This is not legal advice, but I did just listen to a webinar re: GDPR and here is my educated advice…. 🙂

Simply said:  GDPR begins 25 of May for the European Union but pertains to ANYONE who markets to contacts that reside in the EU.

You will be held responsible for any action you do related to any/all contacts that you contact in EU.

5 Steps to Compliance



Right to Be Informed.

  1. You need to tell your customers how you plan to process their data, how you won’t process their data & when you’ll be done with it.
  2. You should post your privacy policy on your website & link to it when customers are giving you their information:
    • Web forms
    • Oder Forms



In order to process someone’s data (marketing to them), you have to have a lawful basis for doing so. And you must have documentation (I suggest Tags) that shows you have received one/all of the below 3 areas of consent:

  1. Informed Consent

    • If you have ANYONE on your list that you don’t have a history of consent for, then you will need to identify who they are and send them a Consent Request Email that leads to a Consent Form
      • It’s best to not communicate with anyone that you don’t have proof of explicit consent and who doesn’t complete the form
      • I suggest – for now, only do this with your EU contacts – but know that this is just the first roll out of these mandates, so don’t be surprised when more and more countries pass a similar law
    • Update all published/active web forms/ order forms
  2. Performance of Contract

    • Let’s say you sold a service to someone then it’s natural you will process their information to communicate with them
      • You will have to determine the time-frame that communication is acceptable
      • Be Conservative or Be Risky on the time-frame, you decide
  3. Legitimate Interests

    • This is a little more technical—you have balance the right to market vs using their sensitive information. Should speak to lawyer about this one.




  1. You must be CLEAR about what consent you’re asking for
  2. DON’T PRE-CHECK your consent check boxes. This ensures your contacts are explicitly giving consent.
    • EX language for checkbox:
      • Yes, I would like to continue receiving emails and other communication as described in your privacy policy. (link to policy)
    • If you will be subscribing them to other lists, campaigns, etc, you may want to also list those other offers as individual check boxes
  3. You need to be able to SHOW PROOF of consent for prospects and customers who have granted it.



Create a form that lives on your site so that your customers/contacts can exercise their:

  1. Right to Be Informed

    • Link to your privacy policy
  2. Right to Object, Request Erasure, Restrict Processing

    • You need to give them a way to stop receiving communication from them and that you no longer retain their data
    • If the Contact requests to be erased from your system via your CRMs unsubscribe link, then that CRM should erase their data & you will not be able to re-import them
  3. Right to Data Access and Portability

    • This one is a little crazy to me, but basically, if a contact requests their data, you need to be able to give them all the data you’ve processed about them, in an easy to read and understand format so that they can transfer that data to another “system”
    • Suggest just emailing them an export of their contact details
  4. Right of Rectification

    • If your contact requests you update their information, you need to be able to do this

Have a link to this form in your Privacy Policy

  • Don’t fill this form out for them



You may be obligated to appoint people to the following roles:

  1. Data Protection Officer (DPO)

    1. This position is specific to the depth of the data of information you are processing
      1. Areas such as the below require a Data Protection Officer
        1. Political
        2. Racial
  2. EU representative (must reside in the European Union)

    1. Anybody that doesn’t live in the EU, but is affected by the mandate b/c they market to EU residents – needs this person
    2. This person represents you/your business inside the EU

You will need to document these people in your CRM



  • Do I need to RE-OPTIN my entire list?

    • To be on the safest side, yes, especially if you have not been getting documented consent in the past.
    • Legally, you are only required to get documented consent from all your EU contacts that you don’t already have documented consent from.
  • Do I need to do double-optin?

    • This is not required.
    • The front-end of the process is what’s important.
  • If someone requests to be erased, do I need to remove them from all channels that I have added them to:

    • Facebook Groups
    • Membership Sites
    • Google Docs
    • Skype
      • Best response is to advise them where all you have added their access to and clarify if they want their data deleted from those places as well, if they do, best to advise them on how they can remove themselves or set up a process that you can quickly process their request.
  • What happens when an erased contact completes a web form or order form in the future?

    • Web Forms:
      • The compliance is on the CRM you use:
        • They should have a list of erasures from your app/account and if that contact tries to re-optin, they should see a message of denial
    • Order Forms:
      • Contact will be accepted into the CRM and all the data they had erased will not be reinstated except for transactional history, this will be accessible