Jeremy DeMerchant

GDPR for Coaches (With Gordon Firemark)

by | May 8, 2018 | Coach Pep Talk

Gordon Firemark is a lawyer specialising in entertainment law and new media. In this episode, he gets us coaches up to speed with the new EU General Data Protection Regulation (GDPR). Learn what you need to do by May 25, 2018 to comply with the regs – even if your coaching business has little to do with the European Union!

Show Sponsor – Life Coach Office

Watch Gordon’s free online course – GDPR For Digital Entrepreneurs


Transcript of GDPR for Coaches (with Gordon Firemark)

Benay: [00:00:00] Hello this is Benay Dyor, the Coach Guardian. And welcome from wherever you are to Coach Pep Talk, the podcast for people who run their own coaching businesses. Each week I talk to an expert who shares wisdom and helps us be better coaches and better coaching business owners. This week I’ve got entertainment and new media lawyer Gordon Firemark on the line talking to us about the GDPR regulations that are coming into effect on the 25th of May 2018. He’ll be showing us how we can get our coaching businesses ready for these new changes. So I’ll see you on the other side.

Benay: [00:00:38] Coach Pep Talk is proudly brought to you by Life Coach Office. Have you been looking for a way to securely store and hold all of your client information in one place online? Easily accessible by you the coach and your clients as well? Well you might want to check out Life Coach Office. Not only does it securely store information but you also have great functionality like an online classroom and a document storage facility as well as a coaching session journal and more. The best way to know if Life Coach Office is going to be a good fit for your coaching business or not is to go on over and give it a try. You can sign up for a free seven-day trial at

Benay: [00:01:21] Episode 28 of Coach Pep Talk is a timely discussion with Gordon Firemark. Gordon is an attorney whose practice is devoted to the representation of artists, writers, producers, and directors in the fields of theater, film, television, and music. He is also the producer and host of Entertainment Law Update, a podcast for artists and professionals in the entertainment industries. His practice also covers intellectual property, cyberspace, new media, and business corporate matters for clients in the entertainment industry. He’s the author of The Podcast, Blog, and New Media Producers Legal Service Guide. He’s also the founder and chief instructor at the Theater Producer Academy, the first of its kind and a comprehensive online theater producing course. On top of that Gordon has a beautiful resonant voice and I think you’ll really thoroughly enjoy our down to earth and practical discussion on the GDPR regulations that are coming into effect and that will be impacting your coaching business on the 25th of May 2018.

Benay: [00:02:26] Before we get into the interview a little disclaimer, although Gordon Firemark is a lawyer he’s not your lawyer and no attorney-client relationship is established by his appearance on this podcast. This interview is provided as general information for educational purposes only and should not be relied upon as legal advice. And without any further ado here is our discussion.

Benay: [00:02:51] Hello Gordon and welcome to the show.

Gordon Firemark: [00:02:54] Benay, Thanks for having me.

Benay: [00:02:55] I’m curious to hear what you have to say today. This GDPR stuff is huge at least in my team. It’s got everybody up in arms and I’m so happy and grateful that you can be with us today to inform my audience of coaches on this issue. But I wanted to just first kick off with getting to know you a little bit more because you’ve got quite an interesting background. And I’d just love to know how you got into being a lawyer for theater, film, and TV, and new media?

Gordon Firemark: [00:03:22] Well I was always going to be working in the entertainment industry. I discovered theater at the age of five, I was in kindergarten and I was in a school that was grade school to high school, you know K through 12. And as a kindergartner, they took us to see the high school kids rehearsing their production of Oliver and they sat us down in that theater and the lights went down on the stage, lights came on, the curtain went up, and I was just in the zone for the whole two hours the rehearsal was going on and I was hooked. And that got me interested in theater at that young age and stayed interested all through you know, junior high school, high school. In high school I was a tech stuff, I was the sound and lighting technician and began working professionally in theater before I’d finished high school. And off to college I go to study theater, which at the school that I chose was really much more about the acting than about the production and the business of it, which I should have known but I didn’t. So I switched over to radio, TV, and film. And in the course of my four years of college studying that discovered a bit of an aptitude for the policy and management and regulatory aspects of things and had a professor who actually suggested, hey you should go to law school. And when I finished laughing I did give it some thought. And after a year in the trenches in Hollywood, after college, and the writers had gone on strike, I decided that was in fact a good time to go to law school so it was entertainment first, law second. It’s been a driving passion of my life. You know all the time. So here I am being able to combine my passion with my aptitude and helping people do the things that they love to do. So…

Benay: [00:05:09] I’m a huge believer in combining passion and aptitude and I’ve found that in my line of work too, and man it’s just such a beautiful space to work from. I just want to say you, your first story was Oliver and I was actually Nancy in Oliver in my high school musical production. I had a little kid come up to me at the end in tears and her mom like had to introduce us, because of course Nancy dies and she said she’s not dead she’s really alive. So you know my acting must have been brilliant.

