Podcast Episode

387 – The Ins and Outs of GDPR

Announcements

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin from the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

WP Keyboard Shortcut is the best way to create keyboard shortcuts for your site. It works like Facebook, Slack, Twitter and other large websites.

The ins and outs of GDPR

What is GDPR?
GDPR stands for “The General Data Protection Regulation,” a privacy law from the European Union that goes into effect May 25, 2018. Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate.

6 principles of the GDPR
1. Data shall be processed “lawfully, fairly, and in a transparent manner.”
2. Data shall be “collected for specified, explicit and legitimate purposes.”
3. Data processing shall be “limited to what is necessary” for the purpose.
4. Data shall be accurate, kept up to date, and corrected.
5. Data shall be kept so it identifies a person “no longer than is necessary.”
6. Data shall be “processed in a manner that ensures appropriate security.”

Recommended Reading for GDPR:

- Complete Guide at CodeInWP
- WP for GDPR
- GDPR for Entrepreneurs
- GDPR for WooCommerce

Thank You!

Thank you to those who use my affiliate links. As you know, I make a small commission when someone uses my link, and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode, we are going to talk all about GDPR – what it is and what you need to know – right here on Your Website Engineer Podcast, Episode No. 387.

Hello and welcome to another episode of Your Website Engineer podcast. My name is Dustin Hartzler. I’m excited to be here with you today because we’re gonna be talking about something technical – something you’ve probably heard about in the news – and that is GDPR. We’ll talk all about that in just a few minutes. I do have a couple of announcements – repeat announcements from last week – and then a new plugin to share with you this week. The first announcement is all about the WordPress Anniversary – the 15th Anniversary – which is coming up on May 27th.

There are a lot of 15 year celebrations happening all around the world. I’ve got a link in the show notes where you can see where there are parties happening and you can sign up to be a party coordinator and you can do this in a local pub or backyard or just spend time with your WordPress Meetup group or whatever the case may be. That’s what is happening for the WordPress 15th Anniversary. I’ll be in Montreal on a team Meetup at that time. So, I’ll be celebrating with the native Canadian Montreal group and so I’m really excited to see how they celebrate the WordPress Anniversary up there. The other thing that I want to talk about is WordCamp Dayton is coming up in just a few weeks. We’ve got a lot of great information coming with great speakers.

We’ve got sessions. I’m doing a half-day session on WooCommerce – how to set up WooCommerce. We’ve got a session on Easy Digital Downloads and how that is different from and the same as WooCommerce and how you may want to use that, and then 12 different sessions that are happening on Saturday – just tons of information. If you’re in the Dayton area or within a five-hour radius, I highly recommend checking it out. If you have any questions, head on over to 2018.Dayton.WordCamp.org and there is a contact form there and all those contact submissions come right to me and I’ll be happy to answer them and answer any questions that you may have about WordCamp Dayton.

Alright. Now let’s move on to the plugin of the week and this one is called WP Keyboard Shortcut and this one – just the name of it itself is right up my alley because I love keyboard shortcuts for all things on my Mac – and this one is something that you can create and set up keyboard shortcuts for within your WordPress installation. So, you basically can just set these up. You can edit and add and delete options all in the same page. It works in the frontend and the backend, these keyboard shortcuts, and basically there’s a settings page inside the plugin and then you can just start setting up what the keyboard shortcut is and where it’s gonna go. And so you can say, “Oh, well I’d like to go to my all posts page on the dashboard” or “I’d like to go directly to the store page on the frontend of my site” – whatever the case may be – lots of cool things that you can do.

It’s got a really neat interface on the backend and – if you’re interested – there’s a link in the show notes for the WordPress repository, but it also has a seven minute video on there. It showcases and highlights how to set this up and how you can create keyboard shortcuts on your own WordPress site. So, if you’re doing a lot of navigating between the frontend and the backend and doing a lot of configuration and setup on WordPress sites, this may be the plugin for you. I’m not sure if you can actually set it up and then export all the features or export all your shortcuts and then put them on all of your sites. If that’s the case, that would be a really cool plugin and you could really do a lot of nice things. So, that is the plugin of the week: WP Keyboard Shortcut. You can find it in the WordPress repository or in the show notes for episode number 387.

Alright. Today, we’re gonna talk all about GDPR and this is going to be a podcast where I’m gonna do a little bit more reading than normal mainly because this is a really technical topic and I want to make sure that I hit all the bullet points and want to make sure that we really talk through and explain what this is. GDPR stands for the General Data Protection Regulation and it’s a privacy law from the European Union that goes into effect on May 25, 2018. So, that’s just in about 23, 24 days from now. Even though it’s just a European Union law, all online entrepreneurs need to be paying attention because GDPR will mean major changes for the way that we operate. So, what’s included or what kind of activities are covered by this GDPR? It applies to the processing of personal data and processing is a fancy word for doing anything with data.

So, you should assume that it covers everything that you do with all of your data you collect from individuals and to deletion of that data and everything in between. So, from when you collect it through when you delete it and anything you do with that data in between, this GDPR covers everything that you do. It applies to personal data which is anything that can be associated with or related to somebody who is identified or you can identify. So, things that are identifiable are things like names, email addresses, physical addresses. Most people include IP addresses and other information automatically calculated or automatically collected by Google Analytics. It also includes the type of processing and information that you’re adding to your contact database.

So, this could be information you collect at opt-ins or any other collection method, like surveys or quizzes, etc. or through tagging or segmenting in your CRM database. These activities are included because you are effectively monitoring what people are doing. So, who does this GDPR apply to? It applies to any relationship or transaction – commercial or free – where one or more of the parties is in the European Union. It’s not based on citizenship. It’s based on where they’re interacting with them. So, if you’re an online entrepreneur or marketer based in the European Union, you must comply with the GDPR across your entire business. This means if you’re collecting data from someone in the United States, you still have to comply.

If you are an online entrepreneur or marketer based outside the European Union, you must also comply with the GDPR when interacting or collecting data from people inside the European Union. Okay. So, how does this apply to non-European entrepreneurs? Let’s break this down in this manner as well. A non-European Union entrepreneur has to comply when processing people in the European Union, but only if that processing is related to offering products or services to the EU and that means lead magnets actually count. So, if you’re capturing lead magnet information from people in the European Union, you have to comply with these standards and monitoring the behavior of people in the European Union. Then there are a few gray zones as well.

So, people aren’t sure on how the territorial limit will apply, but questions that may come up are, “What about people who don’t knowingly collect information?” or “Facebook ads: if Bobby focuses on people in the US, he’s not actively trying to attract people in the EU, but he looks at his list and five percent are in the EU. Is he gonna be in trouble by not applying these standards or whatnot?” or “What about adding a disclaimer that you sell to people in the United States?” All these things are not crystal clear yet and we’re still trying to wait to figure out what’s gonna happen and what kind of new regulations and whatnot are coming into effect and what that language in detail will mean for us here in the United States.

There are six principles of the GDPR and the first one is data shall be processed lawfully, fairly, and in a transparent manner. So, this just basically means you have to be up front about what you’re collecting the data for – whether you’re going to use it for … they’re gonna get a free eBook and that’s it or if they’re gonna get a free eBook and then you’re gonna market to them or whatever the case may be. You have to be very, very explicit on what is going to happen when you collect their data. Number two, data shall be collected for a specified, explicit, and legitimate purpose. You can’t collect data without explaining how you’re gonna use it. It’s kind of like that first one, but the first one is more about lawful and fair and transparent and this one is you have to say exactly what the legitimate purposes are for collecting this data.

Principle number three, data processing shall be limited to what is necessary for the purpose. You can’t collect all kinds of data on a person if all you need is an email address for a lead magnet. You can’t say, “What’s your home phone number and your address?” and all this information. You just need to get the minimum amount of data that’s necessary. Once you’ve collected the data, then you can use it for its intended purposes. Principle number four, data shall be accurate, kept up-to-date, and corrected. This really doesn’t apply to us as entrepreneurs or as small business owners. This is more for the Googles and Facebooks of the world. They have to make sure that their information is always up-to-date and current.

Principle number five, data shall be kept so it identifies a person no longer than necessary. This means you should not keep data around forever and there’s no reason to keep it forever. You know, if it’s something menial, you can keep it for a few months or a year, but then you don’t need to keep it absolutely forever. One of the side notes that’s not coming from this whole technical mumbo-jumbo is I saw WooCommerce 3.4 is coming out soon and there is a button in there that lets you redact a lot of information on old orders. This is a really neat new tool that’s gonna help with this GDPR standard because when you have old order information, you don’t necessarily need to keep all that information if they purchased something from you five years ago. You just need to know that the order was taken so you can keep calculating and see what your profit and loss statements are.

So, there’s a button inside the new version of WooCommerce that basically will take out the name, the email address, the address, and all that good stuff, but just keep the order in the database. So, that’s what it kind of means. We’re not keeping it forever and ever. We’re just keeping it as long as necessary. And then principle number six is data shall be processed in a manner that ensures appropriate security. So, this means you have to take responsible steps to protect the data. We should already be using an SSL certificate and other ways to make sure that we’re protecting our data. Data should be stored behind a secure password, a wall, or whatever the case may be. You want to make sure that that data is very, very secure on the backend of things.
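As an added illustration of the storage-limitation principle described above (this is example code written for these notes, not WooCommerce’s own implementation): a retention pass that redacts the identifying fields on orders older than an assumed two-year window while keeping the order id, date and total so profit-and-loss reporting still works. The order records, names and addresses are constructed sample data.

```python
"""Retention-based redaction of old orders (constructed example, not WooCommerce code)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Fields that identify the customer; the financial fields are left untouched.
PII_FIELDS = ("customer_name", "email", "billing_address", "ip_address")
REDACTED = "[redacted]"
DEFAULT_RETENTION_DAYS = 2 * 365  # assumed business policy, not a number the GDPR mandates


@dataclass(frozen=True)
class Order:
    order_id: int
    placed_on: date
    total: float  # kept so revenue reporting still works after redaction
    customer_name: str
    email: str
    billing_address: str
    ip_address: str
    redacted: bool = False


def is_past_retention(order: Order, today: date, retention_days: int) -> bool:
    """True when the order is older than the retention window."""
    return today - order.placed_on > timedelta(days=retention_days)


def redact_order(order: Order) -> Order:
    """Return a copy with every PII field overwritten; id, date and total survive."""
    if order.redacted:
        return order  # already anonymised, nothing left to strip
    return replace(order, redacted=True, **{f: REDACTED for f in PII_FIELDS})


def redact_stale_orders(orders, today, retention_days=DEFAULT_RETENTION_DAYS):
    """Redact only orders past retention; recent orders come back unchanged."""
    return [redact_order(o) if is_past_retention(o, today, retention_days) else o
            for o in orders]


def total_revenue(orders) -> float:
    """Revenue is computed from the surviving totals, so it is the same before and after."""
    return round(sum(o.total for o in orders), 2)


# Constructed sample data; the people, addresses and IPs are made up.
SAMPLE_ORDERS = [
    Order(1001, date(2013, 3, 2), 49.00, "Pat Example", "pat@example.com",
          "1 Example St, Dayton", "198.51.100.7"),
    Order(1002, date(2017, 1, 10), 120.50, "Sam Sample", "sam@example.org",
          "2 Sample Rd, Lyon", "203.0.113.9"),
    Order(1003, date(2018, 5, 1), 19.99, "Kim Test", "kim@example.net",
          "3 Test Ave, Berlin", "192.0.2.44"),
]


def demo():
    """Run the retention pass over the sample data as of the day the GDPR applies."""
    return redact_stale_orders(SAMPLE_ORDERS, today=date(2018, 5, 25))


if __name__ == "__main__":
    for o in demo():
        print(o.order_id, o.placed_on, o.total, o.email, "redacted" if o.redacted else "kept")
    print("revenue:", total_revenue(demo()))
```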

So, one of the questions that may come up is how will you need to change the way you collect email addresses for potential leads with your marketing efforts? This is a great question. There’s a lot of information out here on this and this basically means that the only lawful basis for adding someone to your marketing email list under the GDPR would be consent and the GDPR requires that consent be freely given, specific, and unambiguous. This means that we must get a separate consent to add them to our marketing list. We can’t require them to give the consent as a condition for getting your freebie and you have to sell prospects on the benefit of your list to get them to voluntarily sign up – just not as a requirement to get your lead magnet. So, this is kind of a big deal.

A lot of people say, you know, you’ll go to a form and it’ll say “enter your email list or your name and your email address” and then you check this box to get more information or stay on our mailing list and then you get the free download. That’s not a thing anymore. You cannot do that for folks in the European Union. You have to have that extra step in between. So, you have to allow them to get the freebie without opting into that list and then you have to allow them to add themselves to this list. It’s really kind of complicated. I’ve got some links in the show notes for some of the details and some of the articles that are out there just to kind of help you wrap your mind around how you have to change some things on your website in the next couple weeks to make sure you are compliant with GDPR.

The new consent standard applies to your existing list as well. So, if you can’t show that you have the right kind of consent for people you already have on your list, then you cannot email them any longer beginning May 25, 2018. So, this is very important. Because consent must be specific and unambiguous, someone downloading a lead magnet from you does not equate to consent to be added to your general email list. The GDPR also prohibits asking for consent as you add them to the email list. So, getting consent for multiple things or in the course of some other transaction is gonna be hard. You likely need standalone consent. So, as someone said – I heard this today – basically we’re gonna turn the entire internet into a bunch of “I agree” checkboxes and make sure that everybody knows what you’re signing up for.

So, it’s gonna be a little bit more of a process to set up that email list and get consent from people in the European Union. So, the big thing that you want to do is figure out how to preserve your mailing list or that existing list that you might have and get compliant. It’s kind of a two-prong approach. You need to segment your list into two parts. You need to have a part for your non-European Union subscribers – so those that are in the United States and everywhere outside of the European Union. You can segment those into one list and then you segment the second part of your list – your subscribers from the EU – and any other unknowns.

Sometimes in your email service provider, you have unknowns, maybe because they don’t have any data about where they’re located. And so you have to treat them like they’re in the EU and many email service providers have this functionality or they’re working on it. I know that I’m using ConvertKit and they make it very simple to segment it like this. And so what you want to do is you want to segment those into two separate lists. Now you’re gonna have to reengage with the subscribers from the European Union and so this means when I send out an email from Your Website Engineer to all of the folks that are in the EU, this means that I’m gonna try to be reengaging and making sure that they are interested in continuing to be on my email list.

Mainly what’s gonna happen to that list is then I’m gonna have to run a reengagement campaign and so this means before you send out consent emails, you want to add value. So, in theory, I should be sending out a few emails over the next couple weeks to make sure that I’m delivering value, giving great feedback or information, making sure that, “Yes, it’s very important that you should stay on my email list because of this, this, and this” those types of things. So, after you’ve kind of primed the pump, if you will, you spent a few weeks delivering high quality content, providing interesting things for people to read, then – after we’ve sent that valuable email information over to our email subscribers over the last couple weeks – then we want to send an email asking for consent.

Again, this only has to be on the segmented list that’s in the European Union and those that have the unknown country location. But you make sure that you want to put them into a special tag or give them some sort of nomenclature inside of your email marketing system, your CRM, and make sure that they are tagged as such like, “Yes, I’ve given consent.” You want to send multiple consent emails to make them enticing. Make sure you pay close attention to the subject lines. Any catchy or blatant subject lines may work well. The challenge is to get people to open the emails and the only goal of the reengagement campaign is to convince people to give you GDPR compliant consent. This might mean clicking on a link in an email or signing up via an opt-in page. It all depends on your email service provider.

Anyone who doesn’t give necessary consent by May 24th should be deleted from your list. Remember, even storing or deleting their information is processing. So, this needs to be done before May 25th. That’s probably the biggest takeaway that needs to happen. If you do nothing … so say you’re doing nothing and then on May 24th what you need to do is just go into your email newsletter provider and delete anything that … any person that is in the European Union or that has an unknown location. The biggest takeaway probably of the entire episode is just that last statement.

Anyone that doesn’t give consent by May 24th should be deleted from your list. If you’re storing or deleting their info, that is considered processing and the processing – in order to process somebody’s information – they have to have given you consent. So that all needs to be done by May 25, 2018. So, the summary of the steps and suggestions to preserve your existing list is: build some goodwill over the next three weeks. Just give more value than you normally do. Go above and beyond. Make sure your content is so good that no one will want to miss the awesomeness. And then step two is to create your targeted list. You want to make sure that you are only sending them to the people that need them.

There’s no sense in sending a “Will you give me consent to be on my list?” to people in the United States because it doesn’t matter for the United States. So, you want to make sure that you’ve segmented those lists and then you run this reengagement campaign to the list of people you need to provide fresh consent. Sell them on the benefits and do it in your own style. Good copywriting is key. Know your audience. You’ll plan this series of events with increasing urgency and interesting subject lines to make sure people don’t miss them. And so it is for online entrepreneurs, for us that are just trying to run businesses and keep websites up-to-date and market to people that are interested in what we’re doing. This is one of the big deals.

The main impact of GDPR is just that it impacts how we build our email list and how we work with that list that we’ve already created. So, that’s what I wanted to share today. The big idea is to make sure that we are learning about GDPR. We’re getting ready for it. Like I said, we’ve got about three weeks – a little over three weeks – until this happens and so we’ve got plenty of time to write some email newsletters to get people on our list engaged and interested once again. I’m sure you’ll see this from a lot of different people whose email lists you have signed up for. They’re just sending out a lot of information and whatnot to keep you enticed to be on their email subscriber list.

But that’s your homework for this week: come up with a couple subjects – what you’re gonna send emails about – and get ready to start segmenting your list and keeping those email subscribers there and continue to learn and talk about it and I’ll see if I can pull together some more information about GDPR and what that looks like and how we can best manage that data and manage that information. So, that’s what I wanted to share with you this week. Those are your action items. You’ve got lots to do this week. I’ve got lots to do and let’s go ahead and make some progress here in our WordPress goals and make sure that we’re not losing tons of email subscribers in the next month because of the GDPR. That’s all I’ve got this week. Take care and we’ll talk again soon. Bye-bye.

Comments

Alain (May 3, 2018)

Hi, my name is Alain Guillot, blogger for http://www.alainguillot.com/
Your tips have helped me for a long time.
I am based in Montreal. I will get to meet you in person for the WordPress 15th year anniversary.

One more time, thank you for all your help.

Dustin Hartzler (May 6, 2018), replying to Alain

Awesome! I look forward to meeting you then 🙂

Joey (May 14, 2018)

Hi Dustin, in your episode, you mentioned that we aren’t allowed to send any other emails (such as newsletters, marketing emails) to those people who have opted in to download a free eBook. Where did you see this info? On the OptinMonster blog (https://optinmonster.com/what-you-need-to-know-about-gdpr-and-optinmonster/), they’re talking about using a checkbox to send periodic marketing emails. Not sure which one is correct. If we cannot use an opt-in lead magnet to further contact subscribers, it almost defeats the purpose of giving the lead magnet for free, I guess.
