Jonathan Denney

Preparing for GDPR? Here Are A Few Simple Steps SMB Marketers Can Take Today to Help Prepare

In these weeks leading up to May 25th, 2018, the day when Europe’s GDPR (General Data Protection Regulation) becomes enforceable, marketers around the world are implementing changes to how their websites and companies handle contact data.

In April 2018, the topic of “GDPR” surpassed topics like “advertising” and “ecommerce”

Are you a marketer preparing for GDPR too? Don’t worry, you’re not alone!

Unfortunately, you might not feel that way. When heading to the official GDPR website, you’ll find there’s a lot of “legalese”, which may make it hard for marketers to understand and pinpoint whether they’re already GDPR ready, or if there are more steps they need to take.

While large companies have massive resources to help them with compliance, marketers for small businesses, web shops and consultancies are facing an overwhelming task of trying to understand the regulation and reach compliance.

There are countless articles on the web being published right now about GDPR, but few with actionable steps for SMB marketers to take.

If you’re like most marketers, you probably just want to know what you can do right now that can help most when preparing, while not being entirely overwhelmed by confusing legal information that may not help you determine how to take action.

So while we can’t give you legal advice, we’ve compiled a short list of actionable steps all SMB marketers can take today, to help them as they work towards being compliant.

Before getting started, here’s a quick overview of GDPR:

GDPR in a nutshell

GDPR is an EU regulation on data protection and privacy for people in the European Union.

Not only does GPDR apply to businesses in the EU, but it also applies to any company that collects personally identifiable information on EU citizens.

In other words, it applies to almost every internet company or website using contact forms and email marketing, which probably includes your site too.

Regardless of where your business is located, if your website gets visitors from around the world, and collects information from people located in the EU, it should be aligned with GDPR.

“The GDPR aims primarily to give control to citizens and residents over their personal data” – Wikipedia

“I’m a marketer. What can I do right now to prepare?”

When collecting subscribers and generating leads from your website, you’re collecting personally identifiable information such as email address, name, phone number, etc.
To prepare for GDPR, you need to make sure your company:

  • Is transparent about how you handle people’s contact information in your privacy policy
  • Gives people the ability to request that their contact info be modified, deleted, or given to them.
  • Is handling sensitive contact data securely and appropriately according to GDPR’s guidelines
  • Has consent from contacts to use their contact data for marketing purposes and for delivering your services

Important: This article’s objective is to provide quick, actionable steps, not serve as legal advice. We recommend consulting with a lawyer who can help you work on compliance.

Have a transparent and easily accessible privacy policy

Having a privacy policy is a must for your website. Although we recommend that you consult with an attorney when it comes to your privacy policy, and other legal disclaimers,  if your budget is tight, you may want to check out this resource (iubenda).

Make sure your privacy policy is easily accessible on your website and is transparent about how you handle site analytics cookies, personally identifiable information and more.

You’ll also want your privacy policy to be accessible in your contact forms.

Upon updating your privacy policy, you need to inform and update your existing contacts about the changes.

Give contacts the ability to request, modify and delete their contact data.

In the context of GDPR, most organizations are “data controllers”, giving them specific responsibilities to be met.

As the data controller, it needs to be easy for your contacts to request that any of their contact data you’ve collected, be given to them, modified, deleted or moved to another party.

Make sure your website and company give people the ability to make these requests easily.

When your contacts do make a request, all major email service providers and CRMs make it easy to search for a contact manually, export their info, modify it and delete it.

For example, if you’re using ConvertFlow for website lead generation, you can quickly search for a contact by heading to your website’s “Contacts” page, and search by their email address.

You can export their contact information to a CSV by clicking the “Export” button, edit their contact info by clicking the “Edit” tab in their profile, as well as delete their contact record by clicking the “Delete” button and confirming.

Here’s information on the responsibilities you have as a “data controller” –

Make sure you’re handling sensitive contact information securely.

Securely handling sensitive contact information starts with making sure that your website, and any pages that you’re collecting contact information on, is secured using an SSL certificate (https://).

If your website is not currently secured, you should enable this immediately. Recent updates to Google Chrome are now marking many unsecured sites (http://) as “unsafe”.

As mentioned earlier, your small business is primarily a “data controller”. Part of your role is mapping out all the places where you are storing contact data, whether it’s your systems or third-party tools (referred to as “data processors”).

Assuming that you’re handling contact information appropriately, you’ll also need to ensure that any third-party “data processors” you are using are doing so as well.

Likewise, it is essential to make sure that your databases are free from unauthorized access, especially if you’re working with independent contractors. For that, you will need to define your independent contractors' onboarding workflow to track systems and data access.

Read more info on the “data processor” responsibility in GDPR –

Only store data on contacts who have given you consent

Other than holding controllers and processors accountable to transparency and security best practices when working with EU citizen contact information, the primary purpose of GDPR is to give consumers control over how their contact data is being used, and prevent miss use.

This makes GDPR possibly one of the best things to happen for marketers in a long time because consumers are being bombarded with emails and ads from companies that do not have consent to market to them.

GDPR could potentially level the playing field for everyone who is providing real value to their audience and customers.

