Had Enough of GDPR Yet?
Or maybe you haven't heard what this GDPR fuss is all about?
Here's a really good definition from MailChimp.
If you want to go deeper, here's a direct link to ICO's website (Information Commissioner's Office). There's also a list of 12 Steps to prepare for the GDPR.
After three weeks of intense GDPR research and information overload, and after chatting on Skype, not once but TWICE, with the very helpful James (Jim) Chiodo, a Certified Information Privacy Professional AND owner of Disclaimer Template™ (I asked him TONS of questions, which he very patiently answered), I'm finally GDPR ready.
In this Blog and YouTube tutorial I'm sharing with you the exact (four) steps I took to be GDPR compliant. I wanted to keep it simple and (hopefully) succeeded. I also wanted to provide you with the same resources and links I found helpful, easy to follow and understand.
Disclaimer: I am not a legal professional or lawyer. The information I'm sharing is not intended to be a substitute for legal advice and should not be relied upon as such.
And here's the written version, to make it easier for you to follow the steps. Make sure to take it one step at a time. A little bit every day. I promise you, it's not as hard as it looks. You can do this. 👊
Okay, let's get STARTED...
Step 1
Find out if you're affected
Before you do anything, find out if you and your business are affected by the GDPR. Here is a free GDPR checklist from Suzanne Dibble, Small Business Law Expert™ and Data Protection Lawyer.
IF you collect email addresses FROM your website via opt-ins and Freebies, chances are, people who live in the European Union have signed up (without you even knowing). Because you're offering them your Freebies and emails, you'll most likely have to comply with the new data protection regulation, even if your business is based outside the EU.
So, check the GDPR checklist to stop the guessing game.
Step 2
Renew, update or write your Privacy Notice and Terms & Conditions
First of all, why Privacy Notice as opposed to Privacy Policy? A privacy POLICY is an INTERNALLY focused document: the rules your business follows when handling personal data. A privacy NOTICE is EXTERNALLY focused: it informs your customers, website visitors and subscribers what your business does with their personal information.
Before I even knew what I was doing (or supposed to be doing), I bought a package including a new Privacy Notice. But it wasn't the right one. Not for me anyway. It was just too complicated to implement. Too much legal jargon. And all of my questions were ignored.
So, I kept searching...
And came across a much more readable and implementable GDPR package from Disclaimer Template™.
The package even included the Terms & Conditions AND a website disclaimer, both of which I've been meaning to update, but never got around to doing. PLUS, I could also use it for my brick & mortar (local) business over here in Oz. #BONUS. It was perfect!
So, that GDPR package was from Disclaimer Template™. I contacted the owner, James (Jim) Chiodo, a Certified Information Privacy Professional. We had a Skype call and he answered all my questions.
I felt like I hit the (GDPR expert) jackpot with this package.
The reason why I was so picky about my legal templates was because I wanted it to be easy to implement and the language to be understandable to anyone. Including me. Especially since it's all about data protection. It was too important to me to settle for second best.
So, even though I "wasted" my money on the first package (before I came across Disclaimer Template™), it brought me to James Chiodo, a Privacy Professional. And that can only be a good thing. Because, hands down, after all my research, his GDPR-package is the best package out there to get you GDPR ready.
Bonus Tip:
James also pointed out to me that the Privacy Notice and Terms & Conditions need to be made visible above the fold of your website. Otherwise, it'll leave you with little or no legal protection. This was totally new to me. Click here to learn what that's all about.
Step 3
Get "positive, genuine and freely given" consent from new subscribers
After going through every option inside Squarespace, from opt-in form to newsletter sign-up form to marketing pop-up, I realised Squarespace hasn't made its forms GDPR friendly just yet. Either the tick-box is missing, or I can't link my Privacy Notice and Terms & Conditions right at the "point of sign-up", which the GDPR rules on consent require me to do.
So, until Squarespace gets that sorted, I'm back to using MailChimp forms. Thankfully, MailChimp has made that process as easy as possible for us with their GDPR-friendly forms. And they’re explaining everything step-by-step right here.
The set-up below is inspired by MailChimp Guru Robin Adams. I joined his Facebook group, MailChimp and GDPR. And I'm SO glad I did. (If you're using MailChimp, make sure to join his group.)
Edit (2020): Robin's main hangout is now his Facebook Group Mailchimp Answers (the GDPR frenzy has died down since I wrote this Blog and people are compliant at this stage).
Below I'll also show you how to automatically bring your people back to your site after they sign up on your MailChimp form. So, nothing's lost. ;) But we'll get to that later.
According to the new law, to receive "freely given consent" from your new subscribers, there needs to be a check-box along with GDPR compliant copy with every opt-in (Freebie or Newsletter) explaining explicitly what your subscribers are signing up for and that they can unsubscribe at any time. Plus, that checkbox cannot be pre-ticked, and ticking it cannot be made a condition of receiving the Freebie (consent to marketing emails must not be a precondition of the service).
If your platform doesn't have a checkbox feature for opt-ins or pop-ups, enable double opt-in. It confirms that the address really belongs to the subscriber and gives you a timestamped record of the sign-up, but it is not a substitute for an un-ticked, clearly worded checkbox, so on its own it may not be sufficient. The checkbox option is always preferable. But who knows, the new law MAY evolve into something a liiittle more online-biz user-friendly. ;)
Here's the link to what the ICO says at a glance.
The bits that jumped out at me are...
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
Avoid making consent to processing a precondition of a service.
Be clear and concise.
I liked the last one. With all the information needed to create a GDPR compliant consent form, it was a bit of a challenge to keep it "concise". But I gave it my best shot in my new MailChimp opt-in form. (It's Privacy-Professional-Approved. ;)
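The consent rules above (a positive opt-in, no pre-ticked box, consent that is not a precondition of getting the Freebie, and evidence of who consented, when, how and to what wording) are easy to get wrong on the server side even when the form itself looks right. Here is an added example, not code from this Blog, MailChimp or Squarespace, of how a developer would model those rules in plain Python. It assumes a hypothetical form handler that receives the submitted fields as a dict and keeps records in an in-memory list; the names (process_signup, withdraw_consent, ConsentRecord, CONSENT_COPY_V1) are invented for the example, and the sample sign-ups are constructed.

```python
"""Consent recording for a mailing-list sign-up (added example, not the post's code).

Assumptions (hypothetical): form fields arrive as a dict the way a browser posts
them (a ticked checkbox sends "on", an unticked one sends nothing), the exact
consent wording shown to the visitor is available as a string, and records are
kept in an in-memory list instead of a database.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The wording shown next to the checkbox. Hashing it lets you prove later
# exactly what people were told, even after the copy has been edited.
CONSENT_COPY_V1 = (
    "Yes, send me the newsletter. I can unsubscribe at any time. "
    "See the Privacy Notice for how my data is used."
)


def copy_fingerprint(text: str) -> str:
    """SHA-256 of the consent wording: 'what you told people'."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    email: str                  # who
    recorded_at: str            # when (UTC, ISO 8601)
    source: str                 # how (which form / page)
    copy_hash: str              # what they were told
    marketing_consent: bool     # the positive opt-in, as actually submitted
    freebie: Optional[str]      # which Freebie was requested, if any
    withdrawn_at: Optional[str] = None


@dataclass
class SignupResult:
    deliver_freebie: bool
    marketing_consent: bool
    record: ConsentRecord


CONSENT_LOG: list[ConsentRecord] = []   # stand-in for a persistent store


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def process_signup(form: dict, source: str,
                   consent_copy: str = CONSENT_COPY_V1) -> SignupResult:
    """Apply the consent rules to one submitted form.

    - Only an explicit, affirmative checkbox value counts as consent. A missing
      field (unticked box, old client, tampered request) is treated as "no".
    - The Freebie is delivered whether or not the box was ticked, so consent
      is never a precondition of the service.
    - Every decision is logged with who / when / how / what they were told.
    """
    email = form.get("email", "").strip().lower()
    if not email or "@" not in email:
        raise ValueError("a valid email address is required")

    # Never default to True here: that would be a server-side "pre-ticked box".
    ticked = form.get("marketing_consent") in ("on", "true", "1", "yes")

    record = ConsentRecord(
        email=email,
        recorded_at=_now(),
        source=source,
        copy_hash=copy_fingerprint(consent_copy),
        marketing_consent=ticked,
        freebie=form.get("freebie") or None,
    )
    CONSENT_LOG.append(record)
    return SignupResult(deliver_freebie=True, marketing_consent=ticked, record=record)


def withdraw_consent(email: str) -> int:
    """Mark every active marketing consent for this address as withdrawn.

    Returns the number of records updated. Records are annotated, not deleted,
    so the history of who consented to what (and when they changed their mind)
    survives as evidence.
    """
    email = email.strip().lower()
    updated = 0
    for rec in CONSENT_LOG:
        if rec.email == email and rec.marketing_consent and rec.withdrawn_at is None:
            rec.withdrawn_at = _now()
            rec.marketing_consent = False
            updated += 1
    return updated


def may_send_marketing(email: str) -> bool:
    """True only if the most recent record for the address carries active consent."""
    email = email.strip().lower()
    records = [r for r in CONSENT_LOG if r.email == email]
    return bool(records) and records[-1].marketing_consent and records[-1].withdrawn_at is None
```

The two design choices worth copying into whatever tool you actually use: the server never assumes the box was ticked (an absent field is "no"), and the record stores a fingerprint of the consent wording rather than a free-text note, so when someone asks what they agreed to you can show the exact copy that was live at the time.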
Here's how I did that...
1. I followed ALL the steps in MailChimp's post on collecting consent with GDPR forms. Incl. collecting re-consent from my existing list with the GDPR Subscriber Alert. (MailChimp thought of everything!)
2. Created groups for the three Freebies I offer as a THANK YOU for people hopping on my Email list, while making it optional for them to "Agree" to me sending them further emails after they receive their Freebie.
3. By creating the List Groups, I could now create an Email Automation for each respective (Freebie) group. One for the Welcome Email. One for EACH Freebie.
4. Once I created my four Email Automations, I linked each List Group to the right group within my main list. I did this by changing the trigger in the Edit Workflow Settings. (See images below. You can click them to have a closer look.)
Click into your Email Automation by clicking Campaign > Ongoing > Click Pause & Edit (to be able to change the trigger and connect the relevant group list) > Click Edit trigger > Choose the right group in the drop-down menu (so the right automation is sent) > Click Change trigger > Click tab List management > Click Joins list group > Update Trigger at the top right.
5. Created my MailChimp GDPR Sign Up Form > Click into the list you are working with > Click Sign Up Forms > Select Form Builder > Start building and designing your form.
6. Created a Thank You page inside Squarespace > In the Main Menu click on PAGES > Click on the plus (+) symbol (in the NOT LINKED section) to create a new page > Click on Page (as opposed to Cover Page, as you want them to be able to explore your site using your navigation bar) > Name your thank you page > Click on START EDITING
7. Linked my thank you page to my MailChimp GDPR Sign Up Form > In the Form builder click on the drop-down menu > Choose Confirmation thank you page > Paste the URL of your thank you page into the relevant field > Click Save
So now, when you "leave" my site to hop on my VIP Email list (via my MailChimp form) and grab your (thank you) Freebie, you'll be automatically sent back to my website and can keep exploring. ;)
8. Set up my re-engagement/re-consent campaign with my existing subscribers. I'm doing it because I'm using GDPR to give my email list a good tidy up. Anyone who hasn't opened my emails in 3 months is not likely to EVER open them. So, I might as well delete them.
But first I'm sending a re-engagement email. To bring back the LOVE and, well, re-engage. No promo. No marketing. Just valuable pure content. And at the bottom of each email (BEFORE 25th May 2018), I'm adding a GDPR Subscriber Alert.
MailChimp has made a template for that too. So, people can click a button, update their settings, re-consent and update their info. AS WELL AS choose their Freebies in my new sign up form. If you don't have any Freebies, they'll just confirm/update their consent.
Here's a test form so you can see, what it would look like for people to change their preference. Obviously, you can change the look to your heart's content. (See YouTube tutorial.)
*UPDATE (16th May 2018): MailChimp has also just released a new Blog: GDPR Forms And More Tools, which might be handy to have.
STEP 4
Get your Data Processing Agreement (DPA) from all the third-party tools you're using to collect data with.
The essentials...
Whenever a controller (you) uses a processor (e.g. MailChimp), there needs to be a written contract in place (Article 28 of the GDPR).
The contract is important so that both parties understand their responsibilities and liabilities.
In my case, it looks like this...
I'm sharing this table* here (#fulltransparency) to get my own head around it all. And don't worry about the length of the table. If you use fewer tools than I do, yours will be way shorter. Plus, each DPA is really just an email (or a click) away.
| Processor | Why (purpose) | What (data processed) | DPA status | Resources |
|---|---|---|---|---|
| Google Analytics | Analyse traffic, remarket our products and services to users, improve our marketing, advertising and website | Age, gender, interests, demographics, number of website visits, pages viewed, other websites used before coming to our website. For more info click here. | Amendment accepted 09/05/2018 | Google Analytics DPA |
| MailChimp | VIP mailing list subscriptions | Email address | Agreement accepted 27/04/2018 | MailChimp DPA |
| Stripe | For customers to make payments for online purchases | Cardholder name, email address, credit/payment card details, card expiration date, CVC code, date/time/amount of transaction, merchant name/ID, location, billing address, phone number | Agreement accepted 09/05/2018 | privacy@stripe.com |
| PayPal | For customers to make payments for online purchases | Cardholder name, email address, credit/payment card details, card expiration date, CVC code, date/time/amount of transaction, merchant name/ID, location, billing address, phone number | Email sent 14/05/2018 | Log into PayPal > Contact > Send email |
| Calendly | To schedule appointments and consultations | First name, last name, email address | Addendum accepted 15/05/2018 | hello@calendly.com |
| Squarespace | Email collection (newsletter subscription), online purchases | Email address, cardholder name, credit/payment card details, card expiration date, CVC code, date/time/amount of transaction, merchant name/ID, location, billing address, phone number | Email sent 14/05/2018 | GDPR & Squarespace |
| Zapier | Add subscribers to MailChimp; trigger the online purchase confirmation email | Email address | DPA signed 23/05/2018 | Find Typeform link under their EU Standard Clauses section |
| Drift | Website live chat | First name, email address | Agreement accepted 12/05/2018 | If you use Drift, you'll have received an email from Tori; reply to it and ask for the DPA. GDPR & Drift |
*This table was inspired by my fellow (German) web designer, Kerstin Martin.
Wait, there's one more thing...
Since writing this Blog, I had numerous people ask me what Cookie plugin I'm using for my Cookie Banner to pop up like that...
It's not a Plug-In. I've enabled Squarespace's inbuilt Cookie Banner.
And I wrote a separate Blog about it to show you HOW I did it. (And so I'm not torturing you more by making this Blog longer than it already is!)
It also explains, why Squarespace's Cookie Banner may not be GDPR sufficient (just yet). And I'll give you other options.
So, click here to check out my Cookie Banner blog.
PHEW!
I know, it's a lot to take in. But if you take it one step at a time, you'll be fine. I gave you ALL the links to get set up and GDPR ready. And MailChimp is explaining it REALLY well, so no need for me to re-invent the wheel.
I hope this Blog helped you. Let me know in the comments below.
P.S.: Do you want me in your website corner all the time?
Hop on the waitlist to CLICK BY CLICK ACADEMY™ for more info and to get notified when I open the doors again. We’d love to welcome you. 🤗
YOUR Website Coach & Click By Click Tech Guide 🤓
Your turn
I spent many hours (ok, an entire WEEK), creating this Blog and making the video. So, if it helped you at all, I'd be FOREVER thankful if you shared it with your Facebook (biz) friends or whichever platform you hang out on. In fact, share it with WHOEVER you think this might help, so we can help each other get over this GDPR hurdle.
In the comments below, tell me your number ONE struggle when it comes to MailChimp, website creation (Squarespace or Weebly), in fact, ANY kind of tech-hurdles you're facing. I'm always here to help. (And I seem to be taking a liking to the word hurdle.)