What Is GDPR?

If you've opened your inbox lately, you've likely seen these four letters popping up a few times.

It's time to get your head out of the sand, climb out from under the rock you've been living under for a while and face the facts. GDPR is here and you must do something about it.

Because we know that new things like data regulations and subscriber handling can freak you out, we've put together some of the questions that we're getting asked in the hope that they answer many of yours too!


This isn't a time to sit idly waiting to see what happens. This also isn't a time to get yourself into a panic, throw your hands in the air and scream 'well I just WON'T have a newsletter list then!'. (It's okay, we know you were kinda thinking that!).


This is a time to take logical action, cultivate meaningful relationships with your newsletter tribe and show your subscribers that you respect the privilege of showing up in their inbox every week/fortnight/month/year (if that last one is you, please read our post on Connecting Through Content asap!).

Let's go conquer this GDPR thing together, shall we?
We do have to mention that none of the below constitutes legal advice, nor does it take into consideration your individual business needs. Individuals should seek legal counsel for their specific requirements.

What is GDPR and why should you care?

What exactly is GDPR?

The GDPR, or General Data Protection Regulation, is a piece of European Union (EU) legislation that comes into effect on May 25, 2018. Its purpose is to protect the rights of individuals located in the EU with regard to how their data is processed. If you are a business based in the EU or deal with data from people based in the EU, then the GDPR applies to you.

Not sure if you have people based in the EU on your mailing list?
Many email platforms have in-built functions that can help you find any EU members of your mailing list.

However, if you have a website, the chances are high that some of your web traffic comes from one or more countries that form part of the EU. So, it's a good idea to implement the required GDPR processes regardless of where your current subscribers and clients are located.

I've got a disclaimer on my sign-up form, is this enough?

One big question we always get asked is 'Will people know that by downloading my freebie they'll be added to my list?'. Our response has always been that it's generally implied, but it's always nice to add a disclaimer to your forms to let people know.

But this isn't enough anymore!

The GDPR ensures that a person's digital information (data) can only be obtained when their consent is freely given, specific, informed and unambiguous. So in basic terms that means that:

a) You must have received affirmative consent (e.g. a checkbox) to obtain the person's information (e.g. their email, name, IP address or location received through cookies etc.), confirming that they specifically want to be emailed regularly by you. Whether they've downloaded your 'opt-in freebie' or purchased something from you, it's mandatory that they know and affirm that you can contact them via email.

b) You must have received specific permission to use someone's personal data the way that you do. For example, if you currently use Facebook Advertising, then you might use the function to 're-target' your email subscribers. Under the GDPR, a subscriber from the EU will now have to specifically allow you to use their personal data in this way. You can no longer assume that it is okay to target them through other forms of advertising, based off the email information they have given you.

c) You must inform your website visitors (and potential subscribers) unambiguously of how you store, use and protect their data. This is where a checkbox comes in handy. You can clearly state what you will use their data for, how it will be stored and processed and how they can have their data removed if they wish.

It's an absolute must that you are compliant with these requirements.
(If you feel like you need more info about the specific requirements, we like this post by i-Scoop).

Ok, I get it... I need to pay attention.
But how do I comply with GDPR?

It's a big one to wrap your head around. Don't worry, we feel ya!

Moving forward, it's important that any and all sign up forms hold the relevant information (that we've mentioned above). 

You might be wondering though, how you're going to fit all of THAT into one streamlined form on your website or pop-up.

Well, that's where your mailing list provider comes in handy. If you're using either Mailchimp or ConvertKit to handle your newsletter subscribers, both of these platforms now offer built-in functionality to help you comply with GDPR when collecting data of new subscribers.


If you're using ConvertKit, you'll want to follow this guide on how to turn on GDPR fields in your sign-up forms.

You have 3 options when it comes to enabling the GDPR forms in ConvertKit.
1. Do not enable
2. Enable for all new subscribers
3. Enable for EU web-traffic only

By enabling the GDPR compliant checkboxes, any new subscriber will be taken to a page that looks like the below after they've entered their email address through an embedded ConvertKit form, pop-up or landing page.

This will then tag your subscribers in ConvertKit according to what they have selected.

Currently ConvertKit only allows for these two checkbox options. If you require additional checkboxes (aka forms of contact), you'll need to hire a developer to help you code it.



If you're using Mailchimp, you'll want to follow this guide on how to turn on GDPR fields in your sign-up forms.

Turning on the GDPR compliant checkboxes for your form will show these on the sign-up form itself. So whether you're using the URL to direct people to sign up, have embedded the form directly into your website or are using Mailchimp's Landing Page feature, these will show on the form itself.

