What Is Considered Personal Information?

Personal information (also referred to as data), is any piece of information that relates to an identifiable person. This includes names, addresses, emails, genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership.

Who Is Protected?

EU residents, and citizens regardless of where they reside. So a citizen of the EU residing in the United States or Canada, for example, would be entitled to the protections of GDPR and enjoy its benefits.

Who Has To Abide By GDPR?

Read the previous paragraph carefully. Because what it means is that any organization or business that has access to the information of an EU resident or citizen, regardless of where that organization or business is based, must abide by GDPR. A mom and pop grocery store in rural Iowa with only a local customer list likely doesn’t need to worry about GDPR. A consultant, coach, course creator or digital marketer likely does.

What Are The Penalties For Failure To Be GDPR Compliant?

They’re huge. The EU has set a maximum fine of €20 million (about £18 million) or 4% of annual global turnover – whichever is greater – for infringements.

But I’m Located Outside The EU… Do I Really Have To Worry?

Yup. The Dutch Data Protection Authority (an EU member authority) levied a fine of €525,000.00 (about US $620,000!) on a company NOT located in the European Union for violation of a provision of the General Data Protection. Businesses outside the EU, especially in the U.S., and especially small coaching, consulting and digital marketing enterprises, have taken a very low key approach to GDPR compliance. They have presumed that EU authorities wouldn't venture outside the EU... across the pond as it were.... to pursue non-EU businesses. The EU authorities have shown that they will aggressively pursue businesses, regardless of where they’re based for violations of GDPR.

How Do I Get GDPR Compliant?

You need to get explicit consent to email people. Ideally, this means that there needs to be a consent checkbox that the person opting in must check giving consent before you can follow up and email. It also means that you must make it clear that the person opting in can unsubscribe, and make it clear how that person can unsubscribe.

You must keep your clients’ and customer’s data confidential. You must not share or sell it. Which likely appears self-evident. Here’s where it gets tricky: you need to ensure (as it’s on you) that the handlers (processors) of your clients’ and customers’ information also must comply with GDPR (like your CRM provider).

Your Privacy Policy and Cookie Policy must contain the requisite GDPR representations.

And, if you are located outside of the EU, and process the data of EU residents or citizens (have them on your email list) you must have an Article 27 Representative within the EU.

Here is a complete GDPR checklist.

Our templates are GDPR compliant.

What Is An Article 27 Representative and Where Do I Find One?

Article 27 of the GDPR requires that, if your business is located outside of the EU, and you have data pertaining to EU residents and/or citizens, then you must appoint an EU representative within the EU on your behalf. This representative is designated to receive, respond and remediate complaints on behalf of EU residents and citizens for violations of GDPR. This is a serious and enforced provision of GDPR. We have a relationship with EU Business Partners located in Ireland (the only English speaking country within the EU). The principle of EU Business Partners is knowledgeable, reputable, of high-integrity, and he knows the digital marketing landscape well.