Gordon Firemark: [00:05:39] That’s wonderful.

Benay: [00:05:40] Anyway. Okay so that is a really cool story. And I love that, you know, you found your niche and your calling by combining your passion and your aptitude together. Beautiful. OK. So can you tell me how your expertise is relevant to online coach entrepreneurs and how there’s an overlap there with your expertise in this field?

Gordon Firemark: [00:06:03] Well first of all let me say that I also come to this from the perspective of a coach as well. I have in addition to my law practice, I have developed a number of online courses and recently started doing some, well, calling myself a coach in that a lot of my work as a lawyer has been advising clients more about life and strategy than about the legal. And so I decided to embrace that and consider myself a teacher and a leader and all of that. So that’s part of it. But in the course of doing entertainment law for the last twenty-six or so years you know, the entertainment industry and the online digital stuff has all converged into the same big old messy pot of stuff. And so I’ve had to learn and study how the law applies to these industries and with my own interest in coaching, of course I’ve been paying attention to that. And you know I’ve sort of scratched my own itch by learning this stuff and getting up to speed. And fortunately I’ve got a way to turn that into a part of my business.

Benay: [00:07:11] That’s perfect. I mean I’m so happy too that you’re a coach because you know exactly… I mean I guess you’re having to apply all of this GDPR stuff, which we are going to get to in just a minute, to your own business, your own coaching business. Yeah. So it’s just perfect. Thank you so much. I’m so glad that you’re a part of our online Facebook group. And that I could reach out to you, it’s just awesome. OK so the big thing you know, facing the community, the coaching community right now in the legal space, as far as I’m aware anyway, is this GDPR big change that’s coming out at the end of May. And I know that a lot of my audience are like oh what’s this? How does it impact me? So I was just wondering if you could kind of set the stage for us. What is it? What does this funny acronym stand for? And why is it so important that actually coaches pay attention?

Gordon Firemark: [00:08:01] Okay so GDPR stands for General Data Protection Regulation, and what this is, is a series of regulations that have been established and enacted in the European Union. And it’s actually been a couple of years since they enacted it and it now comes into full force and effect on May 25th, 2018. So those of us who have been scurrying around recently to get it all together, we’ve had the time, we just haven’t used the time to you know to be aware of and so on. So now it is sort of a hot issue. We’ve got about three weeks until this kicks in and becomes the law. So what it is, is really a series of regs designed to protect the privacy of data subjects, people who live in the EU, and they have had their fair share of data breaches and hacks and things like that that have mostly gone unreported. That the law hasn’t really been in place to require companies that have lost data or misplaced data or those kinds of things, to do any reporting. So that was sort of the impetus to get this thing into place. And in the course of doing so they’ve set up a fairly complex set of requirements for people who collect, process, and retain/store data about EU subjects, EU data subjects. So that’s really the, those are the three phases: the collection, the processing of data, and the storage and retention or disposal of the data. And you know we can boil it down into some pretty simple principles, but first of all the big question is I don’t live in the EU, I don’t operate a business in the EU, do I have to worry about this? And the answer to this is that if you have a website and the website uses cookies, or Google Analytics, or you collect email addresses, or anything and your website is more than just you know incidentally, occasionally someone in the EU sees it, you need to be thinking about this stuff. And the fact is it’s good policy to be on top of privacy and security for your data anyway. So you know, over time those that comply will have a little bit of a leg up on those that haven’t bothered to do it. So there you know, it’s about privacy and it’s about the integrity of the data. Making sure that you know, it’s secure and the more data you collect the bigger of an issue it is for you. So…

Benay: [00:10:41] Yeah. So I guess that’s something that I know that we’re looking at and in our business because we do hold, we hold data in our email list and then are you know we hold our client’s data and stuff like that. And you know I’m based in Australia. A lot of my clients are in the States. But you know we do have those EU ones and when the GDPR comes in it’s like do you just focus on the EU people clients and their data, or do you focus on across the board? What is the guideline around that or even your viewpoint about how you’ve handled it in your business?