Just like with ConvertKit, your subscribers will be added to GDPR groups depending on what they've chosen. A benefit of the Mailchimp GDPR forms is that you can actually remove/add checkboxes according to what forms of contact you intend to have with your new subscribers. For example, if you've collected a mobile number in your form and you intend to send them SMS notifications of some sort, then you've got to add that as an individual checkbox for them to opt into to allow you to do so.

Our Honest Opinion

Both of these processes work fine if you're just wanting to email your subscribers after they receive your opt-in and maybe some retargeting marketing.

If you're after more complicated methods of communication, neither process really gives you all the options you'll need or makes it easy to do so. If you find yourself in this boat, we suggest you get in touch with us to help you find a solution.

I've updated my forms, I'm good to go now, right?

Well first up, good on you for doing so! We know that overcoming the tech can be a hassle, but you should be proud to have done so.

However, to be truly GDPR compliant, you have to actually communicate with your subscribers within the rules of GDPR (for your EU subscribers at least). 

Those tags we referred to above? Well that's where they come in handy.
Both Mailchimp and ConvertKit offer you the ability to create 'segments' according to what your subscribers have selected on their GDPR checkboxes.  

It's important, specifically for your EU subscribers, that you are using these segments to send out your newsletters, rather than your entire list! Subscribers who have selected the email checkbox can be emailed. Subscribers who haven't selected this, but might've selected one or more of the other forms of contact can't be emailed. That's just one reason you need to be utilising segments in your mailing lists. 

Not sure how to do all that? We'd love to help you get set up. Simply fill in our contact form and let us know that you want help setting up your GDPR segments!

What about my Squarespace Forms?

Currently, if you're using the Squarespace Newsletter block, this isn't enough on its own to comply with the GDPR requirements. Why? If your newsletter block simply states 'pop your email address below to sign up to my weekly newsletter emails', then you're probably okay, because someone is specifically opting into being contacted on a weekly basis.

However, if you're using the newsletter block to present your opt-in freebie and it's then assumed that you'll be sending out weekly newsletters, then you're not complying with GDPR.

Personally, we use ConvertKit, which allows us to implement streamlined and custom-designed sign-up forms on our website. With the ConvertKit process, subscribers are then sent to an external page to confirm their communication options, leaving our website design intact and streamlined.

However, if you're using Mailchimp and the built-in Squarespace integration, you're going to want to:

a) Ensure that your double opt-in is applied to all forms/lists that you have created in your Mailchimp account. This means that your subscribers have affirmatively acknowledged that you'll be contacting them via email moving forward (as long as your email states this!) and can confirm this via the button link.

b) If you have additional forms of communication (e.g. Text, Re-targeting Advertising, Phone, Direct Mail), you'll need to send them an 'Update Your Preferences' email before you can contact them via those means. Good news? Mailchimp have a template ready to go for you to utilise.

If you're doing the above, then you're likely to be complying with the GDPR for all subscribers, not just those in the EU, which is a plus in our books.

Sooooo, is it really necessary I do this?

If you've made it this far, kudos to you! You might still be wondering though if this is really necessary for you, particularly if your primary business is outside the EU and you don't currently have anyone on your subscriber list who is in the EU.

The thing is, in this age of the internet, anyone from anywhere in the world can find and visit your website. With the recent goings-on of the Facebook/Cambridge Analytica debacle, we have a hunch that more countries will be implementing these sorts of data-protection regulations in the future. 

As a business owner it's important that you're setting yourself up for success. So rather than taking the 'I'll just stick to my own sandbox over here' approach, take this as an opportunity to brush-up on your processes and ensure that you're protecting the data of your tribe.

What about my current subscribers?

We know that you've put so much time, energy and good vibes into lovingly creating your subscriber list and the thought of possibly not having as many subscribers because of some new legislation (that may or may not even be in your country) is breaking your heart a little.

At a very minimum, you need to identify your subscribers that are current EU residents and contact them with an opportunity to update their preferences (i.e. provide consent for email marketing purposes).

We'd encourage you to take this opportunity to do a spring clean of your list and its subscribers. You could offer them something new for updating their preferences, or simply remind them of all the great content that you have to offer.

At the end of the day the ones who update their preferences and want to stay are engaged and loving what you're putting out. The ones who don't? Well they probably weren't going to hire you anyway. 

Just so we are crystal clear, you absolutely need to identify if you have anyone on your list from the EU and if so provide them with an opportunity to update their preferences. If they haven't done so by May 25, then you'll need to remove them from your list altogether.

As a final note, there really is a lot to this topic and we couldn't fit everything in here that we wanted to say (it was a long one as it is!). But if you do have questions on how you can ensure that you're GDPR compliant please send us through an email and we'll do our best to point you in the right direction.

You can get in touch with JuJu Creative Hub via our contact form.