The clock is ticking and there’s no more time to deny it or delay…

GDPR is here and if you’re still not compliant, it’s time to act!

Not sure how to become GDPR compliant?

Don’t worry – it’s not as scary as it looks. We know… we did it. As we’re a small brand, we do not have a data protection officer and did all of our GDPR ourselves. That means hours and hours of research and digging through the fancy GDPR legal wording.

You know what’s the toughest part? There are thousands of articles about GDPR, most of them vaguely talking about the changes, but failing to share actual steps to take or things to say to your audience.

That’s why we wanted to do this post – to share our GDPR experience, in hopes that it can help other brands learn something from our experience and get GDPR-ready in time.

Disclaimer: The tips shared in this post are aimed to provide background information to help you better understand how Only Way Online addressed some important GDPR legal points. Do not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.

What is GDPR

GDPR stands for General Data Protection Regulation and is a new EU law designed to protect the personal data of EU citizens. It might have been created for citizens of the European Union but it impacts thousands of businesses all around the world.

For, even, if you store data for one EU citizen (or have one EU subscriber), you still need to comply by May 25th. If you don’t, your business can be fined more than 20 million euros! For more info about what GDPR is and how it affects us, check out our last post.

Data Audit

The purpose of a data audit is to see what kind of data you currently hold and process, and to carry out a revision.

You need to know what kind of personal data you collect, where it’s stored, how it’s processed and who has access to it.

What We Did

Upon assessment of our two sites, Only Way Online and Your Brand Found, we concluded that the only data we collect are the subscriber’s name and email address from email opt-ins and enquiries potential customers send in.


That data is securely stored in our database and accessible only by our CEO and Content Manager. Because we know that all of our audience is over the age of 18, there’s no need for special data security measures to be implemented.

The data audit helped us identify the areas that needed improvement (better data organization and password protection). The next step was de-cluttering the data we currently hold. That meant weeding out all the inactive subscribers. Their data was deleted.

Privacy Policy

GDPR requires you to have a Privacy Policy that all subscribers have access to.

Here’s what it needs to include:

  • The identity and contact details of the controller, and of the data protection officer (if applicable). More info on who is a controller and data influencer right here.
  • What data you collect
  • The recipients of the personal data, if any
  • The purpose of processing the personal data
  • The period for which the personal data will be stored
  • How you use cookies
  • The individual’s right to their information (right to withdraw consent, the right to be forgotten, the right to request a copy of all held data).

What We Did

Here’s what the beginning of our privacy policy looks like:


Consent From New Subscribers

This is the GDPR biggie! You cannot collect or store personal data without getting the individual’s permission.

GDPR is much more strict about obtaining consent than the previous data protection legislature was. Previously, consent could simply be inferred from an action or inaction as long as it signified consent.

Now, however, the new legislature requires consent to be affirmative, “freely given, specific, informed and unambiguous”. Even if all you’re collecting from your audience is a name and email, you still need them to say they agree to it and are aware of what it means.

That’s right! It’s time to say goodbye to the pre-ticked boxes, a simple tiny text notification, or automatic placement in an email list. You can no longer force your audience to consent.

So how do you get consent under the new GDPR legislature?

There are two ways:

  • Using checkboxes that people must select in order to give consent
  • Using a double-opt-in (a form that requires confirmation opt-in).

Both are effective and legal, but we decided to use checkboxes to obtain consent on the Your Brand Found site.

What We Did

Here’s what our opt-in consent form looks like:


You’ll notice that it follows all the GDPR criteria:

  • A checkbox the contact must select to agree to the terms of service and privacy policy with a link to them. It’s very important as this is where people allow you to process their data. We’ve revised our terms of service and privacy policy info to make it more understandable and unambiguous, and made the checkbox – mandatory.
  • A checkbox the contact must check to give consent for each business activity we employ (in our case – email marketing), with a clear explanation of what they will receive if they submit the form.

These boxes cannot be pre-checked. GDPR makes it very clear that the consent must be affirmative, meaning the individual must take a specific action to confirm that they accept.

Last, but not least, we made sure we had an automated system in place to collect the consent. That’s because, under GDPR, companies need to be prepared to share a record of consent with regulators, if asked. You need to record the IP address, location, time the consent was given, and text of consent (or a screenshot of it).

Consent From Old Subscribers

This was the biggest question: do we need consent from old subscribers? Most articles around GDPR think so. After all, it seems that your previous subscribers never affirmatively consented to you sending them marketing material.

At the same time, we knew that if we unsubscribe all of subscribers and ask them to re-consent, we will probably lose most of them. So, a decision was made to not go down without a fight…or at least a bit of good ol’ research…

And guess what? It paid of! Looks like we can keep our subscribers.

Now, bear with me and some legal talk here… GDPR legislature says that direct marketing is usually a ‘legitimate interest’ of the data controller, a non-consent based ground for data processing. So, most of the marketing that is currently done is legal because it’s sent out on an opt-out basis (not opt-in consent). So, if a business’s marketing was never based on consent, there’s no need to seek fresh consent.

Before you start celebrating or think that GDPR can be ignored, know that there are steps you still need to take. Since you have a brand new, or updated privacy policy, talking all about people’s rights under GDPR, you need to make sure your subscribers know about it. Also, take this opportunity to check that there’s a unsubscribe option clearly visible in every email.

