GDPR – What Solopreneurs Need to Know and Do

GDPR – What Solopreneurs Need To Know And Do

You must have heard all the buzz about it. The General Data Protection Regulation: GDPR. It’s coming into force on May 25 — just one week away.

You may be one of those people who sees the emails and just shudders… because, let’s face it — the sky is going to fall in.

On May 25th 2018, the General Data Protection Regulation (GDPR) will take effect.  It promises especially to wreak havoc on the once lucrative email marketing industry.(1)

Days are about to get very, very dark for every brand and soul in the digital marketing game. For those who use “email marketing” heavily, the sky is, quite literally, falling.(1)

But what about all the rest of GDPR?

Maybe the sky isn't fallingIs your sky falling? Is GDPR going to be the end of doing online business as we know it? As a small, one-person business — a solopreneur — do you even have to be concerned?

Won’t it all go away if you ignore it for long enough? Will the “EU police” come knocking at your door if you skip all this? Does it affect you if you’re not a citizen of the EU?  

Sadly, this has not been well presented by those in charge. The result for most solopreneurs has been fear, confusion, and anger — with little coherent help.

Your web host or sitebuilding service gives you a bundle of articles and a “good luck.”  Google (which is involved as a major player who must become GDPR) turfs their obligation onto us. Figuring it all out is tough.

Online, solopreneurs are gnashing their teeth. You’ll find loads of misinformation and negative emotions sparked by this legislation (and by Google not being of much help)…

  • Some solopreneurs are choosing the “ostrich head-in-the-sand” approach.  
  • Others tried but are so confused that they finally gave up and join the ostriches.
  • Non-Europeans think it doesn’t involve them.
  • And many are just peeved as heck. I don’t blame them. There’s a ton to learn and it’s hard to know what to do when you read conflicting advice.

It’s enough to anger a monk. We may not be blessed with profound inner peace, but we can chop this down to size and calmly approach GDPR, step by step. Ready?

OK, Big Breath…

Breathe out all the negative emotion, then take a hard look at the real facts. Let’s narrow down the risks — and maybe even surprise ourselves by finding some benefits.

As with all other laws and regulations, you’re supposed to comply. If you don’t,  the consequences could be heavy, particularly with Google, who shifts some of its burden onto you.

I believe that solopreneurs should have been exempted from this. Most solopreneurs are already within the spirit of the law…

Solopreneurs are not the ones with massive databases and data-mining operations that could compromise a user’s rights.  

Large companies like Facebook and Google, the ones responsible, are also the ones that have the resources to implement and manage GDPR. Meanwhile, solopreneurs face a disproportionate burden to solve a problem that they didn’t make.

Here’s a brief outline of what you need to be compliant…

  1. You must have a way for visitors to consent to your collection of their data. And this must be an opt-in by default, not an opt-out. It must also have a link to your privacy policy (which is also required).
  2. Your privacy policy must outline all the ways that you collect personal information, and what you do with it. It must also outline how they can view, change, download and/or delete their data.
  3. Each form you have on your site must tell users what their data will be used for (e.g., receiving a 7-part e-course or a monthly newsletter).
  4. Each form must give them a way to review your privacy policy.
  5. If you don’t want to deal with collecting parental consent for those under 16, you need a way for form users to tell you that they are 16 years of age or older.

That’s why many solopreneurs are weighing the risks and potential consequences of non-compliance. Our advice?  

Hold your nose and get it done.

That’s why we developed our new GDPR tools for Solo Build It! (SBI!). As far as we know, no web host or sitebuilder (e.g., Wix and Weebly) have turned this complicated implementation into a single, comprehensive solution.

SBI!’s job has always been to filter out what doesn’t matter and to “get it right” for what does count. This allows SBI! members to focus their so limited “solopreneur time” on what matters the most — building their business.

The results speak for themselves, with SBIers outperforming others by 10X to >100X. But I digress. Back to the matter at hand…

We’ve chopped GDPR down to size, slicing it into a step-by-step process that gets SBIers where they need to be with the least amount of aggravation, and in as little time as possible. We created this release, though, not so much to move SBIers further ahead, but to eliminate the risk of being set back.

While I prefer the carrot over the stick, it is what it is. Let’s think this through and then take the necessary action…

Decision #1: Do You Care About the Law?

