Welcome to the Business Bites podcast, the podcast for busy entrepreneurs, whether you’re an online entrepreneur or seeking after brick and mortar success. This podcast brings you quick bites of content so you can learn and grow anywhere you are. Now here’s your host, Rachel Brenke.
Hey guys, Rachel Brenke here with another quick episode of the Business Bites podcast. Everybody’s hair is afire with this GDPR stuff. In fact, to be completely honest, I’m really sick and tired, even as a legal person, I am sick and tired of getting all the emails of all the updates of people’s privacy policies, of all of the “Oh my God, what do I do?” Freak out. Freak out.
Now you guys know I’m a United States based attorney and a majority of my listeners are in the United States, and I talked in Episode 59 a little bit about the fact that we as U.S.-based businesses still need to be mindful of this GDPR stuff that’s coming, right? If you haven’t listened to the episode, the little crash course on it essentially is that GDPR is the General Data Protection Regulation. It is an EU, European Union, specific regulation when it comes to the receipt and storage of personal data.
That’s really important. That’s going to be the number one question that I want you guys to keep in your mind as we walk through this high level checklist for small business entrepreneurs, solopreneurs. Okay? Now, as I just said a second ago, this is a European Union regulation. The compliance drop dead date is May 25th. So you guys are staring down the deadline of that.
However, United States companies, listen to me. The first question I just had you ask yourself was, am I receiving information and am I storing it? The answer is yes if you have a website and you have not blocked all European Union sites or accessibility from those countries, or maybe you are one of those that’s targeting overseas customers or marketing, whatever. Basically everyone, unless you’ve taken the steps to block EU countries, needs to be mindful of the GDPR compliance, this General Data Protection Regulation, and being in compliance, which again regulates the receipt of data, and data can be anything.
It can be personal information: first name, last name, email. It can be demographic data. It can be their IP. It can be their location. Google Analytics is a big tracker that almost every one of you is probably using. Your contact forms, your opt-in forms, everything. So yes, U.S.-based businesses, unless you’re going to take the steps to block these other countries, you need to be mindful of being at least somewhat compliant, if not in full compliance, with this.
Now, I’m a little preachy here today because I’m getting really frustrated for you guys listening to how “difficult and overwhelming” this seems to be so my goal with this episode is to break it down relatively easy for you all. I want you to understand that it’s really important that you look at what GDPR is requiring and take the steps to comply with it.
Now, let’s just take GDPR off the table for a second. Let’s just take out the fact that it’s an EU, European Union specific regulation. Let’s take out any of the push backs. You may be saying, “Well, it doesn’t matter. How are they going to enforce it on me?” Okay. The core elements, the core compliance requirements of GDPR do apply to you in these ways.
That is the number one low-hanging-fruit thing that United States based businesses can focus on getting implemented. I’m going to give you the next steps that you guys need here in a couple of minutes, but just know you’re gonna need to have proper terms in place. So go ahead and just snag GDPR compliant ones, especially if you need to update your stuff anyways, because, one, best business practice. Two, guess what? Many states are already requiring some of what GDPR requires. Mind blown, right?
I would lay money that the United States is going to start moving towards requirements much like this. As we move on in this technical age, guys, with the advances of technology and data mining, consumers are getting more and more wary about it. They want to know what information is being received, how it’s being received, how it’s being used, right? Be transparent with your audience. Be good business [inaudible 00:06:17]. Get in compliance with GDPR. Get in compliance with your state, but also be proactive and go ahead and get all these birds killed with one stone in order for you to be able to move forward confidently.
Because I will guarantee that much of what is in the GDPR and a lot of the existing state requirements is going to end up branching across America. So we need to make sure that we are not only being reactive, we’re not sticking our head in the sand on this GDPR stuff because you think it doesn’t apply to you. We need to move forward.
So what have we learned thus far? Okay. GDPR is EU based. Unless you’re going to block your site, you probably need to get compliant. I’ve also explained to you that the lowest hanging fruit, the simplest thing that you can do, is have a proper GDPR compliant terms bundle. Why? Good business. Gets you in compliance. Many states are requiring it and states are probably going to move towards it, and you’re going to build the consumer and visitor confidence by being transparent when people know what you’re doing with all their data.
So now that I said that, I’m going to give you guys the nice little high level checklist that many of you solopreneurs or small business entrepreneurs need to be mindful of. One of the problems with this whole GDPR craze is that you’re seeing these large impacts and these large blog articles coming out from these huge companies.
If you are not a company that is managing mass amounts of data, that’s not processing mass amounts of [inaudible 00:07:42], that’s not even necessarily running your own data storage. You’re not your own host. You’re not your own server. You’re merely using third party apps. This whole hype is not that big of a deal. I’m going to give you guys the easy steps here in a second to be able to fix and get easy compliance and make sure that everything is all protected. Okay?
Now, so stick with me here. Say it with me. I’m going to get in compliance for all the reasons that Rachel said. I’m going to get into compliance because I am a professional and this is what I should do for my visitors. So here are the quick steps that you need to be mindful of. First one, very simply, very interesting that I didn’t think that this still needed to be said, but you need to double check to make sure that your site has an SSL certificate.
All right, so here’s where I think it gets a little more finicky where people are freaking out. They’re like, “Okay, well how do I get in compliance? Is it what I’m doing with the data or is it when I’m taking the data?” It’s both. Okay. So let’s first look at our website. Let’s check out, because this is where all these EU companies or these EU customers or consumers are potentially going to come through us, through the websites that we have, right?
I’m talking about your stand-alone website, so let’s look at our server. Let’s look at our host. Are they in compliance? We’re going to run through all third party companies that we’re using in order to ensure they’re all in compliance. We’re also going to run through, if you’re on WordPress, all of our plug-ins and make sure all creators that are receiving data are in compliance.
Please pay special attention to the free plug-ins that may have not been updated for a couple of years or even low cost ones. Just because you had paid for it doesn’t necessarily mean that it’s going to be in compliance. So we want to make sure that we check all third party apps, that they’re going to be compliant and make sure we check all of our plug-ins to ensure that all creators that are receiving data are in compliance.
Because again, what is the threshold? What is the question that we’re asking ourselves? Are we receiving data and what are we doing with that data? So we want to ensure: are we using a plug-in that is sending data to another site? Is it sending it back to the creator? Are we using APIs and those sorts of things? Check your plug-ins. Check your third party apps. Super simple and easy.
You have to show them and then you have to delete at their request, unless you can maintain it under applicable law. That is basically what the data protection officer’s responsibilities are going to be. They also need, within the scope of that data protection officer, which can be you, especially if you’re a solopreneur, you’re already wearing many hats, you can do this as well. You need to identify what happens if I do have a breach. What are my steps going to be?
Another step that you need to take is you want to identify, and this isn’t necessarily I think a super big requirement, but if you guys listen to my other episodes, I’m a big proponent of having insurance. If you are a site that has taken very sensitive data and you’re not completely relying on third party apps, even still I probably would want a CYA. Check with your insurance companies and see if they have cyber-insurance terms written into the existing liability insurance you have, or see how much a rider would be.
This is a really good insurance policy to have because some of them allow for that if you have a data breach and you get sued, you could potentially be able to have your attorney’s fees recouped through the cyber-insurance. It can also look at paying your damages for you as well. So that’s something that you and the data protection officer, again it can be yourself, want to talk through.
All right, and I’m just going to end off of this with this high level checklist of what you guys really can tangibly go and do right away. One of the biggest things and the key foundations of the GDPR is that we have all these new policies that we have to be in compliance with, but we also need to have the visitors of our site or anyone that we’re taking information from may need to overtly assent to the terms.
Go to your opt-in pages. Do your opt-in pages take their name, their phone number, their other data, their email? Yes. Okay, good. We’re getting information, so what do we need to do? We need to have a checkbox or some sort of overt assent. Not just by behavior. Behavior is not assent. We need them to actually take and click or sign that they are agreeing to the terms of the site. Link your terms like we talked about in Episode 59.
Guys, this is super simple and easy. It’s something you could do in the time that I finish talking on this episode. So check boxes to get the overt assent by anybody that’s visiting your site and who’s submitting their private information, sensitive information, into your website. Keep in mind though, your check boxes cannot be defaulted as checked. They have to take the actual act of either checking it or signing. Okay?
Now again, the United States based consumers or the people that are on your list, unless you’re in a specific state that requires it, none of those people necessarily have to take that step to overtly assent to the terms, right? But your EU based people do. So whether you want to segment out this existing list that you already have or you want to just send it to everybody, but make sure that you check that segmented group of EU people, because once you’ve given them an opportunity to assent under GDPR without their permission, you shouldn’t be storing, not just using, storing their data anymore. Okay.
See if you have any cyber-insurance available to you. Make sure you have check boxes with linked terms for an overt assent such as contact forms, opt-in pages, link all your website terms and privacy policies on every page of your site. I just find that great business practice even without this GDPR stuff.
Identify how many people on your list are from the EU countries. Decide how you’re going to have them give this overt assent to remaining on your list and what the drop dead date that you’re going to use for purging them and getting rid of this data.
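Added example, not from the podcast or its host: a small opt-in handler that treats consent as an overt act (the box is never pre-checked and the linked terms version is recorded) and purges EU contacts who never assented once the cutoff date passes. Field names, the terms version label, the cutoff date and the sample URLs are assumptions constructed for illustration.

```javascript
// Constructed assumptions for this example: the label used for the linked terms text,
// and the cutoff date (the episode's May 25th compliance date) used for the purge.
const TERMS_VERSION = "privacy-2018-05";
const CUTOFF = new Date("2018-05-25T00:00:00Z");

// EU member states as of May 2018 (ISO 3166-1 alpha-2 codes), used to segment the list.
const EU = new Set(["AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
  "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB"]);

// Render the consent control: no `checked` attribute, so assent requires a click,
// and the terms being agreed to are linked right next to the box.
function consentCheckboxHtml(termsUrl, privacyUrl) {
  return '<label><input type="checkbox" name="consent" value="yes" required> ' +
    'I agree to the <a href="' + termsUrl + '">terms</a> and the ' +
    '<a href="' + privacyUrl + '">privacy policy</a></label>';
}

// Accept a submission only if the box was actively ticked. Record what was agreed
// to and when, so the consent can be shown on request or honoured on deletion.
function recordConsent(submission, now) {
  if (submission.consent !== "yes") {
    return { ok: false, reason: "no overt assent" };
  }
  return {
    ok: true,
    record: {
      email: submission.email,
      country: submission.country,
      termsVersion: TERMS_VERSION,
      consentedAt: now.toISOString(),
    },
  };
}

// After the cutoff, EU contacts with no recorded consent are removed from the list
// entirely, not just suppressed from mailings: storing the data is itself covered.
// Contacts outside the EU are kept, matching the segmentation the episode describes.
function purgeUnconsented(list, now) {
  if (now < CUTOFF) return list;
  return list.filter((c) => !EU.has(c.country) || c.consentedAt !== null);
}
```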
Now, as of May 25th you’re supposed to cease use of any EU data for marketing and/or targeting without this express opt-in agreement to terms. I’ll let you guys do with that what you want, but that’s the drop dead date again is May 25th. Now, if you guys are using independent contractors, if you’re using employees, here’s something else that you need to be really mindful of.
You need to ensure that you’re implementing documents that also include confidentiality language in there that’s going to help to insulate and protect you if these contractors or employees have potential access to the data that’s being stored. Because think about it, we’re looking at all of this, and this episode really is primarily from a website based perspective. You could have people that call in. You could have … it depends on where you are and who you’re marketing to, but you could have people mail in stuff.
It’s all … what is the threshold we talked about. It’s the receipt and storage of personal information, of this sensitive data that we’re collecting. Okay. And if your employees or contractors have any access to the site, if they have any way that they’re seeing spreadsheets or they are handling this personal information, they not only need to be well versed in the data protection plan that you’ve created with the data protection officer, but you also need to make sure that you have in their documents with them that there’s confidentiality that exists.
You need to have confidentiality language and honestly guys, you should have already had your employees and your independent contractors already signing the proper documents. But just double check and make sure and you might want to address in there the policies and procedures and just another line of defense to make sure that you are taking all steps to safeguard this personal data because you as the owner, as a CEO, as the entrepreneur, are the person that’s going to end up having an issue and you’re going to be the one that ends up in trouble and you just want to have a little recourse and little safety.
So make sure you have the proper documents in place that have confidentiality language and policies in there as well. Now, I hope I didn’t overwhelm you guys too much. This is a little longer episode than normal.
If you guys have any questions at all, please feel free to jump over to the Facebook Business Bites group. It’s simply The Business Bites. I’m more than happy to try to answer questions, get you some more resources on it, and now we’re not heavily working on this, we’re going to put out a lot more resources since we are a United States based business. The information that I put out is what I find to be the most relevant and easiest stuff that United States businesses can implement.
If you are an EU based business or a US business that consistently markets to the EU, you may need to seek local counsel to get a little bit more hands-on assistance. Maybe you’re a U.S.-based business that has a way more complex system than just a typical website or even an e-commerce site and you have a lot of different programs and systems in play.
Definitely worthwhile getting a legal review done to make sure that everything is in compliance. Because again, like we’ve talked about in other episodes, guys, you never have an issue, until you have an issue. We don’t want there to ever be an issue and you have to end up playing clean up. Really easy to get all this implemented. I believe in you and I’ll see you guys in the Facebook group.
For show notes, a list of recommended tools or referenced episodes, you can find them at BusinessBitespodcast.com until next time.
Rachel Brenke is a lawyer, author and business consultant. She is currently helping professionals all over the world initiate, strategize and implement strategic business and marketing plans through various mediums of consulting resources and legal direction.