GDPR. Anyone figured this out?

[jon.M]

My head hurts trying to figure this out, but it’s something we have to do.

Can anyone link to good resources that clearly explain what we need to do?

I don't know how much you know already, but I just throw these videos in here for everyone who's no idea of what GDPR is.

Here are some of my takeaways. Take it with a pinch of salt, though. Not completely figured it out myself.

But the meat and potatoes seem to be that you've got to be clear about what you'll do with their data, and give users control over theirs. For example when you're offering a lead magnet, you NEED to tell users -- and get their active consent -- that you will use their e-mail adress to contact them with additional offers in the future (if that's what you do).

You can't longer do the "By using this site, you accept cookies" trick. Users must have the choice to either accept or reject that data collection.

Users will need the option to opt out from your data collection. That's why Google Analytics just launched a couple of new functions that allows us to, for example, delete all data associated with an individual user:

Today we introduced granular data retention controls that allow you to manage how long your user and event data is held on our servers. Starting May 25, 2018, user and event data will be retained according to these settings; Google Analytics will automatically delete user and event data that is older than the retention period you select. Note that these settings will not affect reports based on aggregated data.

Action: Please review these data retention settings and modify as needed.
Before May 25, we will also introduce a new user deletion tool that allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics and/or Analytics 360 properties. This new automated tool will work based on any of the common identifiers sent to Analytics Client ID (i.e. standard Google Analytics first party cookie), User ID (if enabled), or App Instance ID (if using Google Analytics for Firebase). Details will be available on our Developers site shortly.

Addition: I also think that if the data you're collecting is hacked, lost etc, you are obliged to report the incident to your country's data protection regulator. But only if it has a detrimental impact on individuals whose data is collected.

For example if it could lead to lost money, confidentiality breaches, damage to reputation.

What is GDPR? The need-to-know guide | WIRED UK

 

[Everyman]

As far as I am concerned another 'dead' law.

EU is useless regulating the curve of a banana and light bulbs. This is another adding, to the pile of horse*@t they produce and we let them.

How is google or other giants going to adhere? Answer. They won't.

'Our' company owns more than 5 data centres across the world. Is 'EU' going to raid them to check if they don't keep excessive data? Or else?

Disregard any ridiculous law they produce and move on. This is what we should do. It's not about data protection but to waste your time and give you a headache.

 

[MJ DeMarco]

Ah yes GPDR ... kinda reminds me of the infamous "Affordable Care Act" here in the states -- sure it sounds great with good intentions, but the whole thing just looks like a revenue-racket. As the bureaucrats say, never let a good crisis go to waste when that crisis can be used to implement more fee-generating regulations.

I've just booked myself onto this. Dreading it.

How'd it go?

 

[Andy Black]

So all the email crap hitting my inbox has gone. We're going to spam you to tell you we're not going to spam you. ?!?

Anyway, I went on that GDPR course and it wasn't bad, but my biggest takeaway was when another attendee asked if there was a checklist we could go through and the presenter shuffled through his Powerpoint slides, frowned, and said he hadn't created one. So I've a pile of Powerpoint slides but no checklist of actions to go through? Hmmm.

I had a one hour meeting with a GDPR mentor yesterday that was more useful.

What was even more useful was me sitting the evening before drawing out the flow of data through my business. It was a good process to go through and I identified areas where we're gathering more info than we need, and are taking additional steps we don't need to take. We're going to remove those immediately and that will make my business a bit simpler already.

I was surprised that I actually started finding it quite interesting.

FWIW, here's my notes from the meeting yesterday (note that these are personal notes so go and do your own due diligence):

1. It's my obligation (and in my interest) to explain what data is collected and what happens to it in the Privacy Policy on my company website. This could be needed for mitigation.
   
   
2. Have fun with it! You can use humour if you want in your Privacy Policy. You can make it your selling point that it's simple, and easy to understand. (You should make it simple and easy to understand anyway.)
   
   
3. Check the UK ICO site. They're much more up on this and innovative in the UK than in Ireland.
   
   
4. Where are our landing pages hosted? I need to determine this and put an explanation up in my Privacy Policy.
   
   
5. People can only really lodge a complain if you haven't stated what happens with their data.
   
   
6. Use your Privacy Policy to demonstrate your own understanding of the data gathered and processed in your own business.
   