GDPR goes into effect within the European Economic Area on May 25. The fines for not complying are pretty steep. Depending on the specific infringement, they can be up to €20 million, or 4% of your annual global turnover — whichever is higher.

Did I just hear you gulp? 20 million Euros? Maybe we should all close down right now — or at least follow the example of Unroll.Me…

No soup for EU!

Our service is intended to serve users in the U.S. Because it was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents.

This means we may not serve users we believe are residents of the EU, and we must delete any EU user accounts by May 24. We are truly sorry that we are unable to offer our service to you.

But wait. Are GDPR fines going to put us all, not just out of business, but in the bankruptcy court? Is it genuinely impossible for small businesses to comply? Is that the real story?

Of course it’s not. It’s the story that makes for good headlines.

So what’s the real deal? The real deal is that those fines are discretionary, not mandatory. Penalties will be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive.”

Note the word “proportionate.” Are online solopreneurs going to face fines of €20 million for an infringement?

It’s so unlikely as to be farcical. In fact, the potential level of those fines is a sign that GDPR was written with the “big guys” in mind: Google, Facebook, Twitter, etc., as well as those spammy marketers you dread seeing in your inbox.

Its problem is that it doesn’t distinguish between the big guys and small business: work-at-home moms, conscientious entrepreneurs, solopreneurs. Everyone, large or small, is required to comply.

GDPR will impact “…every entity that holds or uses European personal data both inside and outside of Europe” (Stewart Room, PricewaterhouseCoopers). In other words, all of us.

Furthermore, facing any amount of Euro fines won’t happen as a first resort. Why?

Before any fine is levied, the EU is most likely to give, in writing, a warning about which part of the regulations are not being complied with. They’ll allow time for you to put the breach(es) right.

In the words of IT Governance, one of the leading EU trainers in GDPR compliance…

Besides the power to impose fines, the Information Commissioner’s Office (ICO) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.(4)

In other words, if a company refuses to comply with GDPR, only then will a fine be imposed.

Suppose you live outside the EU — in Australia, for example, or in the US. Is a police officer going to come knocking at your door with a warrant for your arrest, or a bill for payment of €20 million? Unlikely.

You’re much more likely to receive an email saying that you face a range of corrective sanctions: a warning or reprimand, a ban on data processing, an order to put things right. And, still in the real world, they’re much more likely to go after the big fish than you.

Given that, should you really do nothing and wait to see what happens? That’s up to you.

If you and/or your business live in a European country, remember that any fine against you can be enforced. Assess the risk and decide for yourself.

What might that risk be?

In a recent webinar, this was said to be the potential consequence for a deliberate avoidance of the GDPR requirements:

… if it gets as far as the compliance system, the penalties for any sized business which hasn’t bothered even to try to implement GDPR because they thought they could get away with it are likely to be very steep.

Sidebar: This reminds me of the legislation forcing affiliates to include a prominent notification that they receive commissions for sales of products mentioned on the page. A small minority comply. Some don’t do it at all. Some bury it on the bottom of a page — or the visitor has to link to it. It was announced with great fanfare, but is not enforced.

The quote strikes me as a scare tactic. But that, too, is for you to weigh.

So — decision #1.

For you and your business, are the potential consequences of ignoring GDPR worth the risk of breaking European Union law?

  • Do you believe that the GDPR would make solopreneurs a priority compared to the giant companies that have made it necessary?  
  • Do you believe that, in the unlikely event that they stumble upon you, you’d face some huge fine right off the bat, especially if you’re already doing nothing to violate the spirit of GDPR?
  • And if the worst of the worst outcomes were to happen, how would they enforce it if neither you nor your business reside in the EU?

Important: We built our GDPR tools because our basic advice is to just get it done, regardless of where you reside, and for all visitors, not just Europeans. Be done with it.

On the other hand, we’re not going to fail to bring options to mind. So…

It’s your call. If you’re prepared to take the risk, you’d be finished now, except for the genuine problem that leaves you with little choice…

Decision #2: Do You Care About Google Analytics, Google Maps, Google Pay, Gmail, Google Cloud Platform or G Suite?

Why would any of those be an issue?