Gordon Firemark: [00:11:18] My thinking and my approach, which is by the way still underway. I haven’t implemented most of the stuff yet for myself. I’m a work in progress, but my approach is going to be to do it across the board as a general rule. Just so that I don’t have to think about oh those people are in the EU and the rest of us are over here. It’s going to be one approach to everything. If you’re a giant company and you’ve got you know, some business in the EU and some in other countries it may make sense to segregate it and separate out how you do things out to capture when anybody lands on a Web page where they’re coming from. I don’t want to bother with that technology. I think that’s, you know, I don’t have a staff of tech people to make that work. So I’m going to implement GDPR compliant policies across my websites, across my other stuff, law practices have some special issues that I won’t get into too much tonight but we keep a lot of information about our clients that is very sensitive data and you know how we disclose to the clients what we’re doing with that and so on, it is an issue. And that’s really what GDPR we need to be thinking about for folks that are coaches because that also may be sensitive data. It’s more than just a name and an e-mail address right?

Benay: [00:12:32] Yeah yeah. That’s interesting. We’ve gone we’ve decided to go across the board strategy too, so that we don’t single out certain types of clients and we just make sure that the whole policies comply. Because I imagine too as we go forward, other countries and regions are going to jump on and start having their own sets. So if we just kind of keep up with them it could be a good policy.

Gordon Firemark: [00:12:53] Yeah I think it’s only a matter of time before the U.S. at least and many other countries start to implement similar policies or to adopt, you know, GDPR clone kinds of policies. I think GDPR has its flaws in a few places it’s a little shortsighted, we’ll talk about why I think that later on, but it’s a little shortsighted in some ways about how business actually operates in the modern era. The folks that implemented it are European politicians not tech.

Benay: [00:13:24] Sometimes that’s a good thing. OK. Before we go into some of the details of GDPR and what coaching business owners need to specifically look at to make sure they are GDPR compliant in their coaching business, I want to just get back to that why, why is it so important? What’s going to happen if you don’t do this?

Gordon Firemark: [00:13:40] The consequence of not complying, if there is a complaint or if the regulatory authorities somehow catch on to the fact that you’re not complying they can impose fines, and the structure of the fine is 4 percent of the offender’s worldwide revenue over the past 12 months or 20 million euros, whichever is the larger number I believe. So you know for a company like Facebook that could be in the billions and billions of dollars. For, you know, small operations like you and me, I don’t think it’s that I mean it’s not likely to be a lot of money, but nobody likes paying out money in fines if they can avoid it. And this is something where if you do things right you can avoid it. So there we are. That’s why we do these things. The other thing I want to make sure that people understand, is this is not something that should induce panic. It should induce an appropriate level of concern and we should be taking it seriously and doing what we can to comply as soon as possible, hopefully by the deadline. But you know, the world is not going to come crashing down on the twenty-sixth of May if you don’t have your policies in place. And the regulators aren’t going to be coming knocking on your door. So, one of the other questions that I get a lot is how can the European government enforce their rules against me? I live here in the U.S… And the answer is the U.S. and the EU are pretty friendly and they have treaties and they have international law that does these things and so don’t think you’re going to get away with it, if they realize that there’s a problem. But also let’s remember it’s only if they realize there’s a problem and everything is meant to be proportional to the size of the business and the scope of the offense. So let’s not get panicked.

Benay: [00:15:36] OK. I like that. Thank you for pointing that out. That is really important. You know, do your best, do your little checklist. And it’s a good place to start. Okay so let’s start looking about what does sort of a normal small coaching business owner need to think about and do to be prepared for this May 25th deadline?

Gordon Firemark: [00:15:57] Well step one is to think about and actually do an inventory, or sort of an audit, of the kinds of data that you have about, or people in the EU as the bare minimum. But think about this, so you know we all have an address book that has names, addresses, phone numbers, maybe birthdays, those kinds of things. That’s data under the GDPR rules right? If your website collects information about the browser and the IP address that it’s coming from, and most websites do collect this stuff, if your website drops cookies, you have disclosure requirements about that as well. And if you collect information in the marketing context, you know like using a mail in service to send out lead magnets and then have a newsletter, those kinds of things, you’re collecting data. And so if any of the people who provide that data to you are from the EU, this is where we have to comply. So I think I answered the question.

Benay: [00:16:57] Yes. OK. Yes, so the first step really is to be really clear, do that inventory, about what kind of data do you have. And then once you do that audit, and it sounds like that includes any place where you’re storing your client’s information on your own computer. Is it even in your, like your paper files? Like how far do you go?

