Disclaimer: I am not a legal expert and this post does not constitute legal advice.
So. GDPR. Is your head spinning yet? I don’t even know why I care so much about this. While I am an EU citizen I no longer live there and the majority of data processed through my business is from non-EU peeps. Plus, I am just a one-woman business and it’s easy to shrug my shoulders and say I’m too small to care about this.
Alas, GDPR affects anyone who collects and processes data of EU citizens, regardless of where your business is located or how big your business is. And I do have some lovely EU clients and subscribers, so I took it upon myself to browse dozens of articles and educate myself on GDPR. Here are the highlights that jump out at me; read my previous blog post for further details.
The General Data Protection Regulation (GDPR) is a new law that regulates how businesses are collecting, using and processing data from EU citizens. It comes into effect on May 25, 2018. Click here for more info.
You need a lawful basis for collecting and using personal data. There are six lawful bases and in my case I am using explicit consent at data collection point as well as contract for purchases.
Data Processing Agreement
If you use third party data processors (Stripe, PayPal etc.) you need a contract with them that addresses the nature and purpose of the processing and everyone's responsibilities and liabilities. This contract is generally referred to as the Data Processing Agreement (DPA).
Non-compliance can result in high fines, even for small companies and even if your company is based outside the EU. As long as you process data of EU citizens you are liable. My question: How is this enforced? According to this article "EU regulators can fine U.S. companies for violating GDPR, and they can do it with the help of U.S. authorities." While I don't think that small one-person businesses are high on the authorities' radar, this doesn't mean that we should be complacent about any of this.
Anyone Can Report You
I have not been able to find a written English backup for this statement. I heard about this in a German law forum that specialises in GDPR. According to them anyone can report you for perceived non-compliance, even if they are not a victim of your alleged non-compliance. So if anyone knows more about this and can point me to a reliable source I'd be grateful. I'm mentioning it here because it's just one more thing to be aware of.
My 3 Steps to Compliance
Step 1: Create a Lawful Basis
You need a lawful basis for data collection and Explicit Consent and Contract are the ones I am using for my mailing list subscriptions and product purchases respectively.
1. Get Consent
1.1 Bye Bye Lead Magnets, Hello Free Resources
Under GDPR you cannot offer an opt-in or lead magnet and automatically add subscribers to your mailing list! Neither are you allowed to make the mailing list subscription a condition of receiving a freebie. I can't even tell you how much I object to this! In my mind offering freebies in exchange for an email address for my mailing list is a business decision and should not be regulated by a legal mandate. Here is what the GDPR says about explicit consent:
- Consent means offering individuals genuine choice and control.
- Don’t use pre-ticked boxes or any other method of consent by default.
- Avoid making consent a precondition of a service.
This caused me some frustration as I had only recently introduced free opt-ins to grow my mailing list and it was working! I tried making the consent mandatory for freebies but after speaking to a couple of fellow designers I had to concede that this is not legal under GDPR. Sigh. So I decided to put the horse back in front of the cart and rather than leading people in via an opt-in I made my newsletter the main attraction and am offering my freebies as optional resources that subscribers can freely choose or not.
1.2 Mailchimp form for all subscriptions
I stopped using the Squarespace newsletter and form blocks and opted for the Mailchimp GDPR-enabled sign-up form instead, which has the right kind of language for the required permission, data transfer and the consent checkbox. By using the Mailchimp form I don't have to display all of this in my newsletter sections, which would be really ugly. Plus, using the Mailchimp form also makes it very easy for subscribers to select and receive their optional resources. As and when Squarespace update their forms to make them compliant I may go back to them. But until then I am very happy with the Mailchimp solution. The link above also explains my Mailchimp sign-up sequence in more detail.
1.3 No Automatic Mailing List Subscription at Checkout
I unchecked "Subscribe by default" on the Squarespace checkout page as that is a big NO now under GDPR rules. Customers can still subscribe to my newsletter at checkout but they have to explicitly choose to do so, and I also turned on the double opt-in for this one.
1.4 Double Opt-In Marketing Pop-Up
You cannot add a consent checkbox on the marketing pop-up so I enabled the Mailchimp double opt-in for this one, too.
1.5 Re-Consenting Existing Lists
There is also the question about getting new consent from existing subscriber lists under GDPR. The ICO Consent Guidance says that "you are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard."
According to this article you have two options:
1. Get fresh consent
As of writing this there is no straightforward process for this. Mailchimp suggests exporting your list, deleting it and then emailing a new subscriber link to the exported contacts via your own email program.
2. Review your existing process and decide reconsent is not needed
At first I thought that I could get away with this option. I did use double opt-in for most of my subscribers, however I did change that to single opt-in when Mailchimp introduced that as the standard feature so not every subscriber is covered under the double opt-in.
After much back and forth agonising over this I decided to make a fresh start and ask for reconsent.
This pains me a lot as I only recently got to over 1,000 subscribers and I estimate that I will lose at least half of those, if not more. Because that's the nature of the beast called email marketing: many people subscribe to get a freebie but are not interested in further content. And that's exactly why I decided to do this: I only want to send my Studio Notes to those who genuinely want to receive them because they are interested in Squarespace news and tips as well as my popular deeper musings on running a heart-centered online business.
Here is how I am doing this:
- Until May 25 I will add a paragraph at the bottom of every Studio Notes letter asking subscribers to update their settings. A lot have already done this with the last letter I sent out, thank you!
- I will send a few more newsletters like this and also a couple of emails just asking to update the settings and nothing else.
- On May 25 everyone who has not changed their settings to "I agree" will be deleted from my list. I am using segmentation to do this.
Mailchimp offers a template for the reconsent. When you create a new campaign and get to the template selection go to > Themes > Subscriber Alerts and select the one for GDPR. I adapted Mailchimp's provided text for my own needs; click here to see a copy of my reconsent letter.
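The segmentation described above, as an added example that is not part of the original post and not Mailchimp's own tooling: it assumes a constructed CSV export with made-up column names (optin_method, optin_time, gdpr_marketing, gdpr_time), since real export headers vary, and it keeps a small consent record (who, when, how, what) for everyone who clicked "I agree", so the consent can be evidenced later.

```python
import csv
import io

# Constructed Mailchimp-style export with constructed addresses; the column
# names are assumptions for this example, not Mailchimp's real export headers.
SAMPLE_EXPORT = """email,optin_method,optin_time,gdpr_marketing,gdpr_time
anna@example.com,double,2017-03-02T10:15:00Z,I agree,2018-05-02T18:20:00Z
ben@example.com,single,2018-01-20T08:00:00Z,,
cara@example.com,double,2016-11-11T12:30:00Z,,
dev@example.com,single,2018-05-10T09:45:00Z,I agree,2018-05-10T09:45:00Z
"""

GDPR_DEADLINE = "2018-05-25"  # ISO dates compare correctly as plain strings


def parse_export(text):
    """Parse a CSV export into a list of row dicts (missing cells become '')."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, today):
    """Segment subscribers for the reconsent campaign.

    keep:   explicit "I agree" recorded; a consent record is built for them.
    remind: no explicit consent yet and the deadline has not passed.
    delete: no explicit consent on or after the deadline: remove from list.
    A past double opt-in is deliberately NOT treated as GDPR consent here,
    because not every subscriber on the list was collected that way.
    """
    segments = {"keep": [], "remind": [], "delete": []}
    for row in rows:
        if row["gdpr_marketing"].strip().lower() == "i agree":
            segments["keep"].append({
                "who": row["email"],
                "when": row["gdpr_time"],
                "how": "update-profile form, 'I agree' checkbox",
                "what": "Studio Notes newsletter",
                "original_optin": row["optin_method"],
            })
        elif today < GDPR_DEADLINE:
            segments["remind"].append(row["email"])
        else:
            segments["delete"].append(row["email"])
    return segments


if __name__ == "__main__":
    for label, members in triage(parse_export(SAMPLE_EXPORT), "2018-05-25").items():
        print(label, members)
```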
2. Selling products? Get a Contract.
When selling products I use the lawful basis of a Contract and as such I want customers to agree to my Terms & Conditions (also known as Terms of Service) at checkout which is basically a contract.
In Squarespace, while you can list links to your policies at checkout, there is no explicit verbiage saying that you agree to the terms when you hit the purchase button. There is no option for a consent checkbox, either, and you cannot add one to the custom checkout form because the consent box has to be shown after the links to your policies and the custom form is completed before you get to the policies.
I have contacted Squarespace about this and am waiting for their reply. I am confident that they will address this appropriately.
I also use Moonclerk for payment plans and they have a consent checkbox.
Step 2: Update Your Privacy Notice
This one also caused me a good amount of agony. I already had a pretty tight Privacy Notice and at first tried to just update that myself. But who am I kidding? I am not a lawyer and even though the GDPR - rightfully - demands that our policies are written in a clear and plain language this was more than I wanted to bite off myself.
In my previous post on the subject I mentioned a service offered by Marbral Advisory called GDPR Playbook and if you're looking for something super comprehensive (their playbook goes way beyond just the Privacy Notice) and personal support this could be just what you need. Alas, at £1,500 for the basic package this is too expensive for my one-person business.
I am not affiliated with James' service but can definitely recommend it:
Step 3: Get Your Data Processing Agreements (DPA)
"Whenever a controller uses a processor (a third party who processes personal data on behalf of the controller) it needs to have a written contract in place." –– ICO GDPR Guidelines
This is something I am still working on. I currently have a direct agreement in place with Mailchimp and with Stripe. Mailchimp lets you do this online, and with Stripe I contacted their customer service department at email@example.com and they emailed me the DPA to sign online.
If you have Google Analytics you need to accept the Data Processing Amendment in your Analytics Account settings, click here for more info.
The GDPR also requires companies to document their data processes, but thankfully this is not mandatory for companies with fewer than 250 employees. Nonetheless, I took this opportunity to look at my own set-up and made a list of all the third party services my business uses that process my customers' data. It feels good to have an overview:
| 3rd Party | Reason for Data Collection | Data Collected | DPA |
| --- | --- | --- | --- |
| 17hats | Purchasing web design services | Full Name, Email Address, Billing Address, Phone Number, Credit Card | ✔︎ |
| Acuity Scheduling | Making Appointments | Full Name, Email Address, Billing Address, Phone Number, Credit Card | ✔︎ |
| Disqus | Blog Post Commenting | Email Address (optional), Name (optional) | ✔︎ |
| Google Analytics | Website Traffic Analysis | Online identifiers, including cookie identifiers, internet protocol addresses and device identifiers; client identifiers. More info here. | ✔︎ |
| Mailchimp | Mailing List Subscriptions | Email Address | ✔︎ |
| Moonclerk | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| PayPal | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Squarespace | Mailing List Subscriptions, Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | In Progress |
| Stripe | Online Purchases | Full Name, Email Address, Billing Address, Phone Number, Credit Card | ✔︎ |
| Zapier | Online Purchases, Opt-Ins | Email Address, City, Country | ✔︎ |
While the GDPR can feel intimidating and overwhelming for us small businesses I think it's important to remember the basis for all of this: the protection of our personal data.
Given all the data breaches over recent years I am ok with companies having to do their due diligence and even being governed when it comes to the collection and use of my personal data. As a business owner who processes personal data I want my customers and subscribers to feel assured that I am being responsible when it comes to my use of their data.
I stayed well clear of them, and that kind of diligence and care is my approach with any service I consider embedding into my business processes, especially when it comes to handling my customers' personal data.
Overall I feel a lot more confident now with regards to my GDPR compliance as a small business. I think I have put good measures into place to ensure my compliance. I am still working on getting the remaining DPAs (including Squarespace!) and I also hope that Squarespace will step up and adjust some of their forms so that we can add a consent box.