context when it is collected and to be honest, it’s still a pretty big grey area that a lot of people are getting their head around.

EG – If you offered a free download via email about ‘sales funnels’ for instance There are often follow up emails regarding this topic that explore it further and adds to the value of the initial download. These emails would come under Legitimate Interest. BUT if you were to then email those same people about dog training for instance, then the individual would be right to question whether they have had their data processed according to their expectations.

It’s obviously a delicate balance between company’s interest and the right of the individual. If there is a relevant and appropriate relationship and there must be minimal privacy impact meaning processing must be necessary. If you can reasonably achieve the same result in another less intrusive way – then you can’t rely on Legitimate Interest.

If you decide to rely on Legitimate Interest, you assume the risk when you take that action.

How it impacts your marketing

I’m going to focus on two key topics that I know most people will be processing data of users – on your website and your Facebook advertising.

Your website

Basically, to make your website GDPR compliant, it boils down to making sure you’re transparent with people. Let them know what you’re doing, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.

Examples of data processed on your website:

• Personal data via forms, registrations, comments and payments.
• Online identifiers that track users without them knowing such as Google analytics and the Facebook pixel.

When you process personal data via forms or registrations, your #1 goal is to take nothing by default and honestly, ask for the bare minimum of information when you do get explicit permission.

There is no more asking for info “just in case” or “for future, undetermined projects.” You need to be transparent about WHY you’re asking for the details they’re submitting. For example:

• If you’re asking for their first and last name, tell them why.
• If you ask their birthdays, make it clear that you send out coupons as birthday gifts
• If you have a field for phone numbers, have a blurb that says “We ask for your phone number so our team can expedite the process to confirm the information you’re looking for.”

You must give them the option of explicitly choosing to share their information with you. You can no longer have tick boxes pre-ticked [x] by default to force them to ‘sign up for our awesome newsletter’. If you’re only giving them the chance to opt-out before they have opted-in, you’re at fault. They must say explicitly choose to share their information with you.

Facebook Advertising

If you use the Facebook pixel on your website, you need to be transparent about that to your browsers and what data you are tracking. See above for information about website transparency.

Facebook terms of use outline that to use Data Custom Audiences, that is, upload your own data to a custom audience to advertise to – then you must have permission from them. Under the new GDPR regulations, if a person chooses they no longer want you to store their data then you no longer have permission to include them in any existing Data Custom Audiences that they are part of.

This means you need to have a process in place to sync or manually remove those people from the data custom audiences when they ask to be removed from your existing list (we’ll talk about that shortly)

Steps to prepare for it

1.Update your Privacy Policy on your website

If you have European Union users browsers your website, regardless of where your business is based, then your privacy policy needs to comply with the GDPR.

Adding your privacy policy to your website is such a simple step and it’s a smart business move.

A screenshot of our new privacy policy

This article from Elegant Themes includes 3 key areas your Privacy Policy should cover. These are also key points to comply with the GDPR.

1. How and What Type of Information You Collect – This clause is the bread and butter of privacy policies. It details the exact information you collect, and how. You need to mention if you collect personal data and data that the user might not be aware of such as tracking script from Google Analytics and the Facebook pixel.
2. What You Do With the Information You Collect – As the Data Controller, it’s your responsibility to ensure that data is processed by Data Processors that comply with the GDPR, as well as taking steps to store data securely.
3. Your Use of Cookies – Cookies are files on your computer that contain personal settings for specific websites. Websites use cookies to track what you do within them. For example, cookies enable you to stay logged in even if you leave the website or track behaviours such as browsing and purchasing on websites. Sites need to inform visitors about their use of cookies and provide an option to disable them.

Tools to use:

1. iubenda: A module-based privacy policy generator that supports dozens of third-party services. I got the $27 per year option to include Facebook pixel and other regular services I use.
2. TermsFeed: This simple service enables you to create a basic policy through a questionnaire. It cost approximately $112 by the time I added all the relevant additional sections and services I use.
3. Shopify’s Privacy Policy Generator: This generator is tailor-made for Shopify stores.
4. Cookie Bot: Provides several choices for the user to decide which data they would like you to process

2. Install a Cookie notice on your site

If you use cookies to track users, you need to be transparent with this to give them the opportunity to opt-out before they are implemented.

If you use the Facebook Pixel, you are also required under Facebook’s new terms to provide a notice that you use the pixel.

Given that most tracking scripts and cookies load as soon as the browser visits your site, GDPR requires you to implement steps to get permission from them first. Facebook does not require you to prevent the pixel from loading before tracking, just to notify them of the fact.

The Cookie notice on our site

Using a service such as iubenda solves both regulations by allowing you to install a notice that prevents scripts from loading, until the user wishes to progress. The browser’s agreement is implied when they perform actions such as remove the notice, continue scrolling or browsing the website. Once this occurs, iubenda allows the tracking scripts to then load appropriately.

The cookie policy on our site

3. Sync Data Custom Audiences

As part of customer’s ‘right to be forgotten’, if you market to or use Lookalike audiences using Facebook’s data custom audiences, you need to make sure that the data on Facebook matches the permission of the user’s on your existing system.

This means, that each time someone unsubscribes or asked to be removed, you should remove them from that corresponding data custom audience.