   
7. Illuminate people!
   
   
8. Mention that payments to Google are through the Google AdWords platform. Mention Stripe, Paypal, etc.
   
   
9. Tell people what you DON'T do, not just what you do. E.g. We don't take your credit card details.... they're input into Google, Stripe, etc.
   
   
10. I pretty much have a GDPR compliant business already because I just create a page for consumers to call Blacksmiths or send them an email. I don't (really) collect consumer data. I need the Blacksmith's phone number and email address to serve them. I just need to get everything documented in my Privacy Policy.
    
    
11. Don't forget to mention that people can email <email address> to get a copy of their data or to request it is deleted. (Note that you can decline to delete data if you have a requirement to keep it. E.g. for legal reasons where I might need to keep data for 7 years.)
    
    
12. Don't capture data you don't need.
    
    
13. Don't add processing steps you don't need.
    
    
14. In my case, we don't need the consumers email address when they request a callback. We just need their firstname, phone number, and maybe the brief message.
    
    
15. In my case, we don't need to send a copy of the email to ourselves so we can see everything is working. We just need to note the date/time a message was sent, and to whom.
    
    
16. (My own note: I should chat with all my team members about our requirements for protecting consumer and client data. I should also get a short contract stating this.)
    
    
17. If/when I come to sell a business, make the fact that it's GDPR compliant and SIMPLE a selling point.

 

[Andy Black]

My head hurts trying to figure this out, but it’s something we have to do.

Can anyone link to good resources that clearly explain what we need to do?

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Thoelk]

As far as I am concerned another 'dead' law.

EU is useless regulating the curve of a banana and light bulbs. This is another adding, to the pile of horse*@t they produce and we let them.

How is google or other giants going to adhere? Answer. They won't.

'Our' company owns more than 5 data centres across the world. Is 'EU' going to raid them to check if they don't keep excessive data? Or else?

Disregard any ridiculous law they produce and move on. This is what we should do. It's not about data protection but to waste your time and give you a headache.

I wouldn't call it dead, rather passive. EU won't investigate by themselves actively, but you as a consumer will get the support through these laws. Just ask yourself the question, if cliënt X sends me a mail with the question to give all his data.. and afterwards delete it. Am I able to do that, yes or no? Because you should be. But I agree, it's all a bit fuzzy. And if you want some nice freelance opportunities, getting ''hired" as a DPO to prepare for GDPR is a good choice.

I wouldn't simply wash it away. Comparing yourself to a Silicon valley gigant is never a good idea..

 

[theag]

ensure my clients are compliant too

In our consulting business we honestly tell our clients that we can't advise on GDPR and they should seek specialized legal advice if they want to be on the safe side. I think this is the only reasonable way to go as a service provider, for example Adwords or (even worse) FB campaign management, otherwise you might have a high risk of unintentionally giving wrong advice and being liable for it. And the stakes are high with GDPR penalties.

FB's privacy breach problems are already making waves in the FB ads environment and I think it might get a lot worse next month. Worst case FB ads become useless for a majority of businesses because targeting options disappear and the FB pixel needing an actual opt-in (what my lawyers tell me), rendering highly profitable remarketing useless (because nobody opts in), no more lookalike audiences and no way to track campaign performance. Unless you are willing to take the legal risks.

There is a high chance of GDPR killing off a lot of small advertisers and ruining businesses, while further strengthening FB's and Google's positions. A lot of the adtech companies might get serious problems. And the EU is clueless about the consequences of their doings.

 

[Formless]

I ghost-wrote a series of articles about GDPR. Mostly to get people to go to a seminar.

GDPR IN PLAIN ENGLISH (Part 5/5): What the C-Suite or Owners Need To Do About Their HR Practices (and a quick summary of the series)

In this post, press ctrl/cmd+f "Summary of the Series".

It's a bullet point list explaining the crux of GDPR in plain English.

If you wanna understand it like the back of your hand. Set aside an hour and read the directive itself. Most online resources (my own article included) are just boildown summaries or sales pitches for seminars.

 

[Andy Black]

I meant no disrespect @Andy Black . Although my language is direct and harsh. Andy, you touched my nerve here, but it's mine, not yours to deal with.



I know we shouldn't discuss politics like this and also go far from 'conspiracy theories'. I will make an exception here and hopefully it won't be against the rules (hence deleted). I don't blame the gov, or anyone else for my own outcomes.

This is just a short explanation and my thoughts.

1) This is not conspiracy for me. These are facts. The intelligence (any smart like CIA or MI6) can activate your phone without it showing signs of being active.