If you do not have consent from a person to hold their contact data (or a legitimate reason, such as to fulfill their purchase), it is recommended that you do not store their contact data, and most definitely that you avoid sending them marketing communications.

GDPR could give marketers who are legitimately building their audiences a massive advantage over shady companies that buy email lists and advertising audiences, and market without consent.

GDPR is seemingly designed to be enforced primarily upon those shady companies, as well as large third-party advertising networks that are amassing inconceivable amounts of personal data without transparency.

With less unsolicited marketing happening on the web, and you having built your first-party audience legitimately, your marketing stands a much better chance of cutting through the noise, and engaging potential customers moving forward.

As a data controller, here’s what you’ll need:

  • A “legitimate interest” for contacts who haven’t given consent
  • Or, active consent given by your contacts

While GDPR’s “legitimate interest” wording is vague and can be interpreted differently, this post on the Econsultancy blog lists a few examples of what can be a legitimate interest.

The perfect example of a “legitimate interest” is collecting contact information when purchasing a product. By purchasing the product, it is implied that collecting their customer information is needed for fulfillment of the purchase.

However, if you’re collecting contact information that isn’t a direct subscription to your ongoing marketing, and then sending ongoing email marketing, it is better to rely on active consent from your contacts.

Collecting consent when generating new leads

Appropriately collecting consent from your contacts for data processing requires that:

  • You are transparent about what you’re using contact data for at the point of data collection
  • You store a record of the contact having given consent
  • You don’t store data on contacts who have not given consent

1. Use active consent checkboxes in your contact forms

When using lead generation forms on your website and landing pages, collecting “active consent” means having the contact give consent by clicking checkboxes to agree to your processing of their contact data.

The checkbox can’t be checked by default, so the visitor has to click the checkbox to give “consent” before submitting the form.

To be as transparent as possible, your checkbox should have a link to your privacy policy where you appropriately state how you’re handling their personally identifiable data.

In certain cases, you may want your checkbox to link to your terms of service.

Note: You’ll want to check with a lawyer to correctly word your checkbox, privacy policy and terms of service messaging, to be appropriate for how your specific business handles personally identifiable data.

Building forms with active consent checkboxes is easy and free using ConvertFlow’s form builder.

You can also enable checkboxes in MailChimp’s popups forms, most landing page tools, or have a developer custom code it into your website’s forms.

If your form isn’t a direct subscription to your marketing, you may need to enable another checkbox to gain consent for ongoing marketing.

In ConvertFlow, controlling the messaging and legal links of all your website form’s consent checkboxes is easy using the site-wide settings.

2. Store a record of your contact having given consent

You’ll need to be able to quickly filter out contacts in your systems who have or have not given consent.

By using ConvertFlow’s consent checkboxes, you’ll easily be able to send a record of the contact’s consent to any of your custom fields in your integrated email marketing tool and/or CRM.

Just connect your email marketing tool, map ConvertFlow’s “privacy_consent” and “marketing_consent” to your chosen custom field’s name into and it will send a “true” value into your email tool’s custom field when a contact submits any of your ConvertFlow forms.

If you’re custom coding forms on your website, you’ll need to have your developer connect your checkboxes to your email tool’s API to store proof of consent.

3. Use confirmation emails if contacts are being entered into your ESP from multiple sources beyond web forms

Placing active consent checkboxes on all your forms moving forward is a step in the right direction, but what about all of the previous ways you are entering contact data into your email marketing tool?

Another step you can take is to enable double opt-in confirmation emails in your email marketing tool, which will help you gain consent from the contacts you’re collecting, while you revisit your existing setup.

However, relying on double opt-in will reduce the number of contacts you’re getting into your system because it requires the contact to check their inbox and click a link to confirm.

Ideally, you could collect consent right at the point of engagement, to make your subscription process as smooth as possible. It’s worth revisiting your forms and implementing consent checkboxes if consent is needed.

Updating consent for your existing contacts on your website

If you have existing contacts in your system that you want to have agree to your privacy policy, here’s an easy way to do this using ConvertFlow.

You can create a simple website popup that targets existing subscribers returning to your website, asks them to agree to your privacy policy and tags them as “resubscribed” in your CRM.

Hopefully, this article helps you develop a better understanding of how GDPR affects your business and your marketing. As well, we hope that if you are getting visitors from the EU, and are collecting their contact information, that you follow the above steps as you work towards being compliant.

Again, this article’s objective is to provide actionable steps, not serve as legal advice. As you work towards being compliant, we recommend consulting with a lawyer who can help you work on becoming compliant.

If you have any questions about using ConvertFlow’s checkboxes to collect consent from your EU contacts, feel free to reach us on chat or at

About the author
Jonathan Denney
Co-Founder & CTO, ConvertFlow
home icontwitter iconlinkedin icon
Jonathan Denney leads product at ConvertFlow. After running a conversion marketing agency, Jonathan co-founded ConvertFlow with his brother Ethan Denney to help brands build conversion funnels without code or waiting on developers. Since then, ConvertFlow's no-code funnel builder has helped launch 100k+ conversion campaigns, across brands such as Volkswagen, NectarSleep, CampingWorld and more.