Handprint Legacy

Katie Hornor, faith-based business strategy for coaches and course businesses


By Katie Hornor

Mythbusting: GDPR for US-based Bloggers

Why is the blogging world in a panic over the GDPR (Global Data Protection Regulation) deadline looming just a few weeks away on May 25, 2018? Because while this has been “in the works” since 2016, actual how-tos and expectations have only recently been released, and the ensuing panic has caused some to compare this to Y2K! (I'm not even kidding!)

In this post I'll break down several of the myths floating around out there regarding GDPR and US-based bloggers' need for compliance, and also show you the 5 simple steps to be sure you are compliant by the deadline, as well as your options if you choose not to comply.


Disclaimer:

I am not a legal expert, and this course does not provide legal advice. I have a vested interest in your success under the GDPR, but if you need concrete legal counsel, talk to a lawyer. I strongly advise you to research GDPR on your own and consult with a certified legal professional in regards to your decision to comply or defy GDPR.

Myth: This is coming out of nowhere, why the short notice?

It has been in the works since 2016, but no one really paid attention until the deadline loomed, and until recently we didn’t have clear expectations set forth.

Myth: I am not an EU resident, I don’t have to comply.

A: If any of the following are true about your business, it is in your best interest to comply:

  1. Is your site for EU residents or targeting them in any way?
  2. Can you identify traffic coming from EU countries?
  3. Do you have subscribers from EU countries?
  4. Do you have customers/clients from EU countries?
  5. Do you use Google Analytics or third-party data processors?

Webinar: https://suzannedibble.lpages.co/gdpr-replay/

Myth: This is about giving them my freebies without being allowed to follow up with offers.

A: Data protection is about personal rights and a culture of respecting them. It's about communicating to your users, readers and customers:

  1. What info is collected
  2. How it is collected
  3. How it is handled, transferred, and stored
  4. How it can be requested, amended or deleted
  5. What it is used for
  6. And the right to revoke consent

It’s about the right to give consent, rather than having assumed consent. It's good customer relationships really, and most companies who care about this are already probably mostly compliant. As far as your freebies and list opt-ins go, you will likely need clearer wording as to what you are going to deliver, and how often, but isn't that in the best interest of the relationship with all of your subscribers anyway?


Myth: It is impossible to comply.

A: Not impossible, or EU residents and business owners themselves would be up in arms protesting the changes. It may not be “easy” but it's certainly not as complicated for US-based folks as some believed it to be. Especially if you are not purposefully targeting EU residents. You just need step by step help to be sure you’re making the correct changes by May 25, 2018. Here are the main steps to comply with GDPR:

  1. Audit and document all personal data
  2. Review and document the legal basis for all of the data processing
  3. Review privacy notices and amend where necessary
  4. Get compliant consent for EU list and make consent explicit going forward
  5. Put systems in place to be able to keep records of consent and safeguard users' data

ICO's GDPR consent guidance: https://ico.org.uk/media/about-the-ico/consultatio…

ICO's 12 steps outline: https://ico.org.uk/media/1624219/preparing-for-the…

Myth: If you don’t comply you’ll be fined 20m euros.

A: This is not entirely true, and here's why:

  1. The highest fine in the UK currently is 500,000 pounds.
  2. The stated fine for non-compliance is 17m pounds or 4% of annual global profit, whichever is higher. The head of ICO herself has said that this is more of a shock value to reinforce how seriously they are taking data protection, than something they plan to enforce left and right.
  3. No one is going to inspect your website come May 25 to see if you are compliant and come fine you if you’re not. They don’t have the staff in place to do that. Investigations can be initiated, but only upon receiving a substantial complaint.
  4. If someone complains about the way you handle their data, an investigation could be initiated and burden of proof is on you.

https://www.fsb.org.uk/first-voice/gdpr-the-uk-information-commissioner-writes-to-smes

Myth: They can’t fine me if I am not an EU resident.

