My exact steps to get GDPR ready

blog image.PNG

Did you have Enough of GDPR Yet?

Or maybe you haven't heard what this GDPR fuss is all about? (Where have you been hiding? ;)

Here's a really good definition from MailChimp.

“The General Data Protection Regulation (GDPR) is a new law that regulates how the personal data of EU citizens can be collected, used, and processed by businesses. It takes effect on May 25, 2018, and while it’s being implemented by the European Union, it applies not only to organizations based in the EU but also to those that have customers and contacts in the EU. So it’s going to have an impact on businesses all around the world.”

If you want to go deeper, here's a direct link to ICO's website (Information Commissioner's Office). There's also a list of 12 Steps to prepare for the GDPR.

Underline long medium.PNG

After 3 weeks of intense GDPR research and information overload. Chatting on Skype, not once but TWICE, with the very helpful James (Jim) Chiodo, a Certified Information Privacy Professional AND owner of Disclaimer Template™, asking him TONS of questions (he very patiently answered).

I'm finally GDPR ready.

In this Blog and YouTube tutorial I'm sharing with you the exact (four) steps I took to be GDPR compliant. I wanted to keep it simple and (hopefully) succeeded. I also wanted to provide you with the same resources and links I found helpful, easy to follow and understand. 

Disclaimer: I am not a legal person Or lawyer. The info I'm sharing are not intended to be a Substitute for legal advice and should not be relied upon as such.

Underline long medium.PNG

The YouTube tutorial

Like the video? Check out my YouTube channel here. >>

Underline long medium.PNG

And here the written version, to make it easier for you to follow the steps. Make sure to take it one step at the time. A little bit every day. I promise you, it's not as hard as it looks. You can do this.  👊

Okay, let's get STARTED...

Step 1

Find out if you're affected

Before you do anything, find out if you and your business are affected by the new GDPR guidelines. Here is a free GDPR checklist from Suzanne Dibble, Small Business Law Expert™ and Data Protection Lawyer.  

IF you collect email addresses FROM your website via opt-ins and Freebies, chances are, people who live in the European Union may have signed up (without you even knowing). This means, you'll have to comply with the new data protection regulation.

So, check the GDPR checklist to stop the guessing game.

Underline long medium.PNG

Step 2

Renew, update or write your Privacy Notice and Terms & Conditions

First of all, why Privacy Notice as opposed to Privacy Policy? Privacy POLICY indicates your INTERNALLY focused policies/regulations. The word NOTICE refers to EXTERNALLY focused regulations to inform your customers, website visitors and subscribers what your business does with personal information.

Before I even knew what I was doing (or supposed to be doing), I bought a package including a new Privacy Notice. But it wasn't the right one. Not for me anyway. It was just too complicated to implement. Too much legal jargon. And any of my questions were being ignored.

So, I kept searching...

And came across  a much more readable and implementable GDPR package from Disclaimer Template™ that my fellow (German) web designer and online friend, Kerstin Martin, had recommended. (I had asked Kerstin if she minded if I bought it too. Of course she didn't.) And now I'm passing it on to YOU.

The package even included the Terms & Conditions AND a website disclaimer, both of which I've been meaning to update, but never got around to doing. PLUS, I could also use it for my brick & water (local) business over here in Oz. #BONUS. It was perfect! 

So, that GDPR package was from Disclaimer Template™. I contacted the owner, James (Jim) Chiodo, a Certified Information Privacy Professional. We had a Skype call and he answered all my questions. Then we had another Skype call. Because that's the kinda guy he is. 

And because I worked with him to get my site GDPR ready, he even created a very special GDPR-package just for me to pass on to YOU. And this package is even more valuable than the one I initially went for. It even includes a professional review of your privacy notice, after you've implemented it. And SO much more. It's unreal! 

I felt like I hit the (GDPR expert) jackpot with this guy and this special package. With my name on it. Literally!

The reason why I was so picky about my legal templates was because I wanted it to be easy to implement and the language to be understandable to anyone. Including me. Especially since it's all about data protection. It was too important to me to settle for second best.

So, even though I "wasted" my money on the first package (before I came across Disclaimer Template™), it brought me to James Chiodo, a Privacy Professional. And that can only be a good thing. Because, hands down, after all my research, his GDPR-package is the best package out there to get you GDPR ready.

James also pointed out to me that the Privacy Notice and Terms & Conditions need to be made visible above the fold of your website. Otherwise, it'll leave you with little or no legal protection. This was totally new to me. Click here to learn what that's all about.

Underline long medium.PNG

Step 3

Get "positive, genuine and freely given" consent from new subscribers

After going through every option inside Squarespace, from opt-in form to newsletter sign up form to marketing pop-up, I realised, Squarespace hasn't made the forms GDPR friendly just yet. Either the tick-box is missing. Or I can't link my Privacy Notice and Terms & Conditions right at the "point of sign-up", which I'm obliged to do according to the new GDPR guidelines on consent.

