What is GDPR?
GDPR stands for the General Data Protection Regulation, a privacy law from the European Union that goes into effect on May 25, 2018.
Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Pseudonymizing or anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance
Simply put, the GDPR mandates a baseline set of standards for companies that handle the personal data of people in the EU, to better safeguard how that data is processed and moved.
Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate.
Who does the GDPR affect?
The GDPR not only applies to organizations located within the EU but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover or €20 million, whichever is greater, for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts.
There is a tiered approach to fines. For example, a company can be fined up to 2% of annual global turnover (or €10 million) for not keeping its records of processing in order (Article 30), for not notifying the supervisory authority and the data subject about a breach, or for not conducting a data protection impact assessment.
It is important to note that these rules apply to both controllers and processors, so cloud service providers will not be exempt from GDPR enforcement.
What steps should I take to make my AMP or WKG website compliant with GDPR standards?
First, a disclaimer:
The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The contents of this website and the posting and viewing of the information on this website should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. The information presented on this website may not reflect the most current legal developments. No action should be taken in reliance on the information contained on this website and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this site to the fullest extent permitted by law. An attorney should be contacted for advice on specific legal issues.
Suggested Action Steps:
STEP 1 - Create or update your privacy policy & add it to your website
Data protection laws around the world require a Privacy Policy whenever you collect or use personal information from your users, so make sure your website has an up-to-date privacy policy.
A Privacy Policy is where you let your users know:
- What personal information you collect
- How and why you collect it
- How you use it
- How you secure it
- Any third parties with access to it
- If you use cookies
- How users can control aspects of this
Along with the seven standard points above, you must also include the following information in your Privacy Policy to be GDPR-compliant.
Recommended: Ask your lawyer to draft an updated privacy policy.
There are online resources that will generate a privacy policy for free or for a low fee, such as Termsfeed.com or Freeprivacypolicy.com. However, it is still your responsibility to ensure the result protects you from penalties.
STEP 2 - Update your lead generation process so that the EU subscriber can give you clear, unambiguous affirmative consent.
IMPORTANT: When a prospect residing in the EU downloads a lead magnet from you, that does not equate to consent to be added to your general email list! Here are 4 ways to get that consent for being added to the general email list:
Opt-in Page:
- You can add a voluntary checkbox or drop-down menu on your opt-in page. Done correctly, this is clearly consent.
- It must be voluntary and it cannot be the default. You can't force them to agree and you can't have the agreement pre-selected. If you go this route, consider a drop-down menu rather than a checkbox: they then have to choose "Yes" or "No", so they make a deliberate choice and you are not forcing the "Yes." With a "Yes" checkbox, they can easily miss it and skip it altogether (since it can't be pre-checked!).
Sandwich Page:
- Include a one-click page between the opt-in page and the thank-you page that asks them to subscribe. "Hey! One more thing before we finish." It's essentially a sales page for your newsletter. This gives you the chance to sell the benefits of being on your list. They are presented with this option on its own, separate from the lead magnet, so it's compliant.
Delivery Email:
- Deliver the email that gives them the lead magnet as promised. Include language in the email to sell them on joining your list, with a clear call to action. Depending on how your system works, either send them to a separate opt-in page or use click-to-segment to tag the list.
Lead Magnet:
- Add a paragraph at the end of your lead magnet selling them on your list, with a clickable link.
- Clicking through is an affirmative action, and the paragraph also reminds them of the offer if they look back at your lead magnet later.
Source: Amy Porterfield's GDPR Podcast
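The opt-in page pattern above only works if the server treats the consent field strictly: a pre-checked box, a missing field, or a "truthy" value like `on` must never be counted as consent, and a record of what was agreed to should be kept. The following is an added example of that server-side handling, not code from the original page or from the GDPR plugin mentioned later. The form field names (`email`, `newsletter_consent`, `policy_version`), the function name `parseOptInSubmission`, and the shape of the consent record are all assumptions made for illustration.

```javascript
// Added example: interpret an opt-in form submission so that only an explicit,
// affirmative "yes" adds the subscriber to the general email list, while the
// lead magnet is delivered either way. Field names and record layout are assumed.

const CONSENT_FIELD = 'newsletter_consent'; // assumed form field name

// The matching HTML control must not default to "yes". Two acceptable controls
// (shown for reference; this script does not render HTML):
//   <input type="checkbox" name="newsletter_consent" value="yes">      (unchecked)
//   <select name="newsletter_consent">
//     <option value="" selected>Please choose</option>
//     <option value="yes">Yes, add me to the list</option>
//     <option value="no">No thanks</option>
//   </select>

/**
 * Interpret one form submission (values already parsed from the POST body as strings).
 *
 * opts.requireExplicitChoice: true for the drop-down pattern, where an unanswered
 *   field means "show the form again", not "treat as no".
 * opts.now: injectable clock so the consent timestamp can be tested.
 */
function parseOptInSubmission(form, opts = {}) {
  const { requireExplicitChoice = false, now = new Date() } = opts;

  const email = typeof form.email === 'string' ? form.email.trim() : '';
  if (!email) {
    throw new Error('email is required to deliver the lead magnet');
  }

  const raw = typeof form[CONSENT_FIELD] === 'string' ? form[CONSENT_FIELD].trim() : '';

  // Compare against the exact affirmative value. A truthiness check such as
  // `if (form.newsletter_consent)` would count "no", "off" or "on" as consent,
  // which is exactly the mistake this function exists to avoid.
  let choice;
  if (raw === 'yes') {
    choice = 'yes';
  } else if (raw === 'no') {
    choice = 'no';
  } else {
    choice = 'unanswered'; // missing field, "" placeholder, or unexpected junk
  }

  if (requireExplicitChoice && choice === 'unanswered') {
    const err = new Error('please choose Yes or No for the newsletter');
    err.code = 'CONSENT_CHOICE_REQUIRED';
    throw err;
  }

  const consented = choice === 'yes';
  return {
    email,
    deliverLeadMagnet: true,      // the download was requested; always deliver it
    addToGeneralList: consented,  // list subscription happens only on "yes"
    // Keep evidence of what was agreed to, when, and under which policy version,
    // so the consent can be demonstrated later and withdrawn on request.
    consentRecord: consented
      ? {
          purpose: 'general_email_list',
          method: 'opt_in_page',
          policyVersion: typeof form.policy_version === 'string' ? form.policy_version : 'unknown',
          timestamp: now.toISOString(),
        }
      : null,
  };
}

// Stand-alone demo over constructed submissions (not real user data).
function demo() {
  const submissions = [
    { email: 'a@example.com' },                                  // checkbox left blank
    { email: 'b@example.com', newsletter_consent: 'no' },        // explicit no
    { email: 'c@example.com', newsletter_consent: 'on' },        // tampered/junk value
    { email: 'd@example.com', newsletter_consent: 'yes', policy_version: '2018-05' },
  ];
  return submissions.map((s) => parseOptInSubmission(s));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(r.email, 'lead magnet:', r.deliverLeadMagnet, 'list:', r.addToGeneralList);
  }
}
```

Note the limit of this check: if the HTML control is pre-checked, the browser sends `yes` and the server cannot tell the difference, so the markup must stay unselected by default and the server-side rule is a second line of defense, not a substitute. Record the policy version and timestamp at the time of consent rather than looking them up later, since the privacy policy text will change over time.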
STEP 3 - Activate the GDPR plugin on your website.
Follow the step-by-step tutorial in the video below to activate the GDPR plugin.
Activating this plugin doesn't automatically make you compliant.
This plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
Activating this plugin does not guarantee that an organization is meeting its responsibilities and obligations under the GDPR. Organizations should assess their own duties and take whatever additional measures are required by law and by their data protection impact assessment (DPIA).