GDPR (the global data protection regulation) is now in effect. What does it mean for your podcast?
That’s a very interesting question - and as with many things in podcasting, the answer is going to be “it depends.”
On this episode I break down the GDPR as it relates to podcasting from MY perspective - and keep in mind, I’m not an attorney, European Union official, or compliance officer of any kind. I just read the thing and listened to a lot of people who sounded like they understood it better than me. GDPR could be a big deal for some podcasters - so get the scoop on this episode.
[1:19] What the HECK is GDPR?
[2:17] At what point does an audience member become covered by the GDPR?
[3:10] Most media hosts are on the ball with this thing
[4:44] Your listeners can request to be forgotten by you. Really? Yep, really.
[5:32] Do you gather data of any kind from your listeners? Then GDPR applies.
The Global Data Protection Regulation (GDPR) went into effect in late May of 2018.
What the heck is GDPR?
It's a law that is from our good friends at the European Union and it has to do with how personal data of citizens of the EU or those living, working, or traveling through the EU is collected and used.
You may be wondering, “I'm a United States-based podcaster or a Canada-based podcaster or a South America-based podcaster, what does an EU regulation have to do with me?”
Here's the answer to the question.
It applies to all companies or organizations that market to, sell to, collect data from, or do business with citizens of the European Union or those who live, work, or travel there. Podcasting is a global thing. I'm telling you, if you have been podcasting for any amount of time, there is no doubt someone from the EU has listened to your show.
Now the question for podcasters really is this:
At what point does someone in your audience become a person to whom the GDPR applies?
GDPR is pretty convoluted and it's huge - there's lots to read. So it's hard to really narrow down the restrictions and requirements as to how it applies to podcasting. But nevertheless, we as podcasters need to take this seriously.
The GDPR gives consumers/listeners certain rights when it comes to their personal data and if you do not adhere to what the GDPR says you should do in order to protect rights of those on the other end of your communications, you could be fined up to 20 million euros, or 4% of your organization’s annual revenue.
So like it or not, GDPR impacts all of us if we're collecting data of any kind. Even us podcasters.
If you host your media in a place like Libsyn or Blubrry or Spreaker or Podbean, all of those places have their own GDPR team who has made sure they are adhering to all the requirements of GDPR. So in the case of your actual media distribution, you have nothing to worry about.
But if you have your own website or use some kind of email capture form that enables you to get information from your listeners - say it's an opt in form, say it's products you're selling, say it's any kind of thing where people give you things like name, email address, mailing address, phone number, anything like that - you should take a look at the things within GDPR that apply to your collection of that data, because the GDPR impacts how you gather your data, what notifications you need to give to your users about how their data is going to be used, and how you're going to both collect it and store it.
There’s a lot of stuff to be aware of. Keep listening - I give you some best practices that I’m following and suggest you consider as well.
There's also this thing in the GDPR where a consumer can request to be forgotten or erased from your database completely. And this is not just an unsubscribe button, this is the equivalent of a “Delete me from your system entirely” button.
Okay, if someone’s personal data is sitting on some server somewhere that you have access to through an account, you have to erase it completely when requested. The MailChimps and AWebers and ConvertKits of the world already have their side of this nailed down - but you need to do your part too.
Listeners to your podcast who opt-in for your resources also have the right to know how their info is used and stored. And if there are brother or sister organizations that you deal with that are maybe under the same corporate umbrella, but are not the same company, you can't just pass data from one to the other anymore.
So does this apply to podcasters? Well, it depends.
Do you gather data from people?
My guess is if you have a website of your own, not the one your media host provides, but a website of your own that has some kind of a contact form or some kind of an opt in form to an email newsletter or some kind of a lead magnet, you probably need to pay attention to GDPR.
But you should also consider this - Does GDPR apply to anything regarding the guests you have on your podcast?
If you're like me, you collect data from your guests in order to have them on your show, whether that's just an email address, or a headshot or those kinds of things. You need to be able to clearly tell your guests what data you're collecting, how you're going to use that data and how you're going to store that data. It’s all a part of GDPR.
Before we get into the weeds of how GDPR compliance steps can be taken, know this: I'm not an attorney, I am not a GDPR expert. I have done a little bit of research and have applied what I think are best practices for my podcast and my business. But you need to do the same thing.
Don't apply the advice that I'm giving here wholesale, because it's not really advice. It's just me sharing with you some of the knowledge that I've obtained through research.
I’m about to describe what I'm doing and why I think you need to take steps to protect yourself.
The GDPR requires that you provide terms to your audience that are (and here are the terms that the GDPR uses) concise, transparent, intelligible, and easily accessible.
Your website/podcast’s terms of service are supposed to tell your users, in plain language, what it is that you collect, who is really collecting it (so the name of your company), how it's being collected, why it's being collected, how you're going to use it, who it's going to be shared with (if anybody), and/or what effect that collection is going to have on the individual.
YOU need to do YOUR very best to inform the users you're collecting data from of these things that GDPR requires.
And I recommend you make it obvious. For example…
That’s on every page of my website because I want it to be clear from the outset, I want you to know what I am going to do with your data.
Oh, man, I hate these kinds of things. Legalese - more acronyms - more laws we have to abide by.
But you know, that's the world we live in - and it's to protect our listeners.
It may be very simple depending on what you're doing, but just put it together and make it accessible, obviously accessible to those who may be opting in to the things that we're offering as our marketing tools, as our opt-in offers.
We want people to know that we care about their personal data and that we're going to take care of it once we have it.