So, until Squarespace gets that sorted, I'm back to using MailChimp forms. Thankfully, MailChimp has made that process as easy as possible for us. They've introduced amazingly helpful MailChimp GDPR tools* helping you step by step (literally) to get your opt-in forms GDPR ready.

Plus, the set-up below is inspired by a guy called Robin Adams (aka The MailChimp Guy). I joined his Facebook group, MailChimp and GDPR, a few weeks ago. And I'm SO glad I did. (If you're using MailChimp, make sure to join his group.)

Below I'll also show you how to automatically bring your people back to your site after they sign up on your MailChimp form. So, nothing's lost. ;) But we'll get to that later. 

According to the new law, to receive "freely given consent" from your new subscribers, there needs to be a check-box along with GDPR compliant copy with every opt-in (Freebie or Newsletter) explaining explicitly, what your subscribers sign up for and that they can unsubscribe at any time. Plus, that checkbox cannot be pre-ticked and/or made required. 

If your platform doesn't have a checkbox feature for opt-ins or pop-ups, enable the double-opt-in. It may be sufficient but it is not 100% confirmed. The checkbox option is always preferable. But who knows, the new law MAY evolve into something a liiittle more online-biz user-friendly. ;)

Here's the link to what the ICO says at a glance

The bits that jumped out at me are...

  • Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.

  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.

  • Make it easy for people to withdraw consent and tell them how.

  • Keep evidence of consent – who, when, how, and what you told people.

  • Avoid making consent to processing a precondition of a service.

  • Be clear and concise.

I liked the last one. With all the information needed to create a GDPR compliant consent form, it was a bit of a challenge to keep it "concise". But I gave it my best shot in my new MailChimp opt-in form. (It's Privacy-Professional-Approved. ;)

Here's how I did that... 

(And I'm showing you ALL of it in much more details in the YouTube tutorial above.) 

1. Followed ALL the steps in MailChimp's post on collecting consent with GDPR forms. Incl. collecting re-consent from my existing list with the GDPR Subscriber Alert. (MailChimp thought of everything!)

2. Created groups for my three Freebies that I offer as a THANK YOU for people hopping on my Email list...

Yet, making it optional for them to"Agree" to me sending them further emails after they receive my Freebie.

3. By creating the List Groups, I could now create an Email Automation for each respective (Freebie) group. One for the Welcome Email. One for EACH Freebie. 

4. Once I created my four Email Automations, I linked each List Group to the right group within my main list. I did this by changing the trigger in the Edit Workflow Settings. (See images below. You can click them to have a closer look.)

Click into your Email Automation by clicking Campaign > Ongoing > Click Pause & Edit (to be able to change the trigger and connect the relevant group list) > Click Edit trigger > Choose the right group in the drop-down menu (so the right automation is sent) > Click Change trigger > Click tab List management > Click Joins list group > Update Trigger at the top right.

trigger update.PNG

5. Created my MailChimp GDPR Sign Up Form > Click into the list you are working with > Click Sign Up Forms > Select Form Builder > Start building and designing your form.

6. Created a Thank You page inside Squarespace > In the Main Menu click on PAGES > Click on the plus (+) symbol (in the NOT LINKED section) to create a new page > Click on Page (as opposed to Cover Page, as you want them to be able to explore your site using your navigation bar) > Name your thank you page > Click on START EDITING


7. Linked my thank you page to my MailChimp GDPR Sign Up Form > In the Form builder click on the drop-down menu > Choose Confirmation thank you page > Paste the URL of your thank you page into the relevant field > Click Save

So now, when you "leave" my site to hop on my VIP Email list (via my MailChimp form) and grab your (thank you) Freebie, you'll be automatically sent back to my website and can keep exploring. ;)

8. Set up my re-engagement/re-consent campaign with my existing subscribers. I'm doing it because I'm using GDPR to give my email list a good tidy up. Anyone who hasn't opened my emails in 3 months is not likely to EVER open them. So, I might as well delete them. 

But first I'm sending a re-engagement email. To bring back the LOVE and, well, re-engage. No promo. No marketing. Just valuable pure content. And at the bottom of each email (BEFORE 25th May), I'm adding a GDPR Subscriber Alert

MailChimp has made a template for that too. So, people can click a button, update their settings, re-consent and update their info. AS WELL AS choose their Freebies in my new sign up form. If you don't have any Freebies, they'll just confirm/update their consent. 

Here's a test form so you can see, what it would look like for people to change their preference. Obviously, you can change the look to your heart's content. (See YouTube tutorial.)

*UPDATE (16th May): MailChimp has also just released a new Blog: GDPR Forms And More Tools, which might be handy to have in your back-pocket too.

