Hmm... GDPR? What is that?
The General Data Protection Regulation (GDPR) is a new law that regulates how businesses collect, use and process data from EU citizens. Even if your business is located outside of the EU you are affected if you have EU customers who give you personal data, such as a name and email address.
GDPR comes into effect on May 25, 2018.
Many small business owners are quite confused as to what they need to do. Much of the GDPR language is aimed at large corporations but don't be fooled - even if you are a single person business you need to comply.
Some of the GDPR highlights:
- Explicit Consent
You will need to get explicit consent from your customer to collect and use their data. This could be updated language at data collection point and/or double opt-in.
- Use and Transfer of Data
You need to make it very clear to your EU customers how you are going to use their data. For instance, if you are transferring their data to a 3rd party (e.g. Mailchimp) you need to get their permission for this.
- Data Processing Agreement (DPA)
It is highly recommended to sign a Data Processing Agreement (DPA) with any 3rd party data processors you are working with. In my case this would be Squarespace, Stripe, PayPal, Mailchimp and 17hats. I already did this for Mailchimp and have requested DPAs from the others by writing to their customer support.
- Data Access
You must make information about their data easily available to your customers if they ask for it. And delete it if they request that.
Non-compliance can result in very high fines, like up to EUR 20 million! This is clearly aimed at large businesses but even as a small business you can get fined. Now how this would be enforced for non-EU businesses I don't know. And I don't worry about this too much, either. The main point of the GDPR is to protect private citizen data and there are already a lot of measures in place for this (like the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks), the GDPR just takes it up a notch.
- Anyone can Report you for perceived Non-Compliance
Regardless of whether someone is the victim of your alleged non-compliance or just a bystander (for instance a competitor!), apparently anyone can report you if they think that you are not compliant.
What about Squarespace?
They are working on it as we speak! A few points I am aware of:
- Consent at Check-Out
If you sell products through Squarespace there is an option at check-out where your customer can subscribe to your newsletter. You can currently turn this option on so that it's already checked by default, and the customer can just uncheck it again when they check out a product. This will no longer be considered compliant under GDPR. Until I know what Squarespace is doing about this, I will turn this option off.
- Consent at Data Collection Point
As for newsletter forms and general forms there is room for respective verbiage and I will update these as soon as I figure out what exactly to say. Hopefully Squarespace will offer some guidance here, too, and I know that Mailchimp is already working on this so I will be watching out for that as well.
- Data Processing Agreement
Squarespace does have a European Economic Area Data Processing Addendum which you can find here. They are still working on all of this with regards to GDPR specifically and I will update this post accordingly as and when new information comes out.
At this point I am gathering as much information and understanding about GDPR as I can and as such I have collected some useful links:
- Best article I've read on the subject
- GDPR Quiz - how ready are you?
- Mailchimp: Tools to help with GDPR
- Mailchimp: Getting ready for GDPR
- Mailchimp: Data Processing Agreement (DPA)
- Mailchimp: General GDPR info (PDF with clear language and very helpful)
- What does GDPR mean for Small Businesses?
- Information Commissioner's Office (ICO): GDPR Checklist for Data Controllers
- GDPR Implications for Growth Hackers, Marketeers, Product Owners and Lead Generators
What to Do next?
Ideally I just want an expert to look at my business and tell me what to do!
However, it is actually illegal to hire someone to do this FOR you but you can hire an expert to advise you on what to do where. This is why larger companies now have to hire a dedicated Data Protection Officer. As for my own small business, I would just appreciate some hand-holding through the process! After much deliberation I will probably go with this service:
At this point I must give a big shout-out to Jo Buchanan who is the Head of Communications at Marbral Advisory and who has been most helpful and informative on this subject in the Squarespace Circle Forum. I've requested a quote from Marbral and hopefully this is an affordable service and I can just implement what's needed and then get on with my life! :)
P.S. Just in case you're wondering about the photo, that's the city's main courthouse in my hometown Cologne in Germany :)
Disclaimer: I am NOT a legal expert and this post does not constitute legal advice.