GDPR is here.
It’s not often that new regulations make such waves.
But everyone’s talking about this one, and if you’re subscribed to even the odd email newsletter, chances are you’ve recently received a deluge of emails with updated privacy policies.
If you’re anything like me, you’ve been straight up ignoring these – regulations, privacy policies, acronyms… They aren’t exactly the most exciting of topics.
But as a freelancer, you’re running a business – which means this new regulation might affect you and there are certain things you’ll need to do to comply.
Don’t worry – I’ll make it quick and (relatively) painless…
What’s this GDPR thing all about?
The EU General Data Protection Regulation (GDPR), which came into effect on May 25th, 2018, is designed to standardise data privacy laws across Europe and protect individuals’ data privacy.
And while your business may not be operating in the EU, if you handle personal or sensitive data of EU citizens (like contact information, IP addresses, or credit card numbers), you’ll need to comply with the new rules.
It’s a pretty complex law, but these are the main concepts:
- Transparency: Be explicit about how you’ll use data.
- Limited use: Don’t use data for any purposes other than what you’ve said you will.
- Minimization: Try to only collect the information you need for what you’re doing (so don’t ask for a phone number if you’ve already stated you’ll be using their information for email marketing).
- Accuracy: Keep accurate and up-to-date records of personal data.
- Storage limitation: Only keep data for as long as you need it for the purpose you specified when it was collected.
- Confidentiality: Keep data secure, and report data breaches quickly (in most cases within 72 hours).
- Accountability: Organizations need to have someone who is responsible for compliance and data protection… that’s you!
Businesses that don’t comply with the laws could be subject to large fines. In fact, despite spending 18 months preparing for GDPR, Facebook was pummelled with a $4.5B lawsuit on day 1, and complaints have been filed against Google, Instagram and WhatsApp too.
Time to make sure you’re safe!
The steps you should take to ensure you’re compliant
Let me start by saying I am definitely not a lawyer, so please don’t take this as legal advice and talk to your lawyer to discuss how the new laws will apply to you specifically.
Keep in mind that you only need to comply with these laws for users from the European Union, so if you think these actions would limit your marketing to people in other countries, you could separate out users within the EU and deliver a GDPR-compliant experience to them alone.
Review your email marketing practices
If you do any kind of email marketing or collect email addresses for a newsletter, you’ll need to review how you’re gathering, using and storing that data.
Review your methods of consent
Under GDPR, you must use a tick box for people to give their consent for you to keep their data, and it can’t be pre-ticked. It must be a positive opt-in too – so you can’t ask people to ‘tick here if you don’t want to be on the email list’.
Set up double opt-in for your newsletter
Especially if you don’t have a consent checkbox on every signup form, make sure double opt-in is active for your newsletter. This means people who subscribe to your list receive a confirmation email, where they’ll need to click a link to verify their email address. Consent is a big part of the regulation, and this is the best way to prove that people on your mailing list gave their permission to be on it.
If you use Mailchimp, this is likely already set up, as they make double opt-in standard now. They also offer GDPR-friendly forms. If you use different mailing software, it’s worth checking their specific advice too.
Communicate to your subscribers how their information is used
Under the new regulations, you need to make sure it’s clear to users what they are signing up for. Be specific about what communication they’ll receive from you.
Give people a way to delete themselves from your email list
All of your emails should have a clear unsubscribe button, and you must be able to delete all of a user’s personal information on request.
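As an added example (not code from the original post or from any mailing provider), here is the consent flow the sections above describe, in Python: a signup that refuses an unticked box, an HMAC-signed confirmation link that records when consent was confirmed and rejects stale or reused links, and an erase function for deletion requests. The secret key and the in-memory store are placeholders standing in for a real secret and a database.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"replace-with-a-real-secret"  # constructed placeholder
TOKEN_TTL = 48 * 3600                       # confirmation link valid 48h
subscribers = {}  # email -> record; nothing stored until the box is ticked

def _sign(email, issued):
    msg = f"{email}|{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def subscribe(email, consent_ticked, purpose, now=None):
    """Step 1: form submission. Refuse unless the box was actively ticked."""
    if not consent_ticked:
        raise ValueError("no consent: the box must be ticked by the user")
    now = now or int(time.time())
    subscribers[email] = {
        "status": "pending",
        "purpose": purpose,  # what they were told they signed up for
        "requested_at": now,
        "confirmed_at": None,
    }
    # The token goes into the confirmation link; it is not stored anywhere.
    return f"{email}|{now}|{_sign(email, now)}"

def confirm(token, now=None):
    """Step 2: the subscriber clicks the link. Check signature, age, state."""
    now = now or int(time.time())
    try:
        email, issued, sig = token.rsplit("|", 2)
        issued = int(issued)
    except ValueError:
        return False
    if not hmac.compare_digest(sig.encode(), _sign(email, issued).encode()):
        return False
    if now - issued > TOKEN_TTL:  # stale link: ask them to sign up again
        return False
    rec = subscribers.get(email)
    if rec is None or rec["status"] != "pending":
        return False
    rec["status"] = "confirmed"
    rec["confirmed_at"] = now  # this timestamp is the evidence of consent
    return True

def erase(email):
    """Deletion on request: drop every field held for this address."""
    return subscribers.pop(email, None) is not None
```

Only `confirmed_at` and `purpose` are kept per address, which is also the minimisation the post asks for: the record holds nothing the newsletter does not need.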
Make sure your data is secure
Once you’ve collected people’s emails or other data, it’s then essential that you store it in a secure way. There are some general precautions you should take to keep your data secure (like protecting against viruses), as well as some more extreme steps you can take if you want to be doubly sure.
Protect against viruses and malware
Security of data needs to be a top priority; this means ensuring you have adequate protection from malware and viruses.
Use a private VPN when working in public
The beauty of being a freelancer is that often, you can work from anywhere. But if you’re working from public WiFi in your local Starbucks, you’re much more susceptible to data being intercepted. Make sure you use a private, encrypted network.
Backup data securely
There’s nothing worse than losing your laptop or memory stick – especially when it’s full of your life’s work. Secure backups are just good practice for a freelancer, but they’re also crucial if you hope to comply with the GDPR’s data breach reporting and notification requirements. You are required to notify anyone whose data may have been compromised as part of a breach – something which would be pretty difficult without a backup.
Encrypt your devices
While we’re on the subject, if your device is lost or stolen, you need to make sure any data on there is secure. Password protecting your devices is not enough – the data could easily be transferred to another machine and read. Conduct a complete audit of all devices used to store client information and ensure they’re secure and encrypted – typically your computer, phone, or hard drive. It’s also a good time to securely delete any documents you no longer need to keep.
Review and accept the new Google Analytics Data Retention terms of service
If you use Google Analytics to track traffic to your site, you may have already seen a notice pop up in the header bar at the top of your analytics account. Make sure you check your settings and accept the terms of service.
Keep data that’s essential for your business
It’s also good to know that under GDPR you’re allowed to keep data if you need it for legal or accounting reasons. This means that things like contracts, signed proposals and invoices can be kept for multiple years if necessary (and required by your local laws for audits on financial or other records), even if your client asks you to delete their data.
These laws are already in effect, so get straight on to ensuring you’re compliant. You’ll feel better once it’s done… and then you can get back to doing the fun stuff.