Because Google has invested a major amount of time and money in ensuring its services are GDPR-compliant from the get-go. And Google wants to make sure that everyone who uses those services is compliant, too.

Is Google helping the solopreneur become compliant? Well, its GDPR-compliant tools will all be available by the implementation date.

But, like many companies, Google is putting responsibility for using those tools in a compliant manner fairly (or some would say, not so fairly) and squarely with the individual.

Google calls this “shared responsibility.” I call it “turfing responsibility.”

GDPR Passing The Buck

To try better to understand it, let’s just take the case of Google Analytics (GA).

You (via your website or blog) send information to GA. It’s not personal information in the sense of names and email addresses. But it’s still data under the terms of GDPR.

GA takes that information from your site and processes it.

That, in GDPR terms, makes you — the solopreneur, blogger, stay-at-home-mom — the “data controller” and GA the “data processor.”

But here’s the thing. You have no realistic way of tracing that data back to the individual on your site. But Google does, once it collects the data from your site.

In order for GA to be compliant, Google has already published revised data processing terms that, as the data controller, you must accept in order to continue to use their services.(2)

If you don’t accept the terms, you won’t be able to use GA — or any of their other processing services above — after May 24. Pretty much all solopreneurs use at least one GA service on their sites…

Suddenly, that “shared” responsibility doesn’t seem so fair. They put the onus on you…

Sign or switch.

So — decision #2.

Do you care? And what’s the downside?

You could switch to another analytics platform, another email / map-building / cloud service — if you can find one that’s not so particular about GDPR. That’s not likely, and it’s going to mean work to learn a new system and switch.

Or maybe you don’t use any of those products anyway. You don’t really care about any of the Google tools mentioned so far. If not, take them off.  

If you do care about those things.. if you find GA offers a wealth of information to help focus your business… if you store information on Google Cloud Platform… or if you use Google Maps on your site?

You have to become GDPR compliant. Because Google knows you’re stuck.

If you don’t care, you’re a step closer to your non-compliance decision. Take off the Google tools. No need to agree to their terms.

But you’re not done yet.

It’s time to move on and look at the next most important risk.

Decision #3: Do You Care About AdSense?

When it comes to AdSense, Google views itself as an “independent Controller of personal data” and states clearly:  

We are committing through these terms to comply with our obligations under GDPR when we use any personal data in connection with these services, and the terms require you to make the same commitment.(3)

Not prepared to make that commitment? Then your AdSense account is in jeopardy and likely will be disabled or shut down.

Do you care? How much does AdSense income matter to you? Have your AdSense earnings tanked anyway? Or maybe you use another ad network that handles your commitments for you, building it into revised code? (No, I don’t know of one.)

Up to you. If you don’t care about anything we’ve covered so far — the EU regulation, the use of Google services, or the placement of AdSense ads on your site — then maybe GDPR won’t be such a big thing for you, after all.

Maybe the sky isn’t falling.


Decision #4: Do You Care About Your Customers?

It has become appallingly obvious that our technology has exceeded our humanity.Albert Einstein

Do you view GDPR as a huge pain in the butt, one that should be the problem of the large companies that generate and store all the data? Or, like the UK Information Commissioner’s Office (ICO), do you view it as a way to…

“increase public trust and confidence in the way personal data is handled”?(4)

Think about this as a site visitor and customer for a second (instead of as a solopreneur). You become someone who is, in GDPR terms, a “Data Subject.”  

You give companies your data, some of it personal, some of it happening without you seeing what’s going on (e.g., cookies, IP address). Or it could be more obvious and personal — a newsletter signup, a hotel booking, or completing any one of countless forms for insurance companies, banks, health services, even your employer…

Laptop Forgotten on TrainDo you care what happens to your own personal information? Do you care that invisible data can be traced back to you when combined with data from other sources? Do you care that your medical information may have been shared between the insurance company and doctors in a series of unencrypted emails?

Or that confidential information about your employee status may be sitting on someone’s laptop — which they’ve left on a train?

Or that your signup for the latest webinar about how to make a million on YouTube has just been sold to a mailorder company that’s about to spam you with countless emails from which you can’t unsubscribe?