We all are wearing spying devices (phones) with microphones and cameras. Fact. If you don't believe you don't have to. I know you think The Dark Knight was just a movie. No. The Batman character doesn't exist.

There is no vigilante that will pull the plug as soon as he will finish it with the bad guys. I know we subconsciously seek this 'father' figure that will save us, but no. No father in real life. "Rich dad, poor dad". I can see Mr. K reaching into our pockets.... Save yourself with your own hands. Read below...

2) Yes, comparing ourselves to google is a big mistake. They can afford to bribe lawyers, politicians, even whole countries...

Nevertheless it gives you hints how to operate. Big guys have money (Apple's cash position is over $200BN... srsly... or even more, why would you need an excessive amount of money like this?! No, the answer is not 'because I can'). And we have flexibility. They don't. I treat laws as traps for small guys like I or you, set by big companies to stop competition.

While we cannot afford lawyers and accountants as good as the big guys. We can go unseen and do whatever we want. This is my advice. We cannot afford to waste time on useless 'laws' that don't bring any value to anyone...

Sorry for this, but I am fed up today. And also see that more and more people do not produce anything and still get 'food', out of producers pocket (forced on producers to 'share') which is just immoral and causes more problems...

It helps me going on.

KNOW YOUR ENEMY​

I find the FASTLANE the cure for this. I don't look for excuses. When you understand the system. You can outmaneuver it to your advantage. The FASTLANE brings hope, and balance so producers can keep the world revolving. Just don't pretend that taxation, laws etc... work to your advantage. Because mostly they don't....

Not sure how I’ve touched a nerve.

I need to get compliant, and ensure my clients are compliant too.

That’s it. Just another hurdle to step over.

 

[c4n]

Sites will need to have one of those popups for EVERY SINGLE COOKIE they set soon, according to the law interpretations I read. Not with GDPR, but the ePrivacy thing that is supposed to come in 2019.

Fortunately this is not true, the ePrivacy regulation will actually aim to simplify rules for cookies and exclude non-tracking cookies from consent.

A Wiki summary of goals: ePrivacy Regulation (European Union) - Wikipedia

The full proposal: Proposal for a Regulation on Privacy and Electronic Communications

 

[theag]

exclude non-tracking cookies from consent

Yea, but nobody cares about non-tracking cookies (e.g. shopping cart, etc). The tracking/remarketing cookies + lookalike audiences are the money makers. And those are the ones under attack by the new regulations.

You should read your wiki link again. They want to move from consent popups to browser settings to make it more user friendly, because obviously these popups are annoying. But if they make do-not-track standard in browsers, like some propose, its bye bye to profitable remarketing and even conversion tracking. The effects of this are obvious for everybody even remotely aware of how online marketing works. Its a business killer.

From what I have read there is already discussion of changing GDPR and ePrivacy before they are even in action, because they realized that its doing the opposite of what they intended, so who knows what exactly will happen..

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Andy Black]

I've just booked myself onto this. Dreading it.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[jon.M]

Ah yes GPDR ... kinda reminds me of the infamous "Affordable Care Act" here in the states -- sure it sounds great with good intentions, but the whole thing just looks like a revenue-racket. As the bureaucrats say, never let a good crisis go to waste when that crisis can be used to implement more fee-generating regulations.

B-b-but our leaders do everything for the good of the people. Because everyone are really concerned about their privacy. Forget that we stayed on Facebook during its recent crisis. Forget that we publicly post images of our kids on Instagram. Forget that we spend our days on Snapchat, which lets contacts see our exact location in real time.

 

[MJ DeMarco]

Therefore, US laws etc do not trump GDPR and it doesn't get "stronger" or "weaker" depending on the location of where you conduct business or the demographic you're actively targeting.

That's what I've been interpreted.

Only people who have never owned a business or held a position of authority within a company would have ever created GDPR.

All one needs to know is the regulation is 99 pages long, the perfect size so no one can understand or no one will read it, belaying an army of lawyers that can be hired for gazillions, and fines that have no limit (even capped at 20M) in their reach.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[theag]

I'm throwing up in circles over GDPR.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Everyman]

I meant no disrespect @Andy Black . Although my language is direct and harsh. Andy, you touched my nerve here, but it's mine, not yours to deal with.