What We Did

Since our marketing was sent out on an opt-out basis, we exhaled and rejoiced in the fact that we won’t have to say goodbye to our lovely subscribers. As soon as the celebrations wore off, we sent out an email to all our subscribers – sharing the news of our updated privacy policy and letting them know they can unsubscribe at any time.



There’s nothing GDPR leaves out… So, of course, the cookie policy also needs to be GDPR compliant.

That’s right – it’s no longer enough to just have a pop up that says “this site uses cookies.” Now, you have to give people the option to turn them on or off.

That choice is up to you. You can have a pop-up that lets users turn cookies on, one that lets them turn them off, and one that has both options. Each is acceptable under GDPR, as long as people have a choice.

What We Did

We chose to give people both options. As soon as a user visits our site, a popup appears that lets them choose to keep the cookies on or off. If the user continues to browse the site after a fair notice, that means we have their consent to keep the cookies on via affirmative action.

As for setting up the new cookie notices, there are a lot of services that let you do that, but we used the free Cookie Consent and were happy with it.

gdpr-compliant-cookies.jpg 2018-05-25 10-25-59

Personal Rights

Under the new GDPR legislature, people have eight major rights. Some date back to the previous data protection law, and some are new to GDPR:

Let’s break these down:

The right to be informed

EU citizens have the right to be informed about the collection and use of their personal data. Companies are required to be transparent about what data they’re collecting, what it will be used for, who will have access to it, and how long it will be retained.

What We Did

We complied with this rule by including all this info in our Privacy Policy, which users can see when they’re making the decision to share their personal information.


The right of access

It means that people have the right to know whether their data is being processed, and to access their information.

What We Did

So, how did we implement this? As mentioned before, our opt in form has a choice to allow us to contact the subscriber and process their data. That is clearly visible. As for the right to request, our Privacy Policy says that we will send a copy of the data we hold, if personally emailed about it. We’ve implemented a process to do this.


The right to rectification

Under GDPR, people have the right to have inaccurate personal information corrected. They can make a request verbally or in writing, and controllers have a month to respond.

What We Did

We listed this right in our Privacy Policy, complete with a contact email, and have a process in place if someone makes a request.


The right to erasure

Also known as the “right to be forgotten” this is an all new right, brought about by GDPR. It states that EU citizens can request to have all their data forever erased. This request can come verbally and in writing, and you, as a business, then have a month to carry it out.

What We Did

As with the right to rectification, this right is listed in our Privacy Policy, and we have a process in place if someone makes a request.


The right to restrict processing

People now have the right to request the restriction or suppression of their personal data. The request can be made verbally or in writing and must be carried out within a month.

If a user restricts processing, a company is allowed to store the data but not use it. However, this right is not absolute and only applies in certain circumstances.

What We Did

Our subscribers can always restrict us from processing their information simply by contacting the email listed in the Privacy Policy, under their right to do so.

The right to data portability

This right allows individuals to obtain their personal data from one source to be reused for a different one. Thus, it becomes very easy to move, copy or transfer personal data from one IT environment to another. This is great for the user because they can give that data to services that will get them a better deal.

What We Did

As, the only data we collect is the name, email, and company, we seriously doubt anyone will want to obtain and transfer that data to another source.


The right to object

The new GDPR legislature gives individuals the right to object to the processing of their personal data, and stop it from being used for direct marketing. The request must be made verbally or in writing and carried out within a month.

The only way businesses can object is if they show that they have a compelling reason to continue processing data.

What We Did

If our subscribers do not want us to use their data for marketing purposes, they can always contact us through the email listed in our privacy policy. At that point, we have a process in place to take them off our mailing list.


Rights in relation to automated decision making and profiling

This right means that GDPR also applies to all automated individual decision-making and profiling. Under this new right, you can only process data automatically if it’s based on the individual’s consent, is necessary for the entry into or performance of a contract, or is authorised by Union or Member state law.

If that’s the case, you need to let individuals know their information is being processed, and make it easy for them to request human intervention. It’s also a good idea to carry out regular checks to make sure everything is working.

What We Did

We do not have any automated individual decision-making and profiling. Thus we did not have to worry about this right.

Preparation for Data Breaches

GDPR is designed to limit the number of data breaches and to make sure individuals are aware of them, if they happen.

The new law says that if the company gets hacked, leaks, or loses some personal information, and there’s a risk to people’s rights, there are 2 things that must be done within 72 hours:

  1. Report the data breach to your local data protection regulator.
  2. If there’s a high risk to the rights of the people, the company must inform the affected individuals.

What we did

To prepare for this, we made sure that our entire team was on the same page and knew how to react if a breach were to happen. We also set a processes in place to allow a data breach to be assessed and researched.

Final Thoughts

GDPR, that big scary monster many have been fearing for months, is here. The good news, is that it’s not as scary as it looks. In fact, many of the processes it reinforces are not new – they existed with the old data protection act.

It just means you need to make some changes to your site, processes, and privacy policy, to ensure that people are consenting to you collecting and using their data, and that their data is safe.

But remember – GDPR Compliance is not a cookie-cutter process. Every business is different and requires a different approach. Our goal was to pull back the curtain and show you how we did GDPR.

Hopefully, there’s a thing or two you can implement in your GDPR strategy.

Pin It on Pinterest

Share This