It helps to see “the other side,” doesn’t it? GDPR was not created to give businesses a hard time, although to you that’s certainly a by-product. Its aim is primarily to give ordinary people control over their personal information, to make businesses have more respect for your data, and mine, and our customers’ than they have in the past.

It’s as simple as that. But the fix isn’t.

That said, I still believe that the solopreneur was not considered in “the fix” of a legitimate problem. I think too much has been put on them, with no recognition of their limited resources.

Now think again about your customers and about you, as a controller of their information.  You blog because you have a following who like and trust you — but you’d like that following to be bigger.

Or perhaps, you write an evergreen, informational website because you have a real passion for your subject, and like nothing more than to engage your site visitors with your authentic storytelling.

You care about people, about your customers.

And you want their data to be safe. That does not mean, though, that you should be responsible for some of the work that you are being asked to do. Solopreneurs should have been exempted or at least considered when drafting this law, along with its spinoff that impacts third-party services that you are now locked into.

On the other hand, some aspects do obviously belong to you. If you want to keep collecting email addresses and first names for your newsletter, you have to do it right. Basically, if you collect and store data on your own server/web host, you are responsible for it.

If, on the other hand, you use an intermediary party such as Google AdSense or MailChimp, and don’t store any of the data on your own, your work should have been reduced as much as possible. Don’t get us wrong…

No one argues the need for our visitors, subscribers and customers to be better protected. It’s good for them, and boosts confidence.

And that gives everyone more confidence in both “the system” and you. On the flip side..

Email SellerIf you’re part of a very small minority of “bad guys” (e.g., sellers of email addresses), you have a problem now. A law with teeth increases your risks substantially. And, of course, Google and Facebook are going to have to control their data better — few were considering that at these companies, in their drive for ad dollars to ever-more-highly-targeted visitors.

Compare that to solopreneurs. Most solopreneurs have good and noble reasons to put themselves out there and try to improve their lot in life. I believe that you care about the folks you reach through your site and social media. You are closer to them than any of the multi-billion dollar conglomerates.

While I believe that as a solopreneur you, too, have to handle the data that you collect and store, you have been given the short shrift for much of this. You sure didn’t cause the problem. Nor were you consulted in the creation of this regulation.

However, as responsible citizens of the online business community, we still recommend that you put GDPR in place, regardless of where you live. It’s a one-time effort that will, together with widespread adoption, reassure the “data subjects” (i.e., your visitors, customers, etc.) who give you their information.

You care about their personal information. You want to do everything you can to keep it safe. You want them to know that you’ll treat their data as carefully as if it were your own.

Now you know how!

According to the UK Information Commissioner’s Office,(4) research has shown that only one in five people in the UK trust companies to use their personal data responsibly. There’s no reason to suppose other countries will be any different.

The reassurance of being GDPR-compliant will result in increased trust, which increases their willingness to interact with you, sign up for your newsletter, and ultimately to purchase something.

Whether you consider it from your point of view as a solopreneur or as a user of the Internet, something was needed to stanch the loss of confidence. No, you didn’t cause it. But you and I should be part of the solution.

Sidebar: Of course, this does absolutely nothing about the plague of fake reviews online.  In our view, this is growing so quickly that it is becoming as serious a problem as GDPR.  

Google is totally ignoring how easily its algo is tricked into ranking fake reviews to the top. Subscribe to our mailing list for an upcoming blockbuster post on the next big threat to Google’s reputation. It’s going to take a whole new Panda to fix this problem.

But I digress again. Back to GDPR.

On to our next decision…

Decision #5: The Carrot: Do You Care About Your Business?

Maybe I should have started with this one, because it’s the single decision that could trump all the rest.

How much information does your business hold on its servers, its databases, its spreadsheets, even its filing cabinets, that it doesn’t need?

How many outdated webinar presentations, obsolete images, unused apps, emails from 5 years (or more) ago are sitting on your laptop, helping make your machine run so slowly it feels like the bad old days of dial-up?

How much of that outdated data are you using to base decisions in the here and now? Is it still correct? Do you even remember gathering it?

When was the last time you cleared out your email list, got rid of those subscribers who haven’t opened your emails for the last two years? How much are all those subscribers — who, by the way, will never buy anything from you — costing?

Part of following GDPR’s processes is the need to assess your current methods of data collection, and how the data is used. Most businesses are viewing it as a hassle — an interruption to their day-to-day operations that they could do without.

