Rethinking Data Collection in a GDPR World

You’ve spent years reading up on marketing strategies and doing everything you thought counted as a best practice. Then GDPR legislation passed.

Now you’re worried about whether all those strategies that used to come highly recommended could now get you in legal hot water. Big businesses can lean on their legal teams to make sure they keep their marketing on the right side of GDPR, but little guys like you? It’s overwhelming and frankly kind of scary.

You do NOT want all the hard work you put into your business to go out the window because of a law you find confusing. And you can’t cross your fingers and hope that being a small business will mean nobody pays attention to whether or not you comply. The stakes are too high. 

What GDPR Is: A Quick Summary

GDPR stands for General Data Protection Regulation. It’s a law passed in the EU focused on providing consumers more protection in how their personal data is collected, and giving them more control over how businesses then use that data. 

While the law is focused on European consumers, the effects of it are far reaching. Even if your business is based in the United States, if any European citizens that come to your website fill out a form or make a purchase—you legally have to comply with GDPR.

That means businesses that mostly serve U.S. customers should still aim for GDPR compliance. And if concerns about the GDPR itself aren’t enough for you to make data protection a priority, then the growing number of state laws in the U.S. that offer similar guidelines (like the CCPA (California Consumer Privacy Act) and the New York Privacy Act) should change your tune. 

How to Move Forward On the Right Side of GDPR

You can’t sleep on this data privacy stuff, but knowing that doesn’t make the whole thing any less overwhelming or confusing. To help you get started down the right path, here are a few of the most important best practices you can implement now. 

1.Embrace transparency.

A big part of the GDPR is giving consumers more control over what happens with their personal information. For businesses, that means you need to get in the habit of being entirely forthright about what data you collect, and what you plan to use it for. 

In practice, that includes drafting a clear privacy policy that you publish on your website and letting website visitors know about it if you use cookies to track visitor behavior. (That’s why you’ve started to see so many notes popping up on websites about cookies).

gdpr cookie notice on website

Any form on your website that requires visitors to hand over personal information (including their name or email address) should include messaging about what you plan to do with that information. If they’ll be signing up for your email list in the process, make sure you tell them that!

2. Worship at the altar of the opt-in.

The most common type of personal information businesses collect from prospective customers is their email address. Building an email list is the cornerstone of many a small business marketing strategy. And you can keep using email marketing under GDPR, you just have to make sure you’re only contacting people who have opted into your email list.

Hopefully you were doing that already. We’ve all rolled our eyes at the acquaintance we met once at a friend’s party and somehow started getting marketing emails from the next week. Not cool, Bob 🙄. 

I’m sure you’ve never been that guy. But a lot of businesses adopt habits around their email lists that still fall outside of full opt-ins. Do you automatically add everyone that stops at your booth at a conference to your email? Or every prospect that fills out a form on your website for more information? Don’t do that anymore—only sign them up if you explicitly ask permission first. 

Even better, give your visitors more control over what they opt-in to. Have you ever signed up for an email list hoping for coupons and gotten a lot of emails about content you weren’t interested in? Or signed up because you were interested in skateboarding products, but now you’re stuck getting a bunch of emails about roller skates? The more power you can give your audience, the better. 

3. Make unsubscribing easy.

The flip side of the opt-in is the unsubscribe. Any consumer should be able to easily opt back out at any time. Luckily, any legitimate email marketing software you use will require this, so this part’s easy to comply with.

Segmentation can be useful here too. That subscriber that just wanted skateboarding content? If you let them unsubscribe from just the roller skate related emails, they may stick with you for longer. 

4. Audit your database(s).

The GDPR may be recent, but the rules apply retroactively to any past data you’ve collected. If you have personal information sitting in a database now (and that includes any information about your leads and customers—name, email, phone number, address, and especially sensitive data like credit card numbers), go back and review it. Are you absolutely certain that the person gave their consent to your collecting that information and storing it?

If not: delete, delete, delete

And really consider how you got that data and why you have it. Was it from business practices that would put you on the wrong side of the law now? How can you make sure you cut those out moving forward? 

5. Stop asking for data you don’t need. 

And on that note, stop assuming more data is better. Many businesses are in the practice of collecting data they don’t need, and won’t even necessarily use. This not only hurts your form conversion rates, but can get you in hot water with GDPR.

Look at the various forms on your website and any other processes you have now for collecting data, and ask yourself if you’re requiring people to hand over information you don’t need. Maybe you can leave the phone number field off that form after all. And do you really need to hang onto that credit card number any longer than the time it takes to process it? (Pro Tip: Check that any WordPress form plugins you’re using are GDPR-compliant.)

The more information you have, the more responsibility you have to keep it secure—so think of data as a double-edged sword. Stick with keeping only what you need. 

6. Do talk to a lawyer.

I get it, you’re a small business on a budget and lawyers are expensive. But this is a case where it’s worth paying some money now to avoid potential consequences later. A blog post can sketch out some best practices, but to make sure you’re following all the nuances of the law, a professional’s expertise is worth the cost. 

The GDPR is Good, Actually

It sounds like a pain. It seems like a long list of tedious rules you have to follow. 

But hear me out: the practices and processes you put into place because of the GDPR are the kinds of things your customers have wanted all along. And doing what your audience wants is good for business–you don’t risk losing their trust by seeming creepy when you know too much about them. And you reduce the risk of facing the (expensive, embarrassing) consequences of a data breach.

Even if they seem annoying at first, following the standards of privacy laws like the GDPR and CCPA will make you a better, more trustworthy business. And that’s worth it for reasons that go well beyond legal compliance.

Kristen Hicks is an Austin-based freelance content writer and lifelong learner with an ongoing curiosity to learn new things. She uses that curiosity, combined with her experience as a freelance business owner, to write about subjects valuable to small business owners on the HostGator blog. You can find her on Twitter at @atxcopywriter.