3 Steps to GDPR Compliance for Small Businesses and Squarespace Websites


Disclaimer: I am not a legal expert and this post does not constitute legal advice.

So. GDPR. Is your head spinning yet? I don’t even know why I care so much about this. While I am an EU citizen I no longer live there and the majority of data processed through my business is from non-EU peeps. Plus, I am just a one-woman business and it’s easy to shrug our shoulders and say I’m too small to care about this. 

Alas, GDPR affects anyone who collects and processes data of EU citizens, regardless of where your business is located or how big your business is. And I do have some lovely EU clients and subscribers, so I took it upon myself to browse dozens of articles and educate myself on GDPR. Here are the highlights that jump out at me; read my previous blog post for further details.


The General Data Protection Regulation (GDPR) is a new law that regulates how businesses are collecting, using and processing data from EU citizens. It comes into effect on May 25, 2018. Click here for more info.


GDPR Highlights

Lawful Basis
You need a lawful basis for collecting and using personal data. There are six lawful bases and in my case I am using explicit consent at data collection point as well as contract for purchases.

Privacy Policy
Your Privacy Policy needs to explain in clear and simple language how you are collecting and using the personal data of EU citizens, and who they can contact if they wish to review, change or delete their data.

Data Processing Agreement
If you use third party data processors (Stripe, PayPal etc.) you need a contract with them that addresses the nature and purpose of the processing and everyone's responsibilities and liabilities. This contract is generally referred to as the Data Processing Agreement (DPA).

Non-Compliance
Non-compliance can result in high fines, even for small companies and even if your company is based outside the EU. As long as you process data of EU citizens you are liable. My question: How is this enforced? According to this article "EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities." While I don't think that small one-person businesses are high on the authorities' radar, this doesn't mean that we should be complacent about any of this.

Anyone Can Report You
I have not been able to find a written English back-up for this statement. I heard about this in a German law forum that specialises in GDPR. According to them anyone can report you for perceived non-compliance, even if they are not a victim of your alleged non-compliance. So if anyone knows more about this and can point me to a reliable source I'd be grateful. I'm mentioning it here because it's just one more thing to be aware of.


My 3 Steps to Compliance


Step 1: Create a Lawful Basis

You need a lawful basis for data collection; Explicit Consent and Contract are the ones I am using for my mailing list subscriptions and product purchases respectively.

1. Get Consent

1.1 Bye Bye Lead Magnets, Hello Free Resources

Under GDPR you cannot offer an opt-in or lead magnet and automatically add subscribers to your mailing list! Neither are you allowed to make the mailing list subscription a condition of receiving a freebie. I can't even tell you how much I object to this! In my mind offering freebies in exchange for an email address for my mailing list is a business decision and should not be regulated by a legal mandate. Here is what the GDPR says about explicit consent:

  • Consent means offering individuals genuine choice and control.
  • Don’t use pre-ticked boxes or any other method of consent by default.
  • Avoid making consent a precondition of a service.

This caused me some frustration as I had only recently introduced free opt-ins to grow my mailing list and it was working! I tried making the consent mandatory for freebies but after speaking to a couple of fellow designers I had to concede that this is not legal under GDPR. Sigh. So I decided to put the horse back in front of the cart and rather than leading people in via an opt-in I made my newsletter the main attraction and am offering my freebies as optional resources that subscribers can freely choose or not.

→ I wrote a separate post on Lead Magnets and GDPR compliant sign-up forms. It has a free GDPR checklist as well.

1.2 Mailchimp form for all subscriptions

I stopped using the Squarespace newsletter and form blocks and opted for the Mailchimp GDPR enabled sign-up form instead, which has the right kind of language for the required permission, data transfer and the consent check box. By using the Mailchimp form I don't have to display all of this in my newsletter sections which would be really ugly. Plus, using the Mailchimp form also makes it very easy for subscribers to select and receive their optional resources. As and when Squarespace update their forms to make them compliant I may go back with them. But until then I am very happy with the Mailchimp solution. ↑ The link above also explains my Mailchimp sign-up sequence in more detail.

1.3 No Automatic Mailing List Subscription at Checkout

I unchecked "Check Subscribe by default" on the Squarespace checkout page as that is a big NO now under GDPR rules. Customers can still subscribe to my newsletter at checkout but they have to explicitly choose to do so, and I also turned on the double opt-in for this one.

New! You can now add custom text next to the checkbox. Make sure it says that people can unsubscribe at any time and add a link to your Privacy Policy; both are required under GDPR. To add this go to > Settings > Checkout > Select a Mailing List.

1.4 Double Opt-In Marketing Pop-Up

You cannot add a consent checkbox on the marketing pop-up so I enabled the Mailchimp double opt-in for this one, too. 

1.5 Re-Consenting Existing Lists

There is also the question about getting new consent from existing subscriber lists under GDPR. The ICO Consent Guidance says that "you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard."  

According to this article you have two options: 

1. Get fresh consent

As of writing this there is no straightforward process for this; Mailchimp suggests exporting your list, deleting it and then emailing a new subscriber link to the exported contacts via your own email program.

2. Review your existing process and decide reconsent is not needed

At first I thought that I could get away with this option. I did use double opt-in for most of my subscribers; however, I changed that to single opt-in when Mailchimp introduced that as the standard feature, so not every subscriber is covered by the double opt-in.

After much back and forth agonising over this I decided to make a fresh start and ask for reconsent.

This pains me a lot as I only recently got to over 1,000 subscribers and I estimate that I will lose at least half of those, if not more. Because that's the nature of the beast called email marketing, many people subscribe to get a freebie but are not interested in further content. And that's exactly why I decided to do this: I only want to send my Studio Notes to those who genuinely want to receive them because they are interested in my humble musings and generous offers.

