HSH 095: GDPR - What You Need to Know with Gena Shingle Jaffe

If you’re in the online space there’s a good chance you’ve heard about GDPR, but what exactly is it and what do we have to do to comply to the new regulations? In this episode, My friend Gena Shingle Jaffe is going to give us her expertise as a lawyer to break it all down for us.  Please note that today’s episode is legal information, not legal advice, but GDPR is something that we need to be aware of and take action on, and this episode will help you do just that!  

GDPR stands for “General Data Protection Regulation”, and it is a new privacy law brought forth by the European Union to protect people in their 28 member states. GDPR is all about how you collect and process personal data, which can be as simple as a name and email address.  

There are a few main things you’ll need to do before May 25th, 2018, the date when the new law goes into effect. You’ll have to update your privacy policy, as well as update how you are getting consent from people to access their data.  

GDPR applies to anybody who’s in the European Union, or anyone who markets to or sells anything to anyone in the EU.  

Personal data is defined as anything that can identify a person, and under GDPR you have to have a lawful basis to process somebody’s data. Consent will be the biggest change, as you’ll need to get unambiguous affirmative action, by offering an unchecked box on your opt-in that people will need to select to give consent. People now can also request your freebie, but to not be added to your mailing list, and you have to provide it to them. As Gena shares though, there are some workarounds for online marketers here that can be implemented.  

She notes that a lot of what steps you take, or don’t take, around GDPR will be determined by how risk adverse you are. One area where you won’t need additional consent is to fulfil a contract.  

You should already have a privacy policy in place, and by updating it you’ll be improving the quality of your marketing and your list.  Although you’ll be updating your privacy policy, you cannot just copy someone else’s privacy policy.  

One grey area of data processing involves legitimate interest. You are still able to email someone if you can determine they’ll have a legitimate interest in what you are sending to them, but this determination will require a balancing test of three different parts: purpose, necessity and the individual’s interest. 

Going forward, if you have existing people on your list based in the EU, you’ll need to run a re-engagement campaign to get their consent to remain on your list. Even storing data after May 25th is considered processing their data. If you don’t receive consent from them by this date, you are required to delete them off of your mailing list.  

There are penalties that can be imposed for not complying to GDPR, but the intent of the regulations aren’t to go after small business owners.  

Gena gives us options and examples of what you can to grow your email list, including changes to your opt-in page as well as things you can do to segment your list based on IP addresses.  

You’ll also need to make sure third-parties that you work with, like email providers and payment processors, are GDPR-compliant.  

She adds that if you have more than occasional contact with people in the EU, you need to have a GDPR Representative (based in the EU) that can receive notifications such as complaints on your behalf.  

I know there’s a lot of info to consider with GDPR, but it is very much worth looking into and understanding. It can be overwhelming, but Gena has broken it down into the action steps we’ll need to take to become compliant!  


Gena’s Privacy Policy resource (affiliate)  

Gena’s Privacy Policy resource (non-affiliate)