Gordon Firemark: [00:17:19] In your paper files and the part of the GDPR talks about the security and integrity of the data. So you need to keep things, especially the sensitive stuff, under lock and key and only people who have a need to see it and work with it to process it should have access to it. So that’s the kind of thing. The GDPR sets up two categories of data handlers, one is the controller, that’s you and me the business owner that has a need for the data and to do something with it. And there are data processors, data processors are the firms and the entities, and you may be both, you may be a controller and a processor, but the firms and entities that do certain things with our data, for example if you use a shopping cart service, if you use an e-mail service like Aweber or ConvertKit, or MadMimi, or…

Benay: [00:18:13] ActiveCampaign, yeah all of those. Infusionsoft.

Gordon Firemark: [00:18:18] All of those. So those companies are processors, and they are subject to these rules too. And you want to make sure that the ones you use are following the rules about how the data is collected, stored and eventually removed. So. So you identify what you have. Make sure that you know what you’re doing with it. That you have a legal basis to do what you do with it. The legal basis can be, there are many of them, but the basic legal grounds are you know, you’ve got a contract you’ve sold somebody a product and you need to deliver the product to them or you need to provide continuing service to someone. Then you need to have their information so you can reach them and give them the thing that they have paid you for, or promised to pay for. Or if you have some other legal obligation, like I do as a lawyer, I have an obligation to keep certain data for a certain amount of time. Similar with medical practices. I don’t know if coaches necessarily have a formal legal obligation but might be something to think about. Are there vital interests at stake or some public task or some…? There’s the big catch-all is legitimate interest. You know if someone has contacted you for a particular kind of information, then you’ve got a legitimate interest in keeping their data so you can provide that information to them over the course of time. And then the final big one is consent. And we are gonna spend a lot of time talking about what’s required with consent.

Benay: [00:19:41] So is that the third step? So it’s inventory, what do I do with it? Is it… And how am I legally using it? And then consent is a third step.

Gordon Firemark: [00:19:50] Well getting consent from anybody new, but also refreshing the consent from folks that you’ve already got in the system. Unless the way you collected the data originally is compliant with GDPR. You’re supposed to before May 25th, this is the big urgent one… You’re supposed to refresh that consent. Get them to acknowledge the kind of data that… Look. What you do is you tell them is we have this kind of data, we collect this, you gave it to us, and here’s why we use it. Here’s what we use it for. And you know, check this box to say yes, you want to stay on this list, basically. Or keep in touch. And so again for the coaches if you’re reaching out to your clients you say you know I use this data to keep in touch with you and provide these things and so on. You know, please acknowledge and say yes, you want to continue otherwise I have to remove you from my list. And that’s really what it comes down to.

Benay: [00:20:49] And it’s not, I mean when you’re talking about, just to say a client list, let’s say you know you have just a very personal one on one relationship with your coaching client, do you have to email all of your personal clients and get them to e-mail you back?

Gordon Firemark: [00:21:02] Or check a box. You could direct them to a website and say I’m going to be purging anybody who doesn’t check the box by this date. And so please visit this website and click the box.

Benay: [00:21:15] So the world is going to be inundated with uh re- uh…

Gordon Firemark: [00:21:20] Well have you checked your e-mail lately? Have you noticed how many privacy policy updates people are getting?

Benay: [00:21:27] Yes.

Gordon Firemark: [00:21:28] That’s all part of this. Everybody is scurrying to comply with GDPR and that’s what these privacy policy updates are. That’s the next thing to think about is get into your privacy policy and make sure that it is compliant with GDPR. The privacy policy has to include all that same kind of information that I was telling you about. Who you are, what data you’re collecting, why you process that data, what the legal basis for holding the data is. And how and when and if you ever transfer that data to other parties, especially across international boundaries or outside the EU. How long you hold the data and the rights of the subjects with respect to the data to access it, to make changes and corrections to it, and to remove it. And also they have this right to be forgotten. And that’s a big one because it means, you’re not allowed to keep their information for any purpose. Once they say I want to exercise my right to be forgotten, you delete them from the list. You know, normally someone unsubscribes from your list, they’re still there in your system, just with a tag or something that says don’t send them stuff. And you want to… You know there are good reasons that you want to keep that. But nowadays the GDPR, excuse me, the European subjects can ask to be completely removed.

Benay: [00:22:49] Okay. All right what else, what else are the big things that coaches need to do to be prepared?

