You might have seen the term ‘GDPR’ across the web a lot lately… but what is it? You might know that it has something to do with data and something to do with Europe, but if you’re like a large percentage of small businesses, you’re not really across what it is yet.
Essentially, if you’re a company anywhere in the world (even Australia!) and you work with customers in the European Union, or you just have site visitors from the EU, you need to pay attention and comply with the law.
This post is my understanding of the essentials that small businesses need to get across for GDPR for their digital marketing. However, GDPR isn’t just about digital marketing, it’s also about data security, so I recommend you check out some of the other resources online to make sure you’re compliant.
There are great summaries online for small business, there’s the GDPR website, or you might just want to talk to your friendly neighbourhood lawyer. I am not a lawyer, and this is my understanding of GDPR, so if you want to dig deeper into other resources across the web and consult a legal expert, I recommend you go for it.
So… what is the GDPR?
GDPR stands for General Data Protection Regulation. It’s a new law from the EU to regulate how personal data is handled and it kicks off May 25th, 2018.
In short, it gives individuals more control over their personal data – we choose who has our data and what they can do with it.
So for your business, you need to help your customers understand why you’re tracking them, what you’re doing with their data, their right to opt out and their right to have their data deleted.
Oh, and there are some pretty massive fines if you don’t comply.
This is a pretty great overview:
Is this even relevant to me?
If you have customers or website visitors in the EU, you need to comply with the new legislation. Big businesses (over 250 people) need to get pretty serious with their record keeping, but smaller businesses don’t need to be as detailed – and, to be honest, probably use third-party tools to manage that data (for example, your email newsletter provider). You are still responsible for ensuring that those providers are on top of protecting that data.
Here’s a little flowchart I’ve created to help you think about it:
What you need to be across
In terms of your digital marketing, there are a few things you need to be across in terms of what customer data you have access to, and giving your users the right to consent. (There’s also more to do with data protection, but I’ll just be talking about the marketing stuff here.)
What are you tracking?
For many of us, the customer data we are tracking will come down to two things: your email newsletter, and your online ad retargeting (i.e. your Facebook Pixel if you have one).
So let’s jump into these in more detail…
Mailing Lists or Newsletters
Australia has some pretty ace laws around email spam already, so if you’ve been a good little digital marketer, you should already be fairly compliant with GDPR. Hooray!
The highlights of GDPR for your email list are:
a) Ensure people have explicitly consented to be on your list and you have a record of it (for example, they signed up on your website, i.e. gave consent; your email provider will have proof of this).
b) If you think you have people on your list who haven’t consented, then you will need to get consent before May 25th 2018. (If you’ve added people to your email list when they’ve given you their business card, or you have bought an email list, they probably didn’t explicitly state they wanted to be on your newsletter. Email your list asking for everyone to opt-in to your emails now as it also applies to existing people on your list.)
c) You need to give people the option to unsubscribe from your list, such as in the email footer. This is a default for all good email providers, many of whom won’t let you send an email without this.
The new thing that many businesses may need to update on their website is that when people sign up for your email list, they need to give explicit consent to be on your list.
Now, many of us use lead magnets to grow our mailing list, where we send an amazing free resource in exchange for an email address with a fast-and-loose caveat of ‘by getting this resource, you’re also signing up to our email list’. Now, there is no grey area: you need to get consent to add the user to your email list.
In most cases, this is an additional tick box on your signup form, with a link to your privacy policy. And no, the box cannot be pre-ticked. (This is a great guide here and also here.)
Many email providers like Mailchimp are providing tools to update their signup forms, so you may need to update your website to include a checkbox to capture explicit consent. If you use a plugin with your WordPress site to get signups, see if your plugin provider has updated it for additional GDPR consent.
For those of you doing B2B sales, this blog post is a great read which covers a few more angles of email marketing which you might want to be across:
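As an added example (not code from the original post, and not any email provider’s or plugin’s own code), here is what the explicit-consent checkbox looks like on both sides of a signup form: the form markup with an unticked box and a link to the privacy policy, a quick check you can run over your own page templates for pre-ticked boxes, and a server-side handler that only records a subscriber when the box was actually ticked and keeps a proof-of-consent record (what they agreed to, which policy version, when, and later when they unsubscribed). The consent wording, the policy version label, the `/subscribe` action and the sample submissions are all assumptions made up for the example.

```javascript
// Added example, not from the original post: explicit-consent signup handling.

// Wording shown beside the checkbox. Storing it with each record means you can
// later show exactly what the person agreed to.
const CONSENT_TEXT =
  "Yes, add me to the newsletter. I have read the Privacy Policy.";
const POLICY_VERSION = "2018-05"; // assumed: a version label for your policy text

// A browser only includes a checkbox's name in the POST body when the box is
// ticked, so the form must NOT carry a `checked` attribute (no pre-ticking).
function signupFormHtml(policyUrl) {
  return (
    '<form method="post" action="/subscribe">\n' +
    '  <input type="email" name="email" required>\n' +
    '  <label><input type="checkbox" name="consent" value="yes"> ' +
    CONSENT_TEXT.replace(
      "Privacy Policy",
      '<a href="' + policyUrl + '">Privacy Policy</a>'
    ) +
    "</label>\n" +
    '  <button type="submit">Subscribe</button>\n' +
    "</form>"
  );
}

// Heuristic check for your own templates: does any <input type="checkbox">
// carry a `checked` attribute, in either attribute order?
function hasPretickedCheckbox(html) {
  return /<input\b(?=[^>]*\btype=["']?checkbox\b)[^>]*\bchecked\b/i.test(html);
}

// `fields` is the parsed POST body; `meta` carries server-side context.
// Compare against the exact value the form emits rather than truthiness, so a
// framework default or a stray "on"/"true" never counts as consent.
function handleSignup(fields, meta) {
  const email = String(fields.email || "").trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    return { ok: false, reason: "invalid email" };
  }
  if (fields.consent !== "yes") {
    return { ok: false, reason: "consent box not ticked" };
  }
  return {
    ok: true,
    record: {
      email,
      consentText: CONSENT_TEXT,
      policyVersion: POLICY_VERSION,
      source: meta.source,                 // e.g. "website-signup-form"
      consentedAt: meta.now.toISOString(), // clock is passed in for testability
      withdrawnAt: null,
    },
  };
}

// Unsubscribing keeps the record but marks the withdrawal, so you can show both
// that someone consented and that you honoured their opt-out.
function unsubscribe(record, now) {
  return Object.assign({}, record, { withdrawnAt: now.toISOString() });
}

// Constructed sample submissions (not real people).
const now = new Date("2018-05-20T09:00:00Z");
const meta = { source: "website-signup-form", now };
const ticked = handleSignup({ email: "Ann@Example.com", consent: "yes" }, meta);
const unticked = handleSignup({ email: "ann@example.com" }, meta);
const tampered = handleSignup({ email: "ann@example.com", consent: "true" }, meta);
console.log(ticked.ok, unticked.ok, tampered.ok); // true false false
```

The point of `handleSignup` is that the server, not the browser, is the place where "the box was ticked" is decided and recorded; the HTML only makes sure the default is unticked. `hasPretickedCheckbox` is a rough regex, so treat a hit as something to look at rather than proof.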
- consent for email automation or multiple lists
- 1-to-1 cold emails are fine
- if you have a website form asking for a demo, you need to justify what data you’re asking for and why
GDPR To Do Item: Ensure everyone on your email list wants to be on your list, and there’s an easy option for them to get off your list. Ensure new subscribers explicitly consent to joining your list with a checkbox.
Ad Retargeting (or tracking users with the Facebook Pixel)
Online ad retargeting is a little bit of a tricky one, because the responsibility to inform the user of tracking lies with whoever owns the data (or, in GDPR lingo, the ‘data controller’ vs the ‘data processor’). So, informing the user sits with different parties based on the type of retargeting.
For example, if you are sending ads to people based on your personal email list, you are responsible for that data. But if you’re sending ads to people based on their online activity on a social network (i.e. people who Like your Facebook Page), then Facebook has responsibility for that data.
So – a quick rundown of who is responsible for different ad targeting, with a big hat-tip to this post from Blacktypedigital:
- Ads to people based on website visits – you need to tell your users
- Ads to people if they are on your mailing list – you need to tell your users
- Creating a Facebook Lookalikes audience based on a contact list or website visitors – you need to tell your users
- Ads to people based on social media activity i.e. Page Likes – Facebook needs to tell them
- Creating a Facebook Lookalikes audience based on activity on Facebook (i.e. people who RSVP to a Facebook event) – Facebook needs to tell them
Hopefully, you get the idea – if you have the ‘raw’ personal data with people’s info, you’re responsible for telling your users about what’s going on.
These two articles also have great summaries about Facebook ads and who has the obligation to inform the users here and here.
Okay, so if you’re using any retargeting pixels and running ads with them, you might be asking how you now need to ‘ask for consent’. Well, you might have noticed a little pop up on websites across the web lately where websites are telling you that they’re tracking you. They are called “cookie consent” boxes.
They are a little pop up that asks users to consent to being tracked, and look a little something like this:
These cookie consent boxes look pretty different on different sites: sometimes they are a pop-up, sometimes a whole page. If you’re going down the pop-up road, IAB Europe has provided some sample text if you’re not sure what to put, especially if you’re serving ads on your site, too:
“We use technologies, such as cookies, to customise content and advertising, to provide social media features and to analyse traffic to the site. We also share information about your use of our site with our trusted social media, advertising and analytics partners. Privacy Policy available here.”
So, cookie consent boxes have been around for a long time, but the big change with GDPR is that it’s not just about letting users know that you’re tracking them, it’s that users now have the option to opt-out and refuse to be tracked.
If you’re using WordPress, there are many cookie consent plugins that simply notify the user that you use cookies. It’s my understanding that this isn’t enough under GDPR, because the intention is to give people the option to choose – they should be able to accept cookies, decline cookies or change their mind.
Due to this, I’ve given the WordPress plugin EU Cookie Law a go, specifically because it gives users the option to refuse cookies and, if they change their mind, they can go to my Privacy Policy page and opt in.
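To make the difference concrete, here is an added example (not code from the original post, and not the EU Cookie Law plugin’s own code) showing a notify-only banner beside a consent manager that actually gates the pixel on the visitor’s choice, remembers it across page loads, and lets them change their mind. The storage key name, the in-memory storage stand-in and the `loadTrackers` hook (where your pixel snippet would go) are assumptions made for the example; it runs under Node so the logic can be checked without a browser.

```javascript
// Added example, not from the original post: notify-only vs consent-gated tracking.

const CONSENT_KEY = "cookie_consent"; // assumed storage key

// The weak pattern: the banner is informational and the pixel loads regardless.
function notifyOnlyInit(loadTrackers) {
  loadTrackers(); // fires before the visitor has said anything
  return { bannerShown: true };
}

// The gated pattern. `storage` is anything with getItem/setItem/removeItem
// (window.localStorage in a browser; the in-memory object below in tests).
// `loadTrackers` is only ever called after an explicit "accept".
function createConsentManager(storage, loadTrackers, clock = () => new Date()) {
  let loaded = false;

  function current() {
    const raw = storage.getItem(CONSENT_KEY);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  function load() {
    if (!loaded) { loaded = true; loadTrackers(); }
  }

  function save(choice) {
    storage.setItem(CONSENT_KEY,
      JSON.stringify({ choice, at: clock().toISOString() }));
  }

  return {
    // On page load: honour a stored "accepted", otherwise tell the caller to
    // show the banner. Nothing is loaded on a fresh visit.
    init() {
      const c = current();
      if (c && c.choice === "accepted") load();
      return { showBanner: c === null, choice: c ? c.choice : null };
    },
    accept() { save("accepted"); load(); },
    decline() { save("declined"); },
    // Change of mind: forget the stored choice so the banner reappears. A pixel
    // already loaded into this page cannot be unloaded, so the caller should
    // reload the page so it starts clean.
    withdraw() { storage.removeItem(CONSENT_KEY); return { reloadRequired: loaded }; },
    choice() { const c = current(); return c ? c.choice : null; },
  };
}

// In-memory stand-in for localStorage so this runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Walk through one visit: fresh page, decline, then accept on the policy page.
function demo() {
  let pixelLoads = 0;
  const storage = memoryStorage();
  const cm = createConsentManager(storage, () => { pixelLoads++; },
                                  () => new Date("2018-05-25T00:00:00Z"));
  const first = cm.init();         // banner shown, nothing loaded
  cm.decline();
  const afterDecline = pixelLoads; // still 0
  cm.accept();                     // visitor changes their mind
  const afterAccept = pixelLoads;  // 1
  cm.accept();                     // a second accept does not load twice
  return { first, afterDecline, afterAccept, finalLoads: pixelLoads, choice: cm.choice() };
}

console.log(demo());
```

The design choice worth noting is that `init()` on a fresh visit returns `showBanner: true` and loads nothing; the only path to `loadTrackers` is a stored or freshly given "accepted". That is what separates this from the notify-only plugins the post describes.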
GDPR To Do Item: Set up a pop up for your users to choose whether or not they consent to you tracking them with cookies, and they can choose to not be tracked.
Setting up a Privacy Policy
Those of you with eagle eyes will have noticed that all of these methods of consent point to this thing called a Privacy Policy. Now, we’ve seen privacy policies by big businesses – but it’s not something many small businesses have (until now!).
Now, one of my favourite parts about the GDPR is that privacy policies must be in ‘plain English’. Or, as I like to think of it: something your Mum could understand.
This means writing your privacy policy (potentially with the help of your friendly neighbourhood lawyer) will be a lot simpler because you’re not using legal jargon. You’re just explaining what data you’re collecting and why. And let’s be honest, we know why we’ve got a mailing list and how we’re segmenting those lists. We know why we’ve got a Facebook Pixel and if we’re retargeting users. Being transparent is the way to go here.
So the simplest way to set up a Privacy Policy is to create a new page on your website, and write a privacy policy which covers off what data you’re using and why.
I fell in love with this no-nonsense template from Thrive to walk you through how to clearly spell out what data you do, or do not use, in your Privacy Policy. There’s also a really great guide from e-consultancy about different ways to inform users with privacy notices across your site.
I also added a link to my privacy policy in the footer of my website for easy access, so it’s accessible from every page of my site.
You can check out what I’ve done with my privacy policy here (and if you think your Mum wouldn’t get it, let me know!)
GDPR To Do Item: Create, or update, the privacy policy on your site.
The GDPR lowdown
So, from the digital marketing side of GDPR, there is a little bit of work if you’re a small business, but, to be honest, it can be done and dusted in a couple of hours. I recommend you check out the full set of GDPR regulations and how they apply to small businesses, because there are a few more things that you need to be across in terms of data security and documentation.
My digital marketing checklist for the essentials for GDPR includes:
- Ensure everyone on your email list has explicitly stated they want to be on your list, and there’s an easy option for them to get off your list.
- Set up a pop up for your users to consent, or not, to cookies and online ad retargeting.
- Write a privacy policy and put it on your site.
I know it can seem like a lot of work to get across GDPR, but it’s all for a bigger, more important cause of data transparency, autonomy and consent across the internet. And that’s a checkbox I’m sure we’d all agree on!
Want to work with Rachel?

She’s worked with local, national and global companies, in addition to not-for-profits and government bodies. She loves helping businesses tell their stories with creative and data-driven solutions.
She is based in Sydney, Australia.
Want to work together? Rachel would love to hear from you. Get in touch today.