If you are steadily gathering leads, adding clients or contacts to your mailing list and are communicating with them in any way, then, as a business owner, you need to know about the EU’s new General Data Protection Regulation, otherwise known as the GDPR. This is a new regulation that goes into effect on May 25, 2018.
The regulation responds to public concern about how organizations handle personal data. The EU has taken a stand to define clearly what can and cannot happen with someone’s personal data.
Many people have a lot of questions (we know it can feel overwhelming). We’ve been researching this extensively for some time and want to support you in making sure your business is compliant.
Here’s an overview of the GDPR and what The Coaches Console is doing to make sure our products will be compliant for you, your business and your customers.
What is GDPR?
GDPR stands for “The General Data Protection Regulation” which is a privacy law from the European Union that goes into effect May 25, 2018. Its goal is to protect the data privacy and security of all EU persons by setting a new data protection standard for business and governments.
GDPR requires data controllers and processors to implement both organizational and technical safeguards to ensure the rights and freedoms of data subjects are not compromised.
If you’re interested in the full GDPR regulation (88 pages) it’s available here.
What Information Does the GDPR Apply to?
Personal Data: The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Sensitive Personal Data: The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). The special categories specifically include genetic data and biometric data where processed to uniquely identify an individual.
What Does the GDPR Do?
The GDPR gives EU persons more rights and protections for their personal data. These include:
- The right to be informed – Companies must provide certain information, like a privacy notice, and be transparent about how personal data is used.
- The right of access – Individuals have the right to ask whether an organization is processing their data and to receive an answer.
- The right to rectify – If a person’s data is incorrect or incomplete, he or she has the right to have it corrected.
- The right to be forgotten – A person may request the removal of his or her personal data.
- The right to restrict processing – Under certain circumstances an individual can block the processing of his or her personal data.
- The right to data portability – A person can obtain a copy of their data for their own use.
- The right to object – A person can object to the use of their personal data for most purposes.
Your Role in the GDPR
There are basic definitions you need to be aware of:
Data Controller: “the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data”.
So the determining factor here is control, rather than possession. In plain English, the data controller is the person (or organization) that decides why and how personal data is processed. They control the data but don’t necessarily store or process it, although they are responsible for how it’s used, stored and deleted. YOU are a Data Controller for the clients and contacts on your mailing list.
Data Processor: the “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
This could include something as simple as storing the data on a third party’s server, but it also includes, for example, payroll companies, accountants and market research businesses. The Coaches Console is one of your Data Processors. Other common Data Processors used by entrepreneurs include Aweber, Constant Contact and Infusionsoft, to name a few.
As a Data Controller, you must:
- Comply with data laws regarding the fair and lawful processing of personal data for specific and legitimate purposes.
- Protect personal data against compromise or loss through implementing technical and organizational measures.
- Have a contract with your Data Processors that requires them to act only on your instructions and to comply with data protection laws – the GDPR.
The 6 Data Protection Principles
Data shall be processed “lawfully, fairly and in a transparent manner.”
Data shall be “collected for specified, explicit and legitimate purposes.”
You should only collect data for specific purposes and keep it only for as long as necessary to complete that purpose. And you must acquire explicit consent from the person before they submit their personal data.
Data processing shall be “limited to what is necessary” for the purpose.
You must only process the personal data you need to achieve the purpose for which it is being processed. You can’t collect all kinds of data on a person if all you need is their email address (like for a lead magnet). You can then only use this data for its intended purpose.
Data shall be accurate, kept up to date and corrected.
The accuracy of your data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
Data shall be kept so it identifies a person “no longer than is necessary.”
It’s simple – you need to delete personal data when it’s no longer necessary.
Data shall be “processed in a manner that ensures appropriate security.”
This is the only principle that deals explicitly with security. Best practices should be in place to protect and/or encrypt personal data wherever possible. You have to take reasonable actions to protect the data (for example, using SSL certificates so data is encrypted in transit, and protecting accounts with usernames and passwords).
Some of the Ways GDPR Impacts Your Business
You may need to change the way you collect email addresses from potential leads in your online marketing.
The only lawful basis for adding someone to your email list under the GDPR would be consent (but this isn’t anything new to the way you do business… hopefully!). The GDPR requires that consent be freely given, specific, explicit and unambiguous.
This means you can’t automatically add everyone who opts in to one of your lead magnets to your general marketing list to send emails related to other topics. You must get separate consent to add them to different segments of your list.
Ultimately, to be added to your email list, a prospect must specifically and affirmatively agree to be added to your list.
When you offer a lead magnet, for example, in addition to someone requesting that lead magnet, they must ALSO consent to be added to your mailing list within the funnel (on a Thank You Page, within a follow-up email, or as part of a Double Opt-In process).