What do you need to do for the GDPR as a small business owner?

GDPR Compliance for Small Business owners by the Society for Creative Founders

Over the last few weeks, you may have noticed a tremendous influx of emails to your inbox from companies telling you they are updating their Privacy Policy and Terms of Service. This week, you are probably going to get even more of these, because this is all for GDPR compliance, which goes into effect this upcoming Friday, May 25th.

Before I go any further, I am not a lawyer. This is NOT legal advice, but rather a reference post designed to share with you what we have found you need to do. For your specific business, please consider consulting your business attorney to ensure you have done everything you need to do.

Last week, Kelly Parker Smith of Hello World Paper Co and the Creative Biz Rebellion and I were both working through all of this. Once we realized we were both doing it, we teamed up so that we could help each other out, sharing the articles we found most helpful back and forth. So today, we wanted to share with you what we found helpful, from sources we trust and ones that were written in a way we could understand.

This is a lengthy post but we hope you will find it helpful.  If you have any questions, please comment below and we will answer as we are able to.

GDPR is short for the General Data Protection Regulation, a regulation created to give people residing in the EU control over their personal data and to make them more aware of what personal information people and businesses are collecting when they visit a website. For an in-depth explanation, see this page here.

This also needs to be addressed if you have an email list: you must make clear what people will receive if they request a free download, and you need to give them the option to be subscribed to your email list. Gone are the days of offering a freebie on your blog or website and simply adding people to your list automatically. You now need to ask for permission to do so with an additional checkbox in the opt-in form.

The countries that are in the European Union are Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.

Basically, this applies to anyone who
(a) sells to the European Union, or
(b) markets to people in the EU (this includes accepting their currency when they buy from your shop), or
(c) has a website that is available for anyone in these countries to view.

That last one is the reason that every single one of us needs to make changes. Whether your website is a stand-alone site or you have an Etsy shop, you need to have three things in place: a privacy policy, terms of service, and a cookies notification if you use cookies on your site.

Now you may be reading this and thinking “I don’t have clients there, I only market to people in the US.” BUT, if your website can be accessed by anyone in these countries, yes, this applies to you.

You may also be reading this and thinking “I don’t sell anything to those countries, I only sell to shops in the US.” But again, if your website can be accessed by anyone in these countries, yes, this applies to you.

A lot of people have been telling me that this is stressing them out and that they’re reading more information than they can process. I want to note that this is not something that needs to stress you out; it’s simply something that needs to be done by every business owner who has a website. Depending on how much you have to do, I would recommend setting aside anywhere from 1-5 hours this week to do what you need to do.

For the remainder of this post, we are going to keep it reference-based. We hope that it helps you!

To learn more about the GDPR in general, here are two places to start:

By Friday, May 25th of 2018, you need to make sure that you have and do these things:

(a) a GDPR compliant Privacy Policy + Terms of Service page on your website
(b) GDPR compliant opt-in forms for people who can be added to your email list on your website
(c) go through and segment/email those who are already on your list who live in the EU
(d) a Cookies pop-up notification on your website

Now you may be thinking, “Meh, I don’t need to do this.” The fact is that yes, you do. Every single person who has a website, no matter where they are located in the world, needs to have these things up. Even if you’re just getting started, even if you don’t have an email list yet.

Think of it as building an even stronger foundation for your business and being more transparent with people, so that they know exactly what you are doing with their information when they visit your site. Do we really need to hide that we are tracking which links are visited and what people are reading? No, we don’t. I’m not saying that we are going to keep a list of exactly what specific people are reading, but we are keeping track of how many people read which post, and your website analytics show you where those website visitors came from. This is why you need a privacy policy and a cookies notification in place.

Isn’t Squarespace / Wordpress / Etsy going to take care of this for me?

The short answer is no. You need to do this for your own website, because every person’s website is different in the information it collects.

Isn’t Mailchimp / ConvertKit / Leadpages going to take care of this for me?

Again, no. You need to go into your account settings for these services and make the adaptations needed for your specific business.

Your Website

(a) create a privacy policy + terms of service page
(b) enable a Cookies Pop-up

What is a Privacy Policy?

A privacy policy simply tells visitors to your site what you collect and what you do with it. It is required by law that you have one on your website (so if you don’t have one, that needs to change immediately!), and having one that is GDPR compliant by Friday, May 25th, is required by international law. I don’t know about you, but I don’t want to think that my website is breaking laws.