I wouldn't call it dead, rather passive. EU won't investigate by themselves actively, but you as a consumer will get the support through these laws. Just ask yourself the question, if cliënt X sends me a mail with the question to give all his data.. and afterwards delete it. Am I able to do that, yes or no? Because you should be. But I agree, it's all a bit fuzzy. And if you want some nice freelance opportunities, getting ''hired" as a DPO to prepare for GDPR is a good choice.

I wouldn't simply wash it away. Comparing yourself to a Silicon valley gigant is never a good idea..

I know we shouldn't discuss politics like this and also go far from 'conspiracy theories'. I will make an exception here and hopefully it won't be against the rules (hence deleted). I don't blame the gov, or anyone else for my own outcomes.

This is just a short explanation and my thoughts.

1) This is not conspiracy for me. These are facts. The intelligence (any smart like CIA or MI6) can activate your phone without it showing signs of being active.

We all are wearing spying devices (phones) with microphones and cameras. Fact. If you don't believe you don't have to. I know you think The Dark Knight was just a movie. No. The Batman character doesn't exist.

There is no vigilante that will pull the plug as soon as he will finish it with the bad guys. I know we subconsciously seek this 'father' figure that will save us, but no. No father in real life. "Rich dad, poor dad". I can see Mr. K reaching into our pockets.... Save yourself with your own hands. Read below...

2) Yes, comparing ourselves to google is a big mistake. They can afford to bribe lawyers, politicians, even whole countries...

Nevertheless it gives you hints how to operate. Big guys have money (Apple's cash position is over $200BN... srsly... or even more, why would you need an excessive amount of money like this?! No, the answer is not 'because I can'). And we have flexibility. They don't. I treat laws as traps for small guys like I or you, set by big companies to stop competition.

While we cannot afford lawyers and accountants as good as the big guys. We can go unseen and do whatever we want. This is my advice. We cannot afford to waste time on useless 'laws' that don't bring any value to anyone...

Sorry for this, but I am fed up today. And also see that more and more people do not produce anything and still get 'food', out of producers pocket (forced on producers to 'share') which is just immoral and causes more problems...

It helps me going on.

KNOW YOUR ENEMY​

I find the FASTLANE the cure for this. I don't look for excuses. When you understand the system. You can outmaneuver it to your advantage. The FASTLANE brings hope, and balance so producers can keep the world revolving. Just don't pretend that taxation, laws etc... work to your advantage. Because mostly they don't....

 

[Everyman]

Not sure how I’ve touched a nerve.

I need to get compliant, and ensure my clients are compliant too.

That’s it. Just another hurdle to step over.

I don't like regulations, that's it.

Anyway I hope you will get it sorted properly.

 

[theag]

But seeing the 'accept cookies' thing whenever I visit a European site is just annoying. They're going to make it more annoying?

Sites will need to have one of those popups for EVERY SINGLE COOKIE they set soon, according to the law interpretations I read. Not with GDPR, but the ePrivacy thing that is supposed to come in 2019.

 

[johnp]

In the email industry it's a pretty big deal too. My company has been jumping through some crazy hoops for GDPR compliance. A lot of money was spent on new features and other stuff.

On the email side, I'd argue that GDPR is good for email. For example, now you now have to be really clear about what you plan to do when someone opts-into your list. It's even recommended that you make someone click a checkbox before they subscribe. Obviously there is more friction with that experience, but subscriber expectations are important for good email deliverability.

Thing that I'm worried most about with GDPR is remarketing and custom audiences.

My head hurts trying to figure this out, but it’s something we have to do.

Can anyone link to good resources that clearly explain what we need to do?

I'm not sure if this helps, but I'm pretty sure that Unbounce is on track for GDPR compliance in May.

I think (but could be wrong) that switching over to Unbounce should cover your clients on the landing page side of things.

 

[c4n]

Yea, but nobody cares about non-tracking cookies (e.g. shopping cart, etc).

I do, makes my software business easier Not only are those consent pop-ups annoying as hell, with the current directive you need to take in account country-level implementation to make sure your software is compliant throughout EU.

I agree with the rest of your post though and freaking hate the "privacy" bureaucrats.

 

[Chris McCarron]

B-b-but our leaders do everything for the good of the people. Because everyone are really concerned about their privacy. Forget that we stayed on Facebook during its recent crisis. Forget that we publicly post images of our kids on Instagram. Forget that we spend our days on Snapchat, which lets contacts see our exact location in real time.

Only people who have never owned a business or held a position of authority within a company would have ever created GDPR.

The primary aim of GDPR is protect PII from data breaches and being leaked online and to have one unified set of rules.