Is that you?

If so, how about turning that opinion on its head? How about seeing it as an opportunity for spring cleaning? To ditch the old data and make space for the new? To streamline your business, to make decisions based on reliable information?

I know it’s one of those things that can be put off until “tomorrow”… forever. Why not take advantage of this opportunity to do a thorough “spring data cleaning.” It is spring, right? 😀

Putting off until tomorrow

In the process, you’ll save you and your business time and money down the road.

Decision #6: The Stick: Do You Care About Being Sued?

Let’s suppose you don’t care about…

  • The law
  • Google Analytics (etc.)
  • Google AdSense
  • Your customers
  • Your business

Do you care about the potential for being sued?

Perhaps it will never happen. After all, who would take the trouble?

Your competition, that’s who!

A competitor might see your non-compliance as a way to do some damage. This is more likely, of course, as you grow and become a force within your niche — it’s not as much of a worry if you’re just starting out.  

By the way, if you are just starting out, you have it easy. You just have to follow the new rules, which is pretty easy compared to those who have loads of changes to make.

But back to that nasty competitor.

The co-founder of blockchain-based media agency Truth, Mary Keane-Dawson recently had this to say…

I’ve heard murmurs of activist consumers targeting brands and organisations because they don’t like what they do globally; GDPR is a way to go after them. It’s all rumours at the moment, but I wouldn’t be surprised if there were a few PR disasters.

So once again, this is more of a worry if you’re a force within your niche. It’s more of a concern for the large and mid-sized companies.

Still, if your site is growing to thousands of visitors per day with solid monetization, becoming compliant starts to look like a good financial investment in your business.

So maybe you should stick around and talk about the last key point….

Decision #7: Does Your Business Partner Care About You?

So you want to make your site as GDPR-compliant as you can. I agree… there are more reasons to get it done and move on. And the larger your business, the more reasons there are to do it.

What’s next?

Our suggestion is to get it done as soon as you can. Realistically, loads of solopreneurs won’t be done in time. Following all the confusion and emotions out there, you can afford to integrate the most important pieces first, as close to May 25 as possible.

For the rest, being a few days or weeks late is not going to be the end of the world. I can’t absolutely promise that, especially given the help that many solopreneurs are getting from their ISPs and/or sitebuilding-software companies. More on “timing” to come.

Judging from what we’ve been reading, there are lots of heads spinning out there right now.  Some folks feel like their business is about to fall off the edge of a cliff. Others feel like they want to give up now — the task seems so daunting.  

So what’s next is this question…

Does your host or website-building company, whoever it is, care about you? What are they doing to throw you a lifeline that keeps you from falling off that cliff?

And if you’re not sure about either of those things, what can you do?

  • The more progressive companies, GoDaddy, for example, have given some information already. Are you finding it easy to follow? Are there step-by-step instructions that lead you through the entire process, concentrating on the “must-dos” for blogs and small online businesses, and leaving the rest alone?
  • Are they providing tools? Are those tools on the same platform, or do you have to go somewhere else to find them? And are you sure the tools are GDPR-compliant?

Take WordPress plugins, for example. There are a lot of them, and that’s part of the problem.

GDPR WordPress Plugins

Which will help you become compliant — and how will you know? Will they work together? Which are actually necessary — and how will you know that?

Or perhaps your provider is simply saying it’s your responsibility. Or not saying anything at all.

Are you seeing vague statements like this?

For many, it will be a moot issue. For others, there will be some updates.

Some are promising information “soon” — but time’s running short. Solopreneurs range from panicked and unhappy with the help they’re getting from their providers, to blissfully unaware that this involves them. And then, of course, there’s Google (we’re all still waiting on them for much).

Will you be ready? There’s just one more week before your users — or competitors — could come knocking at your door.

Let’s be blunt about this.

It’s a week before GDPR goes into effect. Some companies — particularly the larger, corporate organizations — have been preparing for GDPR for two years.   

Sidebar: We’ve found companies online claiming to be GDPR-compliant — but their sites were not even secure (httpS)! That’s a prerequisite if you plan to protect user data.

A week is probably not going to cut it, even for a small business with relatively simple processes (like yours). It can take longer than that to read through all the documentation.

