(What I've done to get my GDPR ducks in a row)

 
arvin-febry-167435-unsplash.jpg
 

Not another GDPR article!

Come 25 May 2018, if you collect even the teeniest smudge of personal data about any human who exists within the European Union, you must put safeguards in place to protect their deets. (But you were doing that already, right?)

If you don't, you could face some rather eye-watering fines, not to mention serious side-eye from your online community.

I'm not going into detail about the rollercoaster ride that is GDPR, because about 2093480934728 other folk have written about it and you're probably sick to death of reading about it.

This is an entirely self-interested post, to force me to do a wee GDPR check-up on my own biz. Scroll down if you want to see what I've done. I promise it's not as bad as it seems.

I actually think it's great for consumers AND businesses. Here's why.

Why I think GDPR is a Good Thing

Don't we all want to know that organisations are being careful with our data? This is about being transparent and ethical, which hopefully we are all trying our best to do anyway.

The ever-wise Seth Godin says 'GDPR is a net positive for people with something to say, something to sell or something to change. Because the noise will go down and trust will go up.'

By putting the brakes on some shadier marketing practices, those of us who genuinely want to be of service can communicate with a willing audience without being lumped in with the spammers.

Admittedly, getting GDPR-ready is a bit of a hassle. As a former civil servant, a little extra admin doesn't scare me, but no one relishes extra work or expenses. It's also not clear how it will be enforced, which leaves the door open for scaremongering (especially from people who just so happen to sell audits and insurance). And what about our precious email lists?!

But here's the thing. You’ll be marketing to people who want to hear from you.

It's that trust-based marketing thing again.

GDPR gives you a great opportunity to clean up your databases. Sure, subscriber numbers might go down, but the ones that opt-in are saying 'yes, I want to hear about your work!'. They're not passively receiving your emails because they downloaded an e-book from you three years ago and never got around to unsubscribing. They're interested. Those who don't choose to stay on your list were probably never going to be great leads.

Spam is in the eye of the beholder.

(I was going to say something about trimming the deadwood from your list, but then I discovered that deadwood is actually home to many thriving woodland creatures, which sounds rather nice.)

Trust-based marketing means building a community of people who want to hear from you.

So this is a good time to take stock of your inbound marketing strategy - how are you using your website, blog and social media presence to attract the right people?

With great content and great customer experiences, you'll earn your contacts.

And while most folk are blissfully unaware of all this (save for the sudden influx of privacy policy emails flooding their inboxes in the last few weeks), 90% of European consumers surveyed by HubSpot were enthusiastic about having more control over their data. You probably don’t want to be overheard complaining about it too much.

Being seen to care about your customers' privacy and online safety is a great way to signal your brand values.

What I'm doing to get GDPR-ready

Let's be honest, positive or not, this still isn't something I find super exciting. As I said, I only started writing this post so I'd be forced to figure out what I need to do myself.

My thought process went something like this:

Do I process any personal data?

Why yes, I do. Most of the personal data I handle falls under email marketing and client relationship management.

And how am I processing the data?

For email marketing, people click on lead magnets and sign-up forms to receive The Copy Prescription newsletter. The list is held by MailChimp. I can see the first name and email address of everyone who signed up, where they signed up, when they've opened emails and clicked on links, and if they've unsubscribed.

For client relationship management, I have names and email addresses from people who've contacted me via the contact form on my Hire Me page, and I keep a spreadsheet of client contact information.

Do I have a legal basis to process the data?

Good question. Maybe I'll get coffee and come back to that later.

Ok. There are 6 legal bases for processing data, and the two relevant to me are 'consent' (i.e. the person explicitly confirmed that they want to be contacted) and 'legitimate interests' (i.e. it would be reasonable for them to assume that I might contact them).

I need to check that everyone who gets the newsletter actively consented to be on the list, and was given all the appropriate information about how their data would be handled. Most signed up after downloading a copy of my free 'Copy Health Check' guide, and while I did my best to make everything clear, I'm not 100% sure it met the 'unbundled' requirements of GDPR, and I've deleted the old landing page now so I can't prove it either way (WHY, DAMMIT! WHY?), so I'm going to ask subscribers to update their prefs.

I've also checked MailChimp's policies on data protection, and emailed them to clarify how data can be deleted if someone asks for it, as this wasn't clear. They've said they'll have measures in place by the end of the month. I've also signed Mailchimp’s data processing agreement which confirms they have an EU ‘privacy shield’ (doesn't that sound like something you'd wear in the shower at the gym?).

With the client contact information, I believe I have legitimate interests to keep their data while we're working together. I've deleted any old contacts from my database and made sure it's secure.

I've also revised my privacy policy to make clear that the lovely folks at Squarespace may see data provided via the contact form on my website, and added a cookie consent doo-dah.

Whew. So do I need to do anything differently?

Although I haven't had to do a huge amount to get GDPR-ready, I want to make sure I'm being as transparent as possible. I'm changing my sign-up forms for new subscribers so it's super clear how the data will be used and looked after. I'm also adding a double opt-in, even though that's not strictly necessary.

I've also written a doc that explains all these actions, should the ICO come a-snooping.

OK. Sounds like we're organised. What do I need to tell people?

I'll be telling my email list about these changes, reminding them of all the amazing value I hope to provide, and giving them an easy out if they’re not interested.

Other than that, I'll be continuing to be as clear as possible about how I run my business.

So, what have you been doing to GDPR-ify your biz?

If you’d like help to write or refresh your own privacy policies, data protection statements and disclaimers in Plain English, holla at me!

(📷: @arkeyphoto via Unsplash.)


Previous
Previous

Harness the power of bold copy for your health brand

Next
Next

How I use video to surprise and delight my copywriting clients