In theory this is positive and it's clearly directed at large global corporations that are consistently targeted by hackers.

The unfortunate side effect is that businesses of all sizes are quite rightly frightened by the imposing fines, and therefore within our entrepreneurial bubble, the new regulation is overshadowed by "can I email someone?".

I recently reached out to a business owner by email so that I could introduce myself and see if I could assist them. I shortly thereafter got a reply spouting GDPR and "spam".

Complete nonsense and devoid from logic or common sense. Additionally, unless it's a German resident's business email address, then business contact details do not constitute as PII. Therefore GDPR does not apply.

Not many people know this and I find it hard to fathom how much money businesses will miss out on by being too afraid to email professionals or by spending time to respond directly to professionals claiming that contacting them via their business details is against the new GDPR legislation.

This is where the bureaucracy, micro managing rules and laws has brought us: fear, expense, time-consuming nonsense that applies to every business - regardless of the size of the entity and if it has ever been or ever will be the target of hackers.

Furthermore, GDPR data breaches will in all likelihood not occur on servers owned by a typical business, but rather the tools, software and platforms hosted by third parties to store PII. For example Shopify, MailCheat(Chimp), Cloud storage etc.

Therefore, it's irrelevant and therefore not logical for GDPR to apply to any business other than the data processor.

Is it all bad? No
Is 99% of it precisely the same as the Data Protection Act? Yes
Is it something that people have demanded within the EU? No (well perhaps a tiny minority)
Should GDPR apply to my business? Absolutely not
Should GDPR apply to data processors? Yes, probably

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[ALC]

It's a complete non sense for Business owners, it's sure is right for the privacy of our data, but what a mess !..

 

[MJ DeMarco]

How can you enforce this on a foreign company?

My guess is the EU will become the internet Gestapo... don't pay your fines and they will strong arm the search engines and network data access to your website across the EU. Seems ridiculous, but when it comes to unelected bureaucrats and politicians, nothing surprises me anymore, just as long as you preface your liberty killing regulation with "it's for the children" or "it's for safety." SMH.

As with most gigantic regulatory BS (think "affordable care act") it sounds great simplified, but once it's put to paper and executed, not so much.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Limitless4Life]

Www.cvent.com/gdpr

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Sanj Modha]

It's just a tightening up of laws. I'd say it's more transparent which is a good thing.

 

[Andy Black]

I'm throwing up in circles over GDPR.

I’m not quite throwing up, just glazed over.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Andy Black]

In our consulting business we honestly tell our clients that we can't advise on GDPR and they should seek specialized legal advice if they want to be on the safe side. I think this is the only reasonable way to go as a service provider

Yeah. Clients need to take responsibility for this. Just figuring out how to raise this with them.

We don't do Facebook ads, just AdWords, and we do very little remarketing. That might make life easier. However, on landing pages we build for clients we install by default their Google Analytics code, heatmap code, and are trialing reverse IP lookup solutions.

I'm only finally looking at GDPR now. It's been that can of worms I've not wanted to open.

FB's privacy breach problems are already making waves in the FB ads environment and I think it might get a lot worse next month. Worst case FB ads become useless for a majority of businesses because targeting options disappear and the FB pixel needing an actual opt-in (what my lawyers tell me), rendering highly profitable remarketing useless (because nobody opts in), no more lookalike audiences and no way to track campaign performance. Unless you are willing to take the legal risks.

There is a high chance of GDPR killing off a lot of small advertisers and ruining businesses, while further strengthening FB's and Google's positions. A lot of the adtech companies might get serious problems. And the EU is clueless about the consequences of their doings.

Ouch. No more remarketing and no more look-alike audiences would have a big impact on FB advertisers.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[GoGetter24]

And the EU is clueless about the consequences of their doings.

More like they just don't care / do whatever they feel suits their bureaucratic selves. Fortunately, membership is still optional, unless Germany decides to "not optional" Europe again.

That said, the ability to request "delete all my data" suits me fine as a consumer. How enforceable it is, is another question -- it's impossible to know or prove if something has been deleted from everywhere.

But seeing the 'accept cookies' thing whenever I visit a European site is just annoying. They're going to make it more annoying? Is there a "remove EU sites from my SERP" option in Google?

 

[theag]

unless Germany decides to "not optional" Europe again

Not with the sorry state of our "army"

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Chris McCarron]

At the risk of self promotion, this video covers just about everything related to GDPR:

Hope it helps Fastlaners who need to understand GDPR.