Something came into my inbox today from HubSpot, and it’s relevant to my clients who are selling online globally. Particularly, I have a client who is running webinars, and his contacts include people in Europe. He plans to sell courses internationally, so he and I both need to understand how to prepare for the GDPR.
Any data collected from citizens in the European Union will be affected by the new General Data Protection Regulation (GDPR) standards. Beginning May 25, 2018, the GDPR comes into enforcement. Even if you’re not based in the EU, if you gather, control, or process the data of EU citizens, you need to get ready for compliance. If you don’t, you could incur fines of up to €20 million, or 4% of your global annual revenue (whichever is greater). Yikes!
If you want to read the fine details, HubSpot has created a dedicated GDPR web page.
For your convenience, I’ve summarized the key points from the HubSpot article below. This is just to get you started on awareness, and is by no means any kind of legal advice. I am a content strategist, not a lawyer!
Provide Opportunities for Informed Consent
- Communicate clearly what the data is going to be used for
- Individuals must give their consent to that specific use
- Consent MUST be clear: “informed, specific, unambiguous, and revocable”
- You must also tell people about their right to withdraw consent
- Anytime you want to use the data for a purpose other than what the person agreed to, you must ask for consent again
Limits to the Data You May Collect
- Only collect data that is adequate, relevant, and limited to what is necessary for the intended purpose
- You are not allowed to use data in any way that would be incompatible with the intended purpose for which it was collected
- If you plan to transfer or share the data with another company, you must get consent for that, as well
Make Plans and Policies for Data Security and Accuracy
- Ensure data is stored in a secure manner in accordance with the Security provisions of the GDPR
- Allow people to correct or update their data if the information is no longer accurate
- Keep records to prove compliance
- Develop policies governing the collection and use of data
- Develop vendor contracts to include the necessary provisions to protect any data being processed on your behalf
Make Plans and Policies for Retention of the Data
- You may only hold on to personal data for as long as is necessary to fulfill the intended purpose of collection
- Have a data retention policy in place which outlines how long you retain data and the business justification for holding on to the data
- Delete data on request and confirm the deletion
- Confirm that any vendors whose systems process data on your behalf also comply with deletion requests
So, there you have it. Email marketing, webinars, lead forms, online purchases – if you collect data from EU citizens, be ready. Talk to your lawyer and make sure you have your policies and protocols in place before May 25, 2018.