GDPR – What is it and should you panic?

If you’ve noticed a flurry of emails in your inbox lately from companies informing you of updates to their terms of use and privacy policies, or a slew of fear-mongering articles and blog posts about what to do now that email marketing is dead, you may be wondering just what the GDPR is.

In short, the GDPR – General Data Protection Regulation – is a law passed by the European Union in April 2016 that restricts how companies can gather, keep, and process personal data (including names and email addresses). The regulation becomes enforceable as of May 25, 2018.

Who is affected by the GDPR?

Because the regulation was passed by the European Union, it applies to any company that has (or may potentially have in the future) personal data for anyone in the EU. Since the EU counts 28 different countries among its members, that’s a significant number of people.

So, does the GDPR affect you? If you have contacts, customers, or prospects from any of these countries, it’s time to pay attention. If you have personal data about citizens from any EU member country (and remember, personal data can be as simple as a name and email address!), or you plan to do business with people from any EU country, you’ll need to comply with the GDPR.

Why was the GDPR passed?

The GDPR updates and replaces a piece of legislation that is twenty years old – the Data Protection Act of 1998. And if you’ve paid attention to anything in the last couple of decades, you should be well aware that a lot has changed with regards to technology, privacy, and data collection.

There is a lot of fear mongering out there about the GDPR having huge repercussions for businesses. And if you’re running a very large business, a Facebook or Amazon, you’ll certainly need to put a lot of work into ensuring that you’re in compliance with the new regulations.

But small and medium businesses who have been using email marketing in an ethical way won’t see a tremendous impact from the regulation. That’s because, at its core, there is a very simple principle behind the GDPR: don’t be a jerk.

If you’re sending marketing emails to every person you’ve ever met at a networking event, even if the extent of your interaction was simply passing business cards around a table, you’re being a jerk.

If you’re buying lists of email addresses off the internet to send your newsletter to people who’ve never even heard of your business, you’re being a jerk.

If you’re making people opt-out of your marketing through a check box with tiny text at the end of a long download page for a free report, you’re being a jerk.

And if you’re not actually unsubscribing people when they click the “unsubscribe” link in your marketing emails, you’re being a big enough jerk that you may actually get hit with some fines.

How does the GDPR affect me?

The sanctions that the GDPR can put in place for companies that ignore its rules are significant: fines of 2-4% of annual worldwide turnover, or 10-20 million euros. But despite the sensational articles that make it seem like every mom-and-pop shop in the world is suddenly going to owe thousands of euros in fines, the reality of the situation is that most companies will be able to make minor changes and be just fine.

After all, the goal of the GDPR is not to put thousands of people out of business – it’s to help citizens of the EU deal with the inundation of spam and junk mail, and prevent companies from keeping tons of personal data that they don’t actually need (and can’t reasonably secure from hackers). Even if you don’t yet do business in the EU, it’s worthwhile to start considering changes to your privacy and data retention policies, as the US and Canada are likely to impose similar restrictions in the coming decade.

Wondering what you need to do about the GDPR in your business? Here are a couple of steps you should take now:

