GDPR and you

I’ve had a few clients ask me about GDPR – the new version of Europe’s privacy laws, applicable from May 2018.  A question asked 3 times should be a blog post; here are the answers as I understand them.

Firstly, the obvious disclaimer:  I’m not a lawyer.  I don’t pretend to know enough to give legal advice.  This is my best guess at understanding the laws, but I might be wrong – please get appropriate legal advice.

The questions about GDPR have boiled down to two things…

  1. “Is Infusionsoft itself compliant?” and
  2. “I use Infusionsoft – does that mean I’m automatically compliant?”

Here’s my take on the answers.

Question 1:  Is Infusionsoft itself compliant?

As a user of their system, you may have received comms directly from them.  You may also have noticed the new features (check the what’s new area, if not).  My understanding is the answer is yes, and they are/will be working under the EU Model Contract.  (Obviously, I’m not a representative of Infusionsoft, and can’t talk on their behalf.)

Here are a couple of links where they talk about the system and their own readiness.

There are other notes, emails, blogs and so on from the company discussing this.

Question 2: Does using Infusionsoft automatically make you compliant?

No.  That’s partly because everyone uses Infusionsoft differently.

But also because you almost certainly have information elsewhere.  In your website, your email account, your finance package, payment gateways, any tools such as landing pages or surveys, pixeling or analytics, and many more possible places.

Keep in mind that although GDPR is a big event with lots of noise at the moment, many of its requirements are not new.  Much of this has been in law since the mid-1990s.

Other thoughts

Most of it is good common sense.

Let’s read that again.  The core basics of the law are simple common sense.  It…

  • asks you to know what data you keep about people.
  • asks you to have a good reason to have it.
  • expects that you’re able to correct or delete it on request.
  • asks you to take reasonable precautions to protect it.

Is that hard, or unreasonable?

It’s a law that lets you choose to balance your company’s need vs. the individual’s privacy need.

The more data you have, and the more personal it is, the more you need a good reason for keeping it.  There are several types of good reason, and you may fall into more than one category.

That makes it a bit confusing, but also perhaps gives some flexibility around your good intentions.

What does this mean to you?  That the “right” setup will be different for everyone.

It might not even apply to you.

Automagic complies with much of it, because we think it’s a good idea – but we don’t actively engage or market to European citizens, residents or visitors.  We also try not to keep “sensitive” data.

But don’t just assume it doesn’t apply to you – the law is not specific about citizens or residents of Europe, just people who are there.

Speaking of Europe.  Yes, this is a European law.  But…

With the events around Facebook and related data issues, it may be only a matter of time before it’s a law wherever you are.  And since it’s largely common sense anyway, maybe take a good look.

It’s not hard to find information on GDPR – a quick search of YouTube will reveal a lot of explanations, ranging from 5 minutes to well over an hour.  There are many guides, events and so on available to you.

Again, if you’re in any doubt, please contact a legal expert.