Underline long medium.PNG


Get your Data Processing Agreement (DPA) from all the third party tools you're using to collect data with.

The essentials...

  • Whenever a controller (you) uses a processor (i.e. MailChimp) it needs to have a written contract in place.

  • The contract is important so that both parties understand their responsibilities and liabilities.

In my case, this looks like this...

I'm sharing this table* here (#fulltransparency) to get my own head around it and to make sure I'm ticking them off the list as I go along. And don't worry about the length of the table. If you use less tools than I do, yours will be way shorter. Plus, each DPA is really just an email (or a click) away. 

Processor Why What DPA processed Resources
Google Analytics Analyse traffic, remarket our products and services to users, improve our marketing, advertising, and to improve our website Information such as age, gender, interests, demographics, how many website visits, what pages, what other websites used before coming to our website. For more info click here. Amendment accepted, 09/05/2018 Google Analytics DPA
MailChimp VIP Mailing List Suscriptions Email address Agreement accepted, 27/04/2018 MailChimp DPA
Stripe For customers to make payments for online purchases Cardholder name, email address, credit card/payment card details, card expiration date, CVC code, date/time/amount of transaction, merchant name/ID, location, billing address, phone number Agreement accepted 09/05/2018
PayPal For customers to make payments for online purchases Cardholder name, email address, credit card/payment card details, card expiration date, CVC code, date/time/amount of transaction merchant name/ID, location, billing address, phone number Email sent 14/05/2018 Log into PayPal > Contact > Send email
Calendly To schedule appointments, consultations First name, last name, email address Addendum accepted 15/05/2018
Squarespace Email collection (newsletter subscription), online purchases Email address, cardholder name, credit card/payment card details, card expiration date, CVC code, date/time/amount of transaction merchant name/ID, location, billing address, phone number Email sent 14/05/2018 GDPR & Squarespace
Zapier Add subscribers to MailChimp, Online purchase confirmation email trigger Email address DPA signed 23/05/2018 Find Typeform link under their EU Standard Clauses section
Drift Website Live Chat First name, Email address Agreement accepted 12/05/2018 If you use Drift, you'll have received an email from Tori. Reply to it & ask for the DPA. GDPR & Drift

*This table was inspired by my fellow (German) web designer and online friend, Kerstin Martin. Thanks again, Kerstin ;).

Underline long medium.PNG

Wait, there's one more thing...

Since writing this Blog, I had numerous people ask me what Cookie plugin I'm using for my Cookie Banner to pop up like that... 

It's not a Plug-In. I've enabled Squarespace's inbuilt Cookie Banner. 

And I wrote a separate Blog about it to show you HOW I did it. (And so I'm not torturing you more by making this Blog even longer!) 

It also explains, why Squarespace's Cookie Banner may not be GDPR sufficient (just yet). And I'll give you other options. 

So, check out my Cookie Banner blog right here

Underline long medium.PNG


I know, it's a lot to take in. But if you take it one step at at time, you'll be fine. I gave you ALL the links to get set up and GDPR ready. And MailChimp is explaining it REALLY well, so no need for me to re-invent the wheel.

If you'd like to go even deeper, James (Jim) Chiodo (Disclaimer Template™) had also emailed me a few documents for some "light reading" (listed below), which I can share with you, if you like.

Just email me at and I'll send them to you:

  • Guide to to the General Data Protection Regulation (GDPR) - PDF, 153 pages(!)

  • Guide to the Privacy and Electronic Communications Regulations (PECR) - PDF, 52 pages

  • Email Authorisation Sample (with instructions) - WordDoc, 2 pages

And here's the link one more time to check out the special GDPR-package my privacy professional specially created for me to pass on to you. 

I hope this Blog helped you. Let me know in the comments below.

Signature w. smiley face.JPG

Your Website Creation Coach & Click By Click Tech Guide 🤓

Underline long medium.PNG

7 Steps To A Website.

Wanna build your own website but you've no idea where to even begin?

Click the button below and download my FREE step-by-step guide to start your site, take (website) control and never have to pay a web designer again.

Includes click-by-click video tutorials... Something I wish I had when I started!

It's so easy-peasy, you can do it in bed, PJ's on. (Over coffee and chocolate... yum.)

Kerstin - laptop video screenshot - smallest.png
Underline long medium.PNG

Your turn

  1. I spent many hours (ok, an entire WEEK), creating this Blog and making the video. So, if it helped you at all, I'd be FOREVER thankful if you shared it with your Facebook (biz) friends or whichever platform you hang out on. In fact, share it with WHOEVER you think this might help, so we can help each other get over this GDPR hurdle.

  2. In the comments below, tell me your number ONE struggle when it comes to MailChimp, website creation (Squarespace or Weebly), in fact, ANY kind of tech-hurdles you're facing. I'm always here to help. (And I seem to be taking a liking to the word hurdle.)