This is probably the most un-sexy blog post I’m ever going to write. It’s important stuff though, so it needs to be said even if just typing the word “compliance” makes me want to run from the room and dive headfirst into a bowl of buttercream.
In case you haven’t heard, the EU is introducing new rules on digital privacy, personal information, and how that information is stored and shared. It’s called the General Data Protection Regulation, or as I like to refer to it, the “good common sense wrapped in a bunch of long words” policy. Businesses have until May 25, 2018 to comply with these regulations, and “businesses” includes those based outside the EU that have EU-based customers.
So if you’re working in our industry and you teach over here, or sell online tutorials there, or have ever had an EU customer, this stuff covers you. Chances are you have collected personal information in the course of those activities: names, email addresses and so on. Because the official pages of the GDPR are really confusing and hard to read, a lot of us are super scared of running afoul of the regulations. They did provide a “Preparing for the GDPR” document but, not surprisingly, it’s not terribly clear about the actual steps you need to take. You’ll need to read all that official stuff for yourself. The gist of it is that, as small business owners, we are the data controllers for our businesses: we decide what personal data is collected and why. As the controllers, there’s some stuff we have to do to make sure we comply.
Here’s how I understood compliance, from the point of view of a small business owner:
- You need to be VERY clear about what people are signing up for. State why you need that info from them. So if you’ve got a mailing list of some kind, at the time of sign-up you need to let people know what they are agreeing to receive and how often they will hear from you. You can add this text to the bottom of your pop-up, or the bottom of your “contact me” page, or just somewhere obvious in every place you gather email addresses. For example: “By signing up here you are agreeing to receive a free ebook, our monthly newsletter, and emails about our products and sales.” Keep a record of when and how each person agreed, so you can show it if anyone ever asks.
- For those of you with online learning options (video classes etc.), it’s important to note that users can ask for their information to be removed from your system entirely. BUT let them know that, along with that request, they will lose access to the online stuff they bought, because to log in to an online class they have to provide info like an email address. Anyone can ask you to remove their information, but it will affect those purchasers most and they need to know that before they ask. One caveat: the right to erasure isn’t absolute, so if you are legally required to keep certain records (sales records for tax purposes, for instance), you can keep just those while deleting everything else.
- Follow the digital info trail. As a business, you really need to be aware of the flow of information: how do you gather data, where do you store it, where does it go once you’re done with it, and so on. If you use any third parties (Dropbox, PayPal, Mailchimp etc.!), all those guys need to be GDPR compliant too, so check their GDPR or data-processing pages and find out what they are doing about it. You need to know how you get info and where you store it so that if people ask for a copy of their info, you can easily provide it, and if they ask you to delete it, you can easily find and remove it everywhere it lives, including those third-party services.
- You can contact all the people currently on your list and ask them to re-opt in. This way you know everyone who is signed up is really there because they want to be there, and you have a fresh record of their consent. Anyone who doesn’t respond should come off the list. Honestly, this kind of list cleaning is something you should do every once in a while anyway. No point in sending emails to people who don’t want them.