For some people, this manual task could get very laborious VERY quickly. So here are a few solutions to automate the process for you:

– Mailchimp: Mailchimp is the only email service provider that has a direct connection to Facebook Data Custom Audiences. When you go to setup a new data custom audience, choose the ‘Import from Mailchimp’ option to login to your account and choose the list you want to sync.
– ActiveCampaign: ActiveCampaign have recently introduced a solution that allows you to sync your lists and update contacts that trigger certain behaviours. A more robust solution, this allows you to use some advanced tactics – all while resting assured you’re complying with the GDPR.
– ConnectAudience – Connect.io have built their own solution from the ground up that allows you to integrate with over 50 other CRM solutions. They automatically update contacts on your CRM to match them to your data custom audiences for you.

4. Check if you need fresh consent BEFORE May 25

This is probably the most urgent step out of the four we have mentioned. This applies to existing databases and customer information you are storing. It’s one of the most common questions people have had in the lead up to the implementation of the GDPR on May 25.

Because GDPR has a higher level of consent required, it’s likely that information you have processed for existing users was not at a level that complies with the GDPR. If this is the case, and you’re planning on still communicating with them, then you need to contact them before May 25 to request their permission to the new levels required.

If your business is inside the EU, you need to get fresh consent from people you have identified that didn’t give you their data under GDPR standards. If your business is outside the EU, you only need to get consent from people inside the EU that haven’t met the same standards.

Obviously, with current email open and click rates, this means that you might lose some users from your existing list. That’s an ok thing! If they don’t want to hear from you, you shouldn’t keep emailing them and they’re bringing down the overall health of your list. So at the end of the day, it might be a good way to reconnect with people and to say goodbye to others.

Tools, Resources & Common Questions

I certainly won’t cover all questions or resources here and I still recommend you receive legal counsel (see below) to cover all bases for your company, but here are some places to find more information.

Resources

• Official legal counsel advice from an actual lawyer (not a marketer). We recommend Pod Legal – podlegal.com.au
• European Union infographic summary of the GDPR 
• Official Facebook Resources and pages about GDPR
  • Product terms 
  • Privacy Principles 
  • GDPR Resources
• Office of Australia Information Comissioner, information regarding the GDPR (pdf) 
• GDPR for online entrepreneurs Facebook Group – this group from Suzanne Dibble has been such a gift. There are nearly 20,000 people in there asking questions just like you and me. She also has a paid solution and checklist if you want to cover all bases.
• Podcast episodes – I’ve listened to the below episodes that have bought some more clarification to common questions:
  • Amy Porterfield with Bobby Klinck 
  • Chris Ducker with Suzanne Dibble 
  • Rick Mulready with Suzanne Dibble 

Tools

Websites to help you create and install a privacy and cookie policy

1. iubenda: A module-based privacy policy generator that supports dozens of third-party services. I got the $27 per year option to include Facebook pixel and other regular services I use.
2. TermsFeed: This simple service enables you to create a basic policy through a questionnaire. It cost approximately $112 by the time I added all the relevant additional sections and services I use.
3. Shopify’s Privacy Policy Generator: This generator is tailor-made for Shopify stores.
4. Cookie Bot: Provides several choices for the user to decide which data they would like you to process

Commonly Asked Questions

Does it apply to people in the UK as well?

Yes. Even though Brexit happened in 2016, the UK is technically still part of the European Union till March 2019. By this date though, they will have a policy that mirrors the GDPR implemented when they leave the EU.

What are the penalties for not abiding by it?

There has been plenty of coverage about the $20 Million Euro fine for not complying with the GDPR. It makes a good headline, but there are plenty of steps before then. If your company is found not to comply with the GDPR, this is the penalty process:

1. Warning
2. Reprimand
3. Suspension of ability to collect data
4. Fines of $20M Euro or 4% of global revenue – whichever is higher

So it’s likely that most businesses will get the hint after 1 or 2 warnings and reprimand, but should it come to that point, there are some serious fines in place.

What is the likelihood of me being caught?

We certainly won’t speculate and we won’t give advice to not do abide by it. Rather, we’ll give you the information to make an educated decision. For starters, there aren’t necessarily a GDPR police force roaming the internet to check if people abide by the regulations. Most of the investigations will come as part of people reporting businesses.

This is the key to the GDPR, giving the consumer more control over their online data. It’s not only the law that has the power, but it’s the customers

When there is such a focus on personal data and protecting personal data...it’s actually a competitive advantage over those that don’t care and stick their head in the sand - Suzanne Dibble

The more savvy people get, the more questions they’re going to ask. So you not only have a duty to protect the data of the individuals, but also a duty to your business to potentially gain a competitive edge over your competitors and reduce the risk of them leaving you for more secure, private and respectful businesses.

Does it apply to me if majority of my customers are outside EU?

Yes. But there are two parts to this answer.

• What the law says: It applies if you’re processing the record of anyone in the EU
• What’s the commercial risk: Practically, there is no GDPR police checking every single website. They will generally be notified by complaints from the general public or sneaky competitors.

Can people choose not to see ads from my business on Facebook and Instagram?

As part of Facebook’s new product terms, they have introduced a setting that allows users to be removed from any custom audiences that they are currently part of. Similar to clearing your cache on your browser, it will force the user to remove any existing cookies or data stored in their browser.

BUT this doesn’t meant that the user will not see any ads on Facebook. It just means that they won’t be useful or relevant to them as they were before they removed their data.

I’m sure (in fact I’m positive) I’ve missed something. So feel free to leave a comment, email me or send me a message on Facebook here to let me know. If I need to updated information, I’ll put a notification about any edits at the end of the post.