So here’s the question you need to ask now: what are the priority steps, and what is your web development platform doing to help?

Is It All Too Little, Too Late?

It’s been made clear that businesses that have — at least — made an attempt to comply are likely to be given more leeway than those that have made no effort at all. And not even the greatest champion of GDPR expects businesses to be completely compliant on May 25.

So yes, there’s still time. How efficiently you can use that time will depend in large part on what help you get. GDPR is no walk in the park. It takes time, energy and commitment to understand the basics, let alone to set up your site to enable smooth compliance.

Here at Solo Build It! (SBI!), we’re providing an integrated range of tools, information and step-by-step updates to help SBI! members become compliant in time for the deadline date.

We’ve always been the only platform that offers everything under one umbrella. In short…

We condense the overwhelming and ever-changing complexity into one all-you’ll-ever-need, business-building approach.

And that doesn’t apply only to our hosting, software tools and guidance. It applies to helping solopreneurs…

  • fix external nightmares such as Panda and Penguin
  • get the most out of the ever-changing world of social media
  • and now, integrate the confusing world of GDPR in an organized and efficient way.

As far as I know, and please excuse us for tooting our own horn, we’re the only platform providing GDPR compliance tools, all under one umbrella. No need to fight through the jungle of information (good and bad), nor to glue info from various sources, etc.

As usual, “we do it all for you.”

We’d like to help other people, too — people who’ve not found SBI! yet. People who might be reading this and wondering whether to throw in the towel altogether…

Is that you?

Do not throw in the towel. I understand. As much as you may support the goals of GDPR, your business is likely already compliant in most ways, if not all.  
So it may not feel like time well spent. But what if I could present a clean “to do” — you’d be doing everyone a favor while helping to re-grow trust, while eliminating risk.

So, let’s get you off that cliff and back on solid ground.

We at SiteSell can’t help you become totally GDPR-compliant in the space of one article. But we can start, by sharing with you just four basic steps that will help your website or blog on its way to becoming GDPR-compliant. That’s an 80-20 that everyone can live with.

Before Data Collection

Step 1: HTTPS

If your website or blog is not secure, data sent through your site or blog is not secure either. So the first step is to make sure your site or blog is HTTPS.

To throw that lifeline to our own customers, here at Solo Build It! we made sure there was a quick and easy way to change sites from HTTP to HTTPS. A pre-switch checker, the “switch” itself, articles supplemented with videos to lead people step-by-step through the process, and 24/7 support.

Task 1

Make sure your site is secure.

How do you know? Look for the little green padlock next to the URL…

Make sure your site is secure

If it’s not secure, you’ll see this or something like it, with a warning in red if the information icon is clicked…

Non Secure Connection

The question to ask of your website host if you don’t see that little green padlock?

What are you doing to help my site be secure?

Step 2: Data Audit

You have data coming into and going out again from our blog or website in a lot of different directions. Just when you think you’ve nailed it, something else occurs to you and you have to start all over again.

But to implement GDPR it’s critical to understand where data is coming from and going to — and what happens in between. It’s the foundation of everything that follows.

There’s a way of dealing with that. It’s called a data audit. The purpose of the data audit is to tie down…

  • Where your data comes from
  • What and where it is
  • How it’s processed
  • How long it’s kept
  • Where it goes to
  • How secure it is
  • What needs to happen to make it GDPR-compliant.

And it can be done in bite-sized stages.

Task 2

The first thing to do is simple: sit down with your favorite beverage and ask yourself what you remember about the information you collect. Just brainstorm it.

There are some obvious places, like newsletter signups, where people have to enter their name and email address, and contact forms, so people can communicate with you directly.

And some not so obvious, like Google Analytics, which takes browsing data without needing more personalized information like name and email address.

Consider both types of data — information you actively request, and information that’s taken automatically by, for example, our old friend Google.

Write down what you think you collect.   

Task 3

When you’ve finished brainstorming, go over to your website / blog and take another look. Check exactly what you collect, and from where.

Maintain a worksheet about your data processes. It’s evidence, should evidence be required, that you’ve assessed your site to the best of your ability.

Keeping a reasonably thorough note now will make the process much easier.

