
How to Risk-Proof Your Business from GDPR

So, what the hell is GDPR and why should I care?

This is a question you may be asking yourself after hearing whispers of the new General Data Protection Regulation going into effect on May 25th, 2018. As you know, we’re always doing what we can to look out for our main squeeze, our awesome tribe!

So here are some things you’ll need to know about the GDPR and how to risk-proof your business so you can continue to grow your email list and spread the word about your awesomeness without putting your company in harm’s way {unless you’re eagerly awaiting the day you get subpoenaed, in which case, more power to ya}.


What is GDPR?

GDPR stands for General Data Protection Regulation. It is new legislation that changes how businesses may collect and handle personal data from people in the European Economic Area (EEA).

Who does GDPR affect?

European AND non-European businesses that collect personal data from users in the EEA. This means that even if you are a U.S.-based business, if there’s EVER a chance that you’re collecting personal data (such as an email address via an opt-in form on your website) from any European resident, this applies to you.

What if I mostly deal with clients/customers in the U.S.?

You may be a low-risk company if this is the case, but be warned: if your website, landing page or any internet-based source collects personal data to deliver a product, a monthly newsletter, an automated update, a lead magnet/deliverable or anything else that requires someone to share personal data like an email address or phone number, you’ll likely want to implement some strategies to protect yourself, because it can be very difficult to tell exactly where your opt-ins are coming from geographically. {We think the "better safe than sorry" approach is a good one here.}

What are examples of low-risk companies?

  • Brick-and-mortar businesses that deal with or deliver only to their immediate area, such as pizza delivery companies or local flower shops.

  • Companies with websites or landing pages that have no opportunities to collect personal information (no email opt-ins, no order process, no contact forms, etc).

What happens if I fail to comply?

Violators could be fined up to a maximum of €20 million or 4% of annual revenue. The severity of the fine depends on the severity of the violation but, let’s be real...#NotWorthIt.

What do I need to do to comply?

1) Update your opt-in forms: Anywhere on your website or landing page where personal data is requested, you must state EXPLICITLY how that data will be used. For example, you can no longer use a lead magnet/deliverable opt-in to collect email addresses and then auto-enroll that person in your email marketing list; they must know EXPLICITLY that they will receive the deliverable AND be added to your email list.

2) Obtain active consent: You need to obtain ACTIVE consent before collecting data from users. To do this, you can choose one of the following options:

- A double opt-in for your email list.

- A checkbox (not pre-checked) that they agree to receive future marketing contact from you (along with any immediate deliverable you’re sending them, if applicable).

- A clear explanation that by opting in to the form, they will be added to your marketing list.

3) Confirm consent with your existing list: Sadly, this regulation does not exempt emails collected before the “effective” date. This means that if you slipped someone onto your email list on the sly after they provided info for a deliverable of some kind, you need to go back and confirm that they consent to be on your email marketing list, or give them the opportunity to opt out. If you have a reliable way to track where people are located, it’s only necessary to confirm consent with existing email subscribers from the EU or UK. If you don’t have a reliable way to determine this, your best bet is to confirm with your whole list.

4) Update your privacy policy: Privacy policies must now include information on how you collect data, why you collect it, how long you keep it, how it is stored, and more. In addition, your privacy policy MUST be linked in every location where you collect personal data on your website or landing page. For a more comprehensive list of the updates your privacy policy needs to contain, along with a link to download a pre-written privacy policy for service-based businesses, check out this GDPR checklist from Autumn Witt Boyd’s law firm here.

5) Implement a cookie notification: If you use the Facebook pixel or Google Analytics on your site or landing page to track visitors, you can no longer do so without explicitly notifying them. To make sure site visitors know you’re tracking this information, you can choose one of the following options:

- Visitors must navigate past a banner, notice or pop-up that informs them that you use these tracking systems and for what reasons, with a link to your full privacy policy.

- Visitors must dismiss a banner, notice or pop-up with the above information and a link to your privacy policy.

- Visitors must click on an “I agree” button with the above information and a link to your privacy policy as they enter your site.
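The "I agree" option above works best when the tracking scripts themselves stay unloaded until the visitor has actually agreed. The following is an added example (not code from the original post): it stores the visitor's choice, treats anything missing, malformed or older than a year as "no consent", and only then injects the tracker scripts. The tracker list, the storage key, the one-year re-ask period and the script URLs are all placeholders chosen for this example.

```javascript
// Consent-gated tracker loading (added example). Nothing tracking-related
// is injected on first paint; scripts load only after an "I agree" click.

// Placeholder tracker definitions: swap in the real pixel/analytics tags.
const TRACKERS = [
  { id: 'analytics', purpose: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'pixel',     purpose: 'marketing', src: 'https://example.invalid/pixel.js' },
];
const KNOWN_PURPOSES = ['analytics', 'marketing'];
const CONSENT_KEY = 'consent_v1';                  // localStorage key (placeholder)
const CONSENT_TTL_MS = 365 * 24 * 3600 * 1000;     // re-ask after one year (policy choice)

// Parse a stored consent record. Anything missing, malformed or expired
// is treated as "no consent", so the safe default is to load nothing.
function parseConsent(raw, now = Date.now()) {
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch (e) { return null; }
  if (!rec || typeof rec !== 'object') return null;
  if (!Array.isArray(rec.purposes) || typeof rec.ts !== 'number') return null;
  if (now - rec.ts > CONSENT_TTL_MS) return null;
  return rec;
}

// Build the record written when the visitor clicks "I agree". The purpose
// checkboxes on the banner start unchecked; only recognised purposes are kept.
function recordConsent(purposes, now = Date.now()) {
  const clean = purposes.filter((p) => KNOWN_PURPOSES.includes(p));
  return { purposes: clean, ts: now, policyVersion: 'privacy-policy-placeholder' };
}

// Which trackers may load for this record? With no record, none.
function allowedTrackers(rec, trackers = TRACKERS) {
  if (!rec) return [];
  return trackers.filter((t) => rec.purposes.includes(t.purpose));
}

// Inject <script> tags for the allowed trackers only. `doc` is passed in
// (normally `document`) so the gating logic can be exercised outside a browser.
function loadTrackers(doc, rec) {
  const allowed = allowedTrackers(rec);
  for (const t of allowed) {
    const s = doc.createElement('script');
    s.async = true;
    s.src = t.src;
    doc.head.appendChild(s);
  }
  return allowed.map((t) => t.id);
}
```

On page load, read `localStorage.getItem(CONSENT_KEY)` through `parseConsent`; show the banner when it returns `null`, and on the "I agree" click persist `JSON.stringify(recordConsent(...))` and call `loadTrackers(document, rec)`.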

6) Assess your vendors for GDPR compliance: Your company can be held responsible if you share data with any non-compliant vendors (i.e. your email automation provider, partner apps & widgets on your site such as “booker”, etc.), so make sure to check in with all your sources to confirm compliance, if applicable.

Important side note: If you have a website built through Wix or use Mailchimp as your email automation tool, you can rest assured that these companies are in compliance.


To learn more about the General Data Protection Regulation going into effect on May 25th, 2018, we found this list to be helpful and not impossible to follow.

Happy marketing!


DISCLAIMER: I am not a bona fide lawyer, nor do I claim to have a complete knowledge of all the nuances of the GDPR. This blog post is meant to help you implement the strategies I know of to protect your business, but is in no way a substitute for legit-status legal advice. If you are a high-risk business or simply want to make sure you’re extra squeaky-clean safe, we recommend consulting a professional who is fully educated in the GDPR.


Want more entrepreneurial advice, tips and tricks to accelerate your business?

Sign up for our email list here.

{We only send the good stuff.}