  • If you’re collecting email addresses, whether it’s for a lead magnet or an “event” like a webinar or live video, you need to make your privacy policy clear up front. That means available to prospects before they subscribe, ideally linked right from the opt-in form. You’ll need to spell out exactly what data you’re collecting and why, as well as what you’ll be doing with it and whether you’ll be transmitting it to third parties (and if so, who they are and what they’ll be doing with the data). The GDPR requires you to send your Privacy Notice to your subscribers to confirm with them how you collect and process their personal data, for what purposes you use their data, how you keep their data secure, and their rights in relation to such data.
  • Collect only the data that you need and can use now. If all you’re sending out is a downloadable PDF, you probably don’t need DOB, physical address, industry, income, etc. Far too many businesses in the past have made a habit of collecting as much information as they were able to, with no clear plan for how to store, safeguard, or even use that data. New GDPR regulations make it clear that you need to have a reasoning behind everything you’re asking for on your opt-in form, and if you’re just data-gathering for the sake of data-gathering, you will not be in compliance with the new regulations. If there is data that you would like (and don’t need), make that clear: e.g. “Answering the following questions is optional, but will help us better tailor our marketing messages to your needs.”
  • Keep your data accurate and up to date. Have a lot of emails bouncing or returning as undeliverable? Time to purge them from your list. Similarly, if you haven’t sent out any email marketing in a long while, or you’ve started up a whole new product line, you can no longer assume that people who received your old emails automatically want to receive the new ones.
  • Only send marketing emails to people who actually want them. You can no longer have people automatically opted-in to receive emails whenever they fill out a contact form on your website, nor can you send messages to anyone who you’ve ever done business with (outside of transactional messages) if they haven’t opted in to receive marketing communications.
  • Make it easy to stop receiving your emails. Most companies use automated email systems like MailChimp and MarketVolt to take care of this automatically. But if you’re still using a manual system to send out your emails, you need to be very on the ball about removing unsubscribe requests from your list as soon as they come in. Many of the significant fines issued by the Information Commissioner’s Office (ICO) under the Data Protection Regulation in the past several years have been due to improper handling of people who wish to unsubscribe from marketing emails.
  • Use Facebook wisely. If you use Facebook Pixels to retarget advertising, you must have a cookie policy that spells out what cookies are being used on your website. And if you use, or plan to use, your contact list emails to create a target audience for a Facebook ad, you must include that disclosure in your privacy policy.
  • Check to make sure your data processors are GDPR compliant. These could include your email automation programs (like MailChimp, Aweber, Constant Contact), as well as your CRMs (think Infusionsoft, Ontraport), your payment processors (Stripe, PayPal, etc.)… essentially any system that processes your customer data should comply with the new regulations.

Does the GDPR spell disaster – or opportunity?

For all the uproar over the new regulations, many of the requirements of the GDPR make a whole lot of sense from a consumer perspective. And while many smaller businesses may have to tighten up their data use and retention policies a bit, there is an upside as well: with the GDPR in place, the playing field between ethical and unethical businesses becomes a little bit more even.

If you’ve been relying on spamming as many people as possible with offers for your business, the GDPR will certainly have a negative impact on what you’re doing (as it should!). But if you’ve been cultivating real relationships with your prospects, creating content that your mailing list will value, and ensuring that you’re marketing to people who are excited to learn more about your business, you don’t have to worry – you’re already doing business right.

Want more details about what the GDPR means for your business, or a little reassurance that you’re handling everything correctly? At WPBlogsites, we don’t just create amazing websites for our clients – we help them ensure that they have the technical expertise and effective marketing in place for long term success. To learn more about what we can do to help your business grow, schedule a consultation today.

(Note: This article does not contain legal advice. To ensure that your business is in full compliance with any regulations, please seek the advice of your legal counsel.)


  1. Thanks for this great info, Sandra — very clear! Question: is there a template somewhere that I could adapt for my own website? Like a “plug-and-play” kind of thing where I alter my specific details but the basics are already there?

  2. Great overview Sandra! As I’m based in Europe and have a couple of businesses, I’m dealing a lot with GDPR. One of the most important aspects (and still very few people know it) is that it’s also valid for existing leads/customers. So if a biz owner had a sign up form about a freebie where people signed up and it was not mentioned explicitly that this would also involve marketing emails, NOT only the delivery of the freebie, that’s NOT GDPR-compliant, so they need to get re-consent from all those leads.

    And – this one is also important – the re-consent cannot be a pre-checked button, people have to click on that option themselves.

    While this whole GDPR-thing is a real pain for business owners to go through, especially if it’s coupled with losing hundreds or thousands of subscribers, just imagine, you’ll end up with a more streamlined and more interested list.

    For those biz owners who decide so, they can also exclude European traffic, but make sure that your marketing is congruent. I was recently lured into a 14-day trial via a Facebook ad and so much liked the service that I wanted to buy the service. Until I found out that European clients were not accepted. No probs, it’s just that they could have better targeted their Facebook ad campaign, to exclude Europeans…
