Are You Ready For GDPR Compliance?


By: Drew McManus

On May 25, 2018, the European Union’s (EU) new General Data Protection Regulation (GDPR) regulations related to personal data collection will go into effect.  A quick google search will produce a wide range of sources capable of providing an overview but in a nutshell, it means that if your organization processes personal data of EU citizens, you must comply with required consent measures.

If your organization collects and stores user EU citizen data (often referred to in the regulations as “data subjects”), the individual providing the information needs to be aware of it and give permission before any action is taken.

Along with providing permission to collect data, the GDPR requires that users can request access to their data and have it removed if requested.

One of the more common areas where this will impact your organization is in email marketing opt-in forms and e-commerce checkouts.

Making those forms GDPR compliant is pretty straightforward; in most instances it means included checkboxes for opt-in consent, and editable sections that explain how and why you are using data.

Most major email marketing providers are already incorporating these elements into opt-in and user account functionality, but you’ll want to check with your e-commerce provider and modify any other forms you manage directly that are used to collect user information.

[box type=”alert”]Disclaimer: this is not legal advice, as always, check with legal counsel for rock solid legal advice.[/box]

What Qualifies As Personal Data

Anything that can identify a living person directly or indirectly, such as:

  • Name
  • Address
  • Email address
  • Social security number
  • Location data
  • IP address

The Rights GDPR Provides

Data subjects have the following rights concerning their personal data

  1. Information
  2. Access
  3. Rectification
  4. Erasure
  5. Restrictions on processing
  6. Data portability
  7. Objection
  8. Revision of automated decisions or profiling

Providing Consent

Providing data subjects with a way to provide consent is key to the regulations

Single Opt-in

This is very straightforward, something as simple as a required opt-in checkbox that states “I consent to my submitted data being collected and stored” will suffice.

Marketing Permissions

This should describe why your organization is collecting the information on your form. Example:

ArtsHacker will use the information you provide on this form to be in touch with you and to provide content updates and marketing.

Opt-in Options

A straightforward checkbox field for each messaging point of contact will suffice. Example:

Please let us know all the ways you would like to hear from us:

  • Email
  • Direct Mail
  • Customized online advertising (i.e. targeted search results and social media ads)

Legal Text

Explains how your organization plans on using the data, identify your organization (including any parent company), others besides your company that will be processing user data, a Cookie Statement, and indicate how data subjects can opt-out and obtain a copy of their information. Example (this sample is from the suggested Legal Text provided via ArtsHacker’s MailChimp account):

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By submitting your information, you agree that we may process your information in accordance with these terms.

Privacy Policy and Terms

This information should clearly explain how and where storage activity occurs. This is where things can get rather involved, especially if you share that information with third party providers. Some examples of storage activity and their locations include, but are not limited to:

  • Websites: database plus plugins and add-ons from third party providers that may collect usage data.
  • Files: documents, spreadsheets, databases, PDFs.
  • Storage and backups: computers, portable drives, USB sticks, DVDs, online.
  • Cloud storage: Dropbox, Google Drive, Amazon S3, etc.
  • Intra
  • Email and email attachments.
  • CRM and ticketing systems.
  • Email marketing providers.
  • Social media platforms.
  • Messaging apps (such as Slack, Facebook Messenger, etc.)
  • Productivity and connectivity apps such as Zapier, Trello, Basecamp, etc.
  • Good old-fashioned paper and electronic records you store in the office.
Drew McManus
Drew McManus
In addition to my consulting business, I'm also the Principal of Venture Industries Online but don’t let that title fool you into thinking I'm just a tech geek. I bring 20+ years of global broad-based arts consulting experience to the table to help clients break the cycle of choosing one-size-fits-none solutions and instead, deliver options allowing them to get ahead of the tech curve instead of trying to catch up by going slower. With the vision of legacy support strategy and the delights of creative insights, my mission is to deliver a sophisticated next generation technology designed especially for the field of performing arts. The first step in that journey began in 2010 when The Venture Platform was released, a purpose-designed managed website development solution designed especially for arts organizations and artists. For fun, I write a daily blog about the orchestra business, provide a platform for arts insiders to speak their mind, lead a team of intrepid arts pros to hack the arts, lead an arts business incubator, and love a good coffee drink.
Author Archive

Leave a Comment