A: Well yes, technically they can. The ICO and the EU work closely with the Federal Trade Commission (FTC) on these matters.

https://community.spiceworks.com/topic/2007530-how-the-eu-can-fine-us-companies-for-violating-gdpr

Myth: My email service provider is going to be compliant by May 25, I don’t need to do anything else.

A: Not true. If someone complains about your list, YOU are liable, not the email service. You also have to have an obvious and easy way to find policies on your site about the data you collect and process, as well as how you allow users to opt out of cookies and/or request to change or delete information (erasure). Data processing by third parties is only one part of the GDPR.

Myth: This is so scary!

A: Um no. It's not scary, and when you calm down enough to focus on the facts, it's fairly straightforward. We are scared of the things we do not understand. If you take some time to investigate the sources and understand what is happening and what you must do to comply, you will be fine. In the last 10 years of blogging there have been tons of other changes and we've survived. Those who succeed ultimately are those who face challenges like this without letting it stop them.

Your GDPR Options in the face of the May 25 Deadline:

1. Do nothing and risk it

  • Pro: no stress, no worries, carry on like normal
  • Con: possible big problems and fines should someone report you

2. Block EU countries from your site

Pro: You think “EU users can’t find me, I’m not liable.”

Cons:

  1. Using VPN they can still find you.
  2. Blocking entire countries of IP addresses with the htaccess or a plugin will slow down your site as it has to verify the IP address against the blocked list before serving the page or the error page.
  3. Blocking can be expensive: Cloudflare will do this but it requires the most expensive package, over $200/mo. Blocking countries at the server level is optimum, but only certain hosts do this. Black Chicken and WPengine will. Momwebs will if you have a dedicated server, which is an extra $50/mo fee.
  4. The very act of blocking their IP is processing their location data to make a decision that affects their right to information. From what I understand the US doesn't currently consider location/IP address as personal data, but the EU does. EU-based business owners are legally not allowed to block countries. As of now, US businesses can, but we may not always be allowed to.

3. Get compliant by May 25.

Research, read, learn, make an effort to comply.

It's not as hard as you think to do these 6 things:

  1. Elect a Data Protection Officer (i.e., contact person)
  2. Audit and document all personal data
  3. Review and document the legal basis for all of the data processing
  4. Review privacy notices and amend where necessary
  5. Get compliant consent for EU list and make consent explicit going forward
  6. Put systems in place to be able to keep records of consent and safeguard users' data

Ultimately you have to make the best decision you can for your business. Comply or Not. How will it affect you and your people and your bottom line going forward? I can't answer that for you.

Here is a 6-step compliance checklist. 


But, if the thought of getting compliant on your own overwhelms you, I'd encourage you to join The Blog Connection or purchase my GDPR Compliant masterclass where I will walk you through step by step what to do to be compliant.

Buying the masterclass will give you all you need as a US-based blogger or solopreneur to make your business compliant on your own (though we do strongly suggest you research and consult a legal professional on your own).

And in The Blog Connection, we’ll be delivering the same training to our members as well as keeping you updated as this progresses so you can stay on top of it.

Other Resources:

My post on Mount Hermon Writer's Blog: How to Be GDPR Compliant

How to segment your email list by country or region (video)

How to easily make your opt-in forms compliant with ConvertKit (video)

Bobby Klink, lawyer talking GDPR on The Bacon Podcast (I was on Bobby's show a few weeks back and he knows his stuff!)

Bobby Klink on Amy Porterfield's podcast re: GDPR 


Katie Hornor

Most days you’ll find the founder of Handprint Legacy answering client emails or working on her next book in the front room of their 250 year old home in tropical Mexico. She’s an author, speaker, mindset and business strategy coach, homeschool Mom of 5, and the #CourseCreation expert behind SuccessfulOnlineCourses.com and TheCourseFormula.com helping Christian experts reach more people and make more money through courses and high ticket offers. Be sure to grab a copy of her FREE Course Creation Blueprint before you go.


©2022 HANDPRINT LEGACY LLC | Sioux Falls, SD 57106
