#101 – GDPR: A Lawyer’s Perspective

What you will learn

  • Who GDPR applies to
  • Why you’re probably not going to get hit with a €20m fine
  • What conditions give you legal grounds to store and process data
  • Why you may be liable for service providers you use and how you can reduce this risk
  • How GDPR impacts link building
  • Simple steps you can take to move towards compliance

Starting May 25th, 2018, the EU will introduce GDPR or General Data Protection Regulation.

This new law will affect how data is used, stored and processed. It applies to any company that stores or processes the data of any EU citizen.

In this week’s podcast, I’m joined by Suzanne Dibble to discuss the impact GDPR will have and what we have to do to prepare for it.

Suzanne is a lawyer.

She has been practicing law for over 20 years and is a specialist in data protection.

Suzanne has worked on major data protection projects with multinational corporations (such as The Virgin Group). She has also been heralded by The Law Society as an innovative provider of legal services to small businesses.

Suzanne manages the GDPR For Online Entrepreneurs Facebook group. This free group goes into even more detail on the subject than we will have time to go into in this podcast.

What is GDPR?

GDPR is the General Data Protection Regulation from the European Union. It replaces the current data protection laws and draws them all into one, more rigorous framework.

Due to Brexit, the UK is also drafting a UK version of the law that will fall into line with the EU regulations.

Why Are Data Protection Laws Changing?

The most recent data protection legislation in the UK was The Data Protection Act 1998.

Over the past twenty years, things have changed. According to Google’s Eric Schmidt, we now create the same amount of data every two days that it took until 2003 to create.

Data is now the world’s most valuable asset. The idea of GDPR is to introduce legislation that reflects the value and importance of data. This means the penalties associated with breaching GDPR will also reflect that.

The maximum penalty for a breach will be €20m or 4% of global turnover – whichever is higher.

At the moment, the highest possible penalty in the UK is £500k. So the maximum penalty is increasing roughly 40x.

But don’t panic. This is the worst-case scenario. It’s very unlikely any small business owner will be fined anything like this.

In fact, it is unlikely you will be fined at all if you make some basic changes and start working towards full compliance.

If someone happens to put in a complaint against your company and the regulators knock on your door, they will be lenient if you can show evidence you have been working towards becoming compliant. At least initially.

A major point to note about the new legislation is that it extends the meaning of personal data. It now means ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

So, this means things such as cookies and IP addresses are now in scope.

How Does GDPR Change How We Collect and Use Data?

Say you have a lead magnet. At the moment, the process is:

  • Opt-in form to receive lead magnet
  • Collect email address
  • Send them the report
  • Promote products to them

Under GDPR, before you process any data, you have to have legal grounds for doing so.

Those legal grounds can be:

  • Consent – the person has given permission to use their data in that way.
  • Contract – you have to process a client’s data as part of a contract you have with that client.
  • Legal obligation – to comply with the law.
  • Legitimate interest – you have reason to believe they are legitimately interested in what you are offering them, unless there is a good reason to protect the person’s data that overrides that legitimate interest.

For the most part (as is the case with the lead magnet example above), we will be relying upon consent.

GDPR sets a higher standard for consent than currently exists. It has to be given by a clear, affirmative act, establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing.

It can be done by written statement (including electronic means) or by oral statement.

This means no more pre-checked boxes and probably means multiple check boxes for different types of products or emails.

You also need to update your privacy policy and link to that policy when people are signing up.

Is Double Opt-In Required To Show Consent?

No.

It’s a method of obtaining consent, but it’s not mandatory.

Two-stage verification is required if you’re collecting sensitive information such as:

  • Ethnicity
  • Sexual orientation
  • Religious beliefs
  • Genetic or biometric data

In this case, double opt-in would be a good way of obtaining that two-stage verification, but it is not the only way.

What is Legitimate Interest?

Because this is new legislation, it is not 100% clear what legitimate interest covers. No precedent has been set as of now.

But, legitimate interest is where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

What Data Is In Scope And What Data Is Out Of Scope?

Any information that identifies a living individual is in scope. This means email, name, cookies, IP addresses and more.

Although marketing communications are covered by PECR (Privacy and Electronic Communications Regulations), it makes sense to just treat all communications as though they come under GDPR.

PECR is being brought into line with GDPR although this will not be completed until 2019 at the earliest.

For lead generation, it is fine to send individual emails to prospects. The issue comes if you try to add these prospects to your email system without their knowledge or consent.

Privacy Shield and Using Compliant Service Providers

You can only send data outside of the EEA (European Economic Area) to countries that have ‘adequate data privacy laws’.

The US is not considered to have adequate data privacy laws. This is where the EU-US Privacy Shield comes in.

You can send your data to companies registered on the EU-US Privacy Shield as they have self-certified that they comply with the GDPR regulations.

Remember, if you send your data to a company that is outside the EU and they have a data breach, you are liable for that breach in the eyes of the EU.

If you only use companies registered on the Privacy Shield, the regulators are more likely to be lenient.

Does Consent Need To Be Refreshed Regularly?

Yes.

The ICO in the UK suggests consent should be refreshed every two years.

This should probably be via opt-in again.

How Does GDPR Affect Link Building?

The case for link building comes under the grounds of legitimate interest. For example, if you are outreaching to a site that accepts guest posts, then you can state that storing their email address is in their interest.

As Suzanne mentioned earlier, prospecting or lead generation is not a problem under GDPR. You can make a case for putting link building under the same umbrella as prospecting.

When using a third-party tool (e.g. Mailshake) for outreach, you have to make sure they are compliant with GDPR; otherwise you can be found liable for any breaches.

It can also be a gray area when you add the data from Hunter to Mailshake. At this point, the data is being processed and the person is not expecting to hear from you. Again, this is where the legitimate interest defense comes in.

The main thing is to be sensible, don’t be aggressive and give people an option that makes it easy for them to unsubscribe or not hear from you again.

In terms of storing an unsubscribe/blacklist for outreach, it is in the interest of the sites that have asked not to be contacted for them to be stored on a blacklist. This means you can check your current prospects against your blacklist before you send an outreach and not annoy people who don’t want to be contacted.

In terms of data security, it makes sense to have the sheet containing this personal data password protected.

Simple Steps Towards Compliance

For internet marketers, there are a few simple things you can do to get started:

  • Organize all the personal data you already have
  • Document where it came from and who you share it with
  • Assign a legal basis for the storage and processing of that data (consent, contract, legal obligation, etc.)
  • Review privacy policy and add the new, obligatory information
  • Email your list and ask for consent at the GDPR standard
  • Put systems in place to keep a record of consent

Suzanne can help you with:

  • A template for the data inventory
  • Legal basis for processing
  • New privacy policy template
  • Email you need to send your list notifying them of the new privacy policy
  • A new processing agreement if a third party is performing your payroll for example

You can also purchase her GDPR pack for £97 until March 30th, 2018.

Resources Mentioned In This Episode