Here is how I am doing this:

  1. Until May 25 I will add a paragraph at the bottom of every Studio Notes letter asking subscribers to update their settings. A lot have already done this with the last letter I sent out, thank you!
  2. I will send a few more newsletters like this and also a couple of emails just asking to update the settings and nothing else. 
  3. On May 25 everyone who has not changed their settings to "I agree" will be deleted from my list. I am using segmentation to do this. 

Mailchimp offers a template for the reconsent. When you create a new campaign and get to the template selection go to > Themes > Subscriber Alerts and select the one for GDPR. I adapted Mailchimp's provided text for my own needs; click here to see a copy of my reconsent letter.


2. Selling products? Get a Contract.

When selling products I use the lawful basis of a Contract and as such I want customers to agree to my Terms & Conditions (also known as Terms of Service) at checkout which is basically a contract.

Note: the Privacy Policy forms a part of the Terms & Conditions agreement.

In Squarespace, while you can list links to your policies at checkout, there is no explicit verbiage saying that you agree to the terms when you hit the purchase button. There is no option for a consent checkbox, either, and you cannot add one to the custom checkout form because the consent box has to be shown after the links to your policies and the custom form is completed before you get to the policies.

I have contacted Squarespace about this and am waiting for their reply. I am confident that they will address this appropriately.

I also use Moonclerk for payment plans and they have a consent checkbox.



Step 2: Update Your Privacy Notice

First of all: According to James Chiodo from www.DisclaimerTemplate.com we should NOT call it a Privacy Policy but rather Privacy Notice. Apparently that is the correct legal term. Good to know!

This one also caused me a good amount of agony. I already had a pretty tight Privacy Notice and at first tried to just update that myself. But who am I kidding? I am not a lawyer and even though the GDPR - rightfully - demands that our policies are written in a clear and plain language this was more than I wanted to bite off myself.

In my previous post on the subject I mentioned a service offered by Marbral Advisory called GDPR Playbook and if you're looking for something super comprehensive (their playbook goes way beyond just the Privacy Notice) and personal support this could be just what you need. Alas, at £1,500 for the basic package this is too expensive for my one-person business. 

Thankfully one of my BizBox participants (thank you Shea!) recommended an online service that specializes in attorney-drafted website and compliance documents, and their privacy policy is GDPR compliant. Bingo! I purchased their Big-3 Package which contains a Privacy Notice, Terms and Conditions and Disclaimer. I went with the $129.90 option because I like the idea of getting yearly updates to my policies. But you can purchase just the Privacy Policy for $59.95. So now my Privacy Notice and Terms & Conditions are up-to-date and I can sleep again at night ;-)

I am not affiliated with James' service but can definitely recommend it.



Step 3: Get Your Data Processing Agreements (DPA)

"Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place." –– ICO GDPR Guidelines

This is something I am still working on. I currently have a direct agreement in place with Mailchimp and with Stripe. Mailchimp lets you do this online, and with Stripe I contacted their customer service department at privacy@stripe.com and they emailed me the DPA to sign online.

If you have Google Analytics you need to accept the Data Processing Amendment in your Analytics Account settings, click here for more info.

The GDPR also requires companies to document their data processes, but thankfully this is not mandatory for companies with fewer than 250 employees. Nonetheless, I took this opportunity to look at my own set-up and made a list of all the third party services my business uses that process my customers' data; it feels good to have an overview:

| 3rd Party | Reason for Data Collection | Data Collected | DPA |
|---|---|---|---|
| 17hats | Purchasing web design services | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Acuity Scheduling | Making Appointments | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Google Analytics | Website Traffic Analysis | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers. More info here. | ✔︎ |
| Mailchimp | Mailing List Subscriptions | Email Address | ✔︎ |
| Moonclerk | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| PayPal | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Squarespace | Mailing List Subscriptions, Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Stripe | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | ✔︎ |
| Zapier | Online Purchases, Opt-Ins | Email Address, City, Country | In Progress |


Conclusion

While the GDPR can feel intimidating and overwhelming for us small businesses I think it's important to remember the basis for all of this: the protection of our personal data.

Given all the data breaches over recent years I am ok with companies having to do their due diligence and even being governed when it comes to the collection and use of my personal data. As a business owner who processes personal data I want my customers and subscribers to feel assured that I am being responsible when it comes to my use of their data.

This is also one of the reasons why I am ultra careful when it comes to the third party services I use. There are so many companies out there these days who offer cheap services for processing data –– online payment platforms, membership plugins, marketing tools etc. –– but oftentimes, when I try to find out who is behind them, the information provided is sketchy at best. A good example of this is GoPaywall.com, a service I researched when I was looking for membership systems for my e-courses. Their privacy policy looks amateurish and lists no company name or address, there is no About page, and there is an overall lack of transparency. I remember doing some digging around at the time (their prices were very reasonable and I would have liked to use them) and eventually found a parent company that looked equally dodgy. When I reached out to their customer service through an online form I received a reply from a Gmail address. Why would I trust a company like that with the confidential data of my customers?

I stayed well clear of them, and that kind of diligence and care is my approach with any service I consider embedding into my business processes, especially when it comes to handling my customers' personal data.

Overall I feel a lot more confident now with regards to my GDPR compliance as a small business. I think I have put good measures into place to ensure my compliance. I am still working on getting the remaining DPAs (including Squarespace!) and I also hope that Squarespace will step up and adjust some of their forms so that we can add a consent box.

