If you have an online business or an email list that you communicate with, you’ve probably heard the rumblings around the internet about the EU’s new General Data Protection Regulation (let’s just call it GDPR, shall we?). This new regulation goes into effect May 25, 2018 and in an effort to understand what it is, what it means to online marketers, and what we need to take action on, I’ve invited Bobby Klinck, an intellectual property attorney, to help us navigate all things GDPR. Bobby is not only an attorney, but he is an entrepreneur himself, so he really has his finger on the pulse of what online entrepreneurs need to do to protect themselves. Let’s dive in and figure this all out! What is GDPR? GDPR stands for “The General Data Protection Regulation” a privacy law from the European Union that goes into effect May 25, 2018. Even though it’s a European Union law, all online entrepreneurs need to be paying attention because the GDPR will mean major changes for the way we operate. What activities are covered by the GDPR? The GDPR applies to the processing of personal data. Processing is a fancy word for, “doing anything with data”. You should assume it covers everything you do with all of the data you collect from individuals from collection to deletion (and at every point in between). Only applies to personal data which is anything that is associated with, or related to, someone who is identified or who you can identify. Identified includes: names, email addresses, physical addresses, and most people agree it includes IP addresses and other info collected automatically (usually collected by Google Analytics). Also includes any type of processing and information that you’re adding to your contact database. This could be information that you collect automatically, through an opt-in or any other collection method. (ex: surveys, quizzes, etc.), or through tagging or segmenting in your CRM database. These activities are included because you are effectively “monitoring” what people are doing. Who does the GDPR apply to? The GDPR will apply to any relationship or transaction (commercial or free) where one of more of the parties is in the EU. It is not based on citizenship, it’s based on where they are when you are interacting with them. If you are an online entrepreneur or marketer based in the European Union, you must comply with the GDPR across your entire business. The means that if you are collecting data from someone in the US, you still have to comply. If you are an online entrepreneur or marketer based outside of the EU, you must comply with the GDPR when we are interacting with or collecting data from people in the EU. This is where things get complicated! There are some instances where it doesn’t apply if you’re outside the EU . How Does GDPR Apply to Non-EU Entrepreneurs? A non-EU entrepreneur has to comply when processing of people in the EU. But ONLY if the processing is related to: Offering products or services to people in the EU (paid AND free) - that means a lead magnet counts! Monitoring the behavior of people in the EU (as mentioned earlier) Here’s where the GREY ZONE enters in: People are not sure how the territorial limits will apply. Questions you may be asking: What about people who don’t knowingly collect information? Ex: Facebook Ads: Bobby focuses on people only in the US. He’s not actively trying to attract people in the EU. But when he looks at his list, about 5% are in the EU. He’s not going to refuse doing business with this 5%, so he will have to comply with GDPR when he’s interacting and handling data with this 5% from the EU. What about adding a disclaimer that says you only sell to people in the US? Unfortunately, there are not crystal clear answers to these questions, but let’s dig into the language and details and see how this pertains to you. 6 principles of the GDPR #1: Data shall be processed “lawfully, fairly, and in a transparent manner.” You have to be upfront about what you are