It doesn’t matter what you do, whether you are a shop owner, a photographer, a hair stylist or even a dog walker. If you are collecting information from people on your website, you need to have a Privacy Policy in place.

The information you collect may include their name, email, location, etc., depending on what you collect. For example, if you have a shop, you collect their name, address, payment information, sometimes their phone number, etc. Even though people give this to you at checkout, your privacy policy needs to state that you have it and how long you keep it.

If you are in need of a Privacy Policy, here are a few suggestions for you:

Cookies? What are Cookies?

You may have noticed today, when you first visited our site, that there is now a Cookies pop-up, where you can choose to read the policy or click the X to make it go away. Once people click that X once, it won’t appear again. A Cookie Policy basically tells people what you are tracking and how you can connect further with them. For example, if you use Facebook Ads or Pixels, if people write blog comments, or if you use Google Analytics, you need to disclose it in a cookie policy. Have it as a pop-up at the very top of your website so that people see it when they get there. You need to have a short and simple page with this information for your readers, separate from your privacy policy.

For those of you who are Squarespace users, add a Cookie Banner to your website here, or, if you want to go one step further and are familiar with Custom CSS and want to change the look of it, see this article here.

Your Email List

Email List To-Dos:
(a) segment your list
(b) email everyone with your updated privacy policy + terms of service

Why do I want to do this, my list is going to shrink because people won’t see the email!

Ok, now let’s chat about this. Think about it this way: if they don’t see your email, or they aren’t consistently reading your emails, do you really want to have them on your list just to have a higher number? If you run this and your numbers go way down, that’s not necessarily a bad thing, because you want to be delivering content to the people who will read it.

You need to look at this as an opportunity to clear your list of people who aren’t reading your content, and thus your open rates will be higher. I know some people will disagree with me for saying this, but it is better to have a smaller list of people who are engaged with your content and opening all of your emails than a large list of people who never open them. If you’re pouring your heart into what you do, you don’t want people to simply be on your list. You also want them to be engaged with you.

How do I segment my list if I use ConvertKit?

This article was the one we found most helpful in doing so. Send out an email to those people who fall under the GDPR, and remove anyone who hasn’t confirmed by 5/25 from your list.

How do I segment my list if I use Mailchimp?

  • Here is a general article for you to reference first. What we found is that Mailchimp does not have the entire EU as a location listed, so you need to create a segment within your email list that tags each person with a location, which is determined by their IP address. Or, you can go the other direction and just send everyone on your list an email with your updated privacy policies, and give them the option to either accept the new policies or be removed from your list.
  • Here is an article on the tools that Mailchimp has released to help you as well. They now have checkboxes available in forms and explain how to handle data requests, etc.
  • Here is how you can update your forms within Mailchimp to make them GDPR compliant. Please note, for every place you have a form on your website, you will need to update the form! So if you are on Squarespace, you need to re-embed each form so that the correct one shows.

What do I need to do if I use Leadpages?

Here is a helpful article we found for what you need to do if you use Leadpages.

Your Shop

Your Shop To-Dos:
(a) update your privacy policy + terms and conditions

You need to remember that just because you have a shop on a platform, especially if it’s Etsy, you are still responsible for communicating to your customers what you do with their information. It is your responsibility as a business owner to have a compliant privacy policy on your shop, even if it is on Etsy.

  • Etsy Shop Owners - If you need a Privacy Policy, Etsy has created one HERE that you can literally copy and paste into your shop; just make sure to make the necessary changes so that it fits your specific shop!
  • Shopify Users - If you need a Privacy Policy generated, Shopify has created one HERE that you can use.
  • WooCommerce Users - here is a helpful collection of articles on what you need to do for your specific shop.

And that’s everything you need to do. So, please don’t panic about this. Just take the time to make this happen sometime this week. Set aside some time to do the following:

1. Create or update your Privacy Policy + Terms of Service on your website and your shop
2. Create or update your Cookies Policy on your website
3. Update what you need to for your Email List and Forms

And you’ll be good to go! I hope that you found this post helpful today. Please comment below if you have any further questions. Once you have your things set, you’ll be on your way to being more transparent with the people who visit your website and being 100% GDPR compliant.