You might be surprised at what you find. For example, “Who is Hotjar and what are they doing on my website?” is a question one of our employees had to ask herself when she found a long-forgotten code in her site’s head section, sitting there collecting data she had never used and never told anyone about…

What you need to ask: is your website builder (Wix, for example, or GoDaddy — or even WordPress) providing you with a way of planning and analyzing your data audit?

If not, Download This Free Data Audit Template Worksheet.

Data Collection

Step 3: Form Compliance and Obtaining Consent

Consent: Under Article 5 of GDPR, businesses (large and small) must have a valid reason for collecting data. For some companies, it’s a contractual or legal reason — courts, for example, have to collect and process data on offenders appearing before them. And payment processors need a lot of personal information.

There are a number of other lawful processing conditions, but the one solopreneurs will normally use will be “consent.”

GDPR says consent must be a:

freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

It also requires that you give privacy-related information at the time you’re obtaining the data, in other words at the point where the person fills in, for example, a contact form or a newsletter / course subscription form.

This has implications for all our forms, and for our freebie signup giveaways. You’ll be able to find advice about the giveaways elsewhere on the Internet. Of course, it’s not always accurate, so be careful.

So for now, let’s deal with the forms themselves.  

Contact forms and newsletter signups: You may be forgiven for thinking that if people contact you, they’re giving their consent to you having their data. After all, it would be hard to reply to someone without having their email address.

But “consent” goes all the way back to the first interaction someone has with your website. If that’s via the contact form, the fact that you’ll collect and store personal details, even for a short time, means that you need to get clear consent from each individual…

They must agree with your privacy policy and they must give permission for you to reply to them about their query. If you don’t want to deal with parental consent for those under 16, you must also ask for confirmation that they’re over 16 years old.

And all that must happen before each individual submits the contact form, or signs up for our newsletter, webinar or paid-for course.

What Does That Mean, In Practice?

The simplest way to do that is:

  • A checkbox to confirm that the person is over 16 years old.
  • A link to the privacy policy, and another checkbox to say s/he has read and understood it.
  • A checkbox through which the individual gives consent to the collection of the data for the intended purpose.

Each checkbox must only capture one piece of information. So you can’t use just one checkbox to say “I am over 16, I’ve read and agree to the privacy policy and I accept you storing my data.”

GDPR CheckmarksWhy are checkboxes necessary? Consent must be “verifiable.” If a site visitor has to tick the boxes before submitting the form, that information can be stored and acts as verification.

The form itself must collect no more information than absolutely necessary — in the case of contact forms this will usually be a name, an email address and a text box for the query.

Will people who want to contact you like having to check three boxes? Maybe not. But visitors are going to get as used to checking those boxes as they are “agreeing” to cookie warnings. In any event, ticking boxes helps qualify the serious contact, weeding out the frivolous.

Will some people who may otherwise have signed up for your newsletter just click away? Maybe. But again, those checkboxes will become commonplace. And those people who did not want to tick… would they have been truly engaged? Probably not.

Task 4

Check whether your email provider has the capacity to add checkboxes to your forms.

Some companies, like MailChimp, are already compliant; many are not.

If it’s unclear, write and ask them. In particular, ask them to clarify what they’re doing about allowing you to add checkboxes to your contact forms and signups. Be clear — ask for a timeline.

If they’re not going to be compliant by May 25, you have another decision to make.

And if they tell you, as some do, that it’s the publisher’s responsibility (that’s you!) — think about whether you’re with the right provider. As I noted above, MailChimp will be compliant, and is making it as easy and understandable as possible.

For Solo Build It!, we view this as totally our job, simplifying the lives of SBI! members. SBIers can customize or translate the default messaging, so making forms, including email subscription forms, GDPR-compliant is clean and fast.

After Data Collection

Step 4: Rights of the “Data Subject”

General: GDPR says that “data should be collected for a specific purpose, used only for that purpose and retained for only as long as it meets that purpose.”

So don’t collect more information than you absolutely need.

Task 5

Look through your site or blog’s forms now. Are all the fields you have strictly necessary for the task you need to complete? If not, remove them.

The less personal data you collect, the less impact of possible data breaches.

Data Subject rights: What about when the data has been given? We’ve already seen that publicity is starting to raise awareness in the public — your site visitors / customers — people who trust you with their information.

So how do you deal with their rights?

GDPR says “data subjects” — those who give you their information — have the right (among other things) to:

  • have access to all the personal data you hold about them (“right to access”)
  • modify any details of that information, for example if it’s out of date or incorrect (“right to rectification”)
  • have their data deleted from your system (“right to erasure,” also known as the “right to be forgotten”)
  • download their data from your system (“right to portability”).

Sounds like a nightmare? It shouldn’t be. What’s your sitebuilder company or hosting platform doing to help you through this? How easy is it for you to access information from, for example, your email provider’s database?

If a subscriber comes to you in two weeks’ time asking to change or download her information, will you know what to do and how to do it? Where to find it, even?

For most providers, accessing the information will lie squarely with the solopreneur.

What — another job on top of being CEO, marketing director, content writer, social media manager, customer service officer and chief coffee-maker?

Yep. Another one to add to the list.


SBIers won’t need to go anywhere near their customer’s data.

GDPR Solo Build It!How’s that?

One of the main philosophies of everyone who works for the company is to provide our customers — SBIers — with tools that will save them time. Because we know that time is the single most precious commodity for the solopreneur.

So when it comes to GDPR, that tool will mean all subscribers — the data subjects — will be able to access, alter, download and delete their own data.

The SBIer will not have anything to do with it, unless contacted directly by a visitor or customer.

More time saved and, more importantly, another worry resolved.

Here at SBI!, we don’t want to leave anything to chance. If we can help SBIers, we do.

So we did.

We invested a ton of time, energy and money into getting this right. If you think it’s hard enough for one person, imagine how tricky it is to develop a new module that fits the needs of thousands.

Needless to say, it grew into one of those “bigger than we thought” projects. That said…

By May 25, every SBIer who has been through that decision tree and has made the decision that she wants to comply, will have all s/he needs to do so. We’ll have a far higher compliance rate because we’ve made it more doable than anywhere else.

And all this at no additional cost to the SBIer.

THIS is the reason I love SBI (and came back!) because you take care of all the “extra”, providing tools and practical ways of meeting demands, not just waffle.

I too have spent many hours reading, going to real-world workshops, watching webinars and getting overwhelmed [by GDPR]… until I saw that SBI was taking care of it, and I chilled out.Adele from

This law un-levels the playing field against solopreneurs. Our job is to help level it again for SBIers. Our GDPR tools make it doable in the least amount of time possible. It’s the only resource they’ll ever need.

All because we love to see SBIers succeed. When we see a hurdle in their way, we do our best to remove it.

When we see our SBI! family feel like they’re falling off a cliff, we throw them all the lifelines they need, to save themselves and their business. It’s a great example of what SBI! does…

We care about solopreneur success, about visitor security and about eliminating the risk of disobeying the law — even if we don’t believe that solopreneurs have received fair treatment.

Most of all, we care about our SBI! family. They have proven to us that everyday people can do amazing things if we simply remove the barriers (like GDPR!) that overcome most people online. It’s why rigorous, reproducible-by-anyone studies show how we generate from 10X to 100X more high-traffic successes than Wix, WordPress, GoDaddy and Squarespace.

Do you already have a blog or a website? How are you doing with GDPR?

More specifically, how much does your website company care about you?

If you don’t yet have a site or blog — if you’re just at the point of thinking what it might be like to start your own online business and all this GDPR stuff is pretty much gobbledygook…

We don’t feel like the sky is falling.

GDPR or no GDPR — we feel like the sky’s the limit.

  1. GDPR: The sky is falling
  2. Google Analytics: Data Processing Terms
  3. Google: Google Ads Data Processing Terms
  4. Information Commissioner’s Office: Your Data Matters
  5. The Drum, ICO readies campaign to educate UK public around GDPR, The Drum, February 2018
  6. Google: EU user consent policy
GDPR - What Solopreneurs Need to Know and Do
Ken Evoy (CEO, SiteSell)
Ken Evoy is the Founder, CEO, and Chairman of the Board of SiteSell Inc. He is the creator of Solo Build It!, SiteSell's comprehensive online business-building system. Ken is also a successful inventor, author, and emergency physician. He feels strongly that solopreneurs can be empowered by leveraging their income-building potential online.