Gordon Firemark: [00:22:56] Well so identify what you have. Identify how you use it. Notify them. Get their consent. And update your privacy policies on websites. If you gather data from your subjects on paper, if you hand them a form to fill out or something like that, it also should have a privacy notice printed on it that explains what you’re doing with this data, all the same information. And then yeah, refresh that consent. Then… So that’s the collection phase. How we collect the data. Once we get into the storage and the retention and processing phase, we have obligations of data integrity and security. And if there is a breach, you’ll have to notify the subjects within 72 hours of the breach. You have to notify the authorities in the EU as well. What else is there… I’m looking at some crib sheets here.

Benay: [00:23:58] What would be an example of a breach? A storage breach, is that what we’re talking about?

Gordon Firemark: [00:24:03] Well let’s say, here’s an example so I use a service called ConvertKit for my emailing service. Right. Right. They’re the ones that send out my e-mail newsletter. If somehow my account were hacked at ConvertKit, or their system was hacked and somebody got everybody’s e-mail address, then, and was using it, it was potentially going to use it for some improper purpose or I don’t know. I don’t know maybe a Cambridge Analytica kind of a thing with Facebook. The data was used inappropriately. Facebook would have an obligation to send a notice to its users saying this is what’s happened. This is what we’re doing about it. And this is how you can protect yourself. Same thing if you will.

Benay: [00:24:49] So, when it comes to sort of a coach being in their preparedness for the GDPR deadline for the 25th of May. What exactly do they need to do in this sort of storage space? Like I found the collection phase was really relatively clear but in the storage phase, I’m a little bit confused. Like is there anything you need to do, or do you just need to be prepared if you get hacked?

Gordon Firemark: [00:25:12] Well step one is make sure that the services that you’re using are compliant with GDPR and will notify you, if your, if their data has been breached and therefore yours is at risk. So that you comply with your obligations. I think it’s important to back up the data. So if you’ve got a big emailing list, you want to download that and encrypt and store it somewhere safe, so that God forbid the data isn’t just hacked but also destroyed, you have a way of going and reaching out to those people and saying here’s what happened. Otherwise their e-mails are gone. How do you do it? Right. So. So I think that’s pretty important. And you just sort of you know being vigilant about it. Also train your staff, if you have employees that are accessing the data. It’s important that they be trained and understand the ramifications of things and what their responsibilities are. Many many data breaches are the result of an employee grabbing the Rolodex. The digital version of a Rolodex. And so you know, some supervision of the employees in that regard is also worthwhile. I’m sure that if you’re firing somebody, you’ll lock them out before you tell basically.

Benay: [00:26:27] Yeah well we’ve had a recent thing too, where we’ve had to review all of our employee contracts and just make sure that you know, they sign and date and agree to all this sort of stuff up front.

Gordon Firemark: [00:26:41] That also brings up another point actually, employees. If you have people who work for you in the EU, you have data about them in that regard too. And you have the same obligations with respect to keeping that data and so on. Now you have a legitimate interest in holding that data even though they may not want you to keep their information. You’ve got reasons that you have to, so that there is some give and take in some of this.

Benay: [00:27:06] Yeah. Yes, I mean some of these contracts that I’m having to put together just like, oh gosh, I seem like a pretty dogmatic person. OK. So is there anything else important for the basic small coaching business that they need to concern themselves around with preparedness in a storage capacity before we move on?

Gordon Firemark: [00:27:24] Well storage and processing. So the other component of this is that you only process the data for the purposes for which you have authority to do so. So when you’re gathering that data, you have to ask them specifically, may we send you marketing material? May we send you our newsletter? You know those kinds of things. And the protocol seems to be there needs to be a checkbox that they click and if they don’t then you don’t send them the newsletter. You don’t send them the marketing material. So you’re not exceeding the scope of the authority given and that needs to be pretty granular and very, what’s the word I’m looking for, informed consent. It needs to be very specific and clear and uncoerced and set.

Benay: [00:28:08] Yeah. Yep. We’ve been going through that same thing. Do you want to be on our newsletter? Do you want to be on our podcast? You want to get affiliate promotions? Do you want to get promotions from us? Oh gosh. And then you have to kind of be forward thinking and think which ones I might add in the future. Interesting. Can you just, I just want to backtrack a tiny bit. This whole thing of processing data. Could you, put like a definition or something around that for coaches who don’t quite understand what that means?

Gordon Firemark: [00:28:37] Well processing data is basically anytime you do anything with it beyond just looking up a phone number you know. So if you are sending an e-mail list. If you’re sorting the list, that’s technically considered processing. If you decide that you’re going to… Now of course there you can be getting a decent deep analytical stuff about the data too, if you’ve got important information that you can you know, identify certain segments of your list or of any data that you have. Uh, pretty much any transaction with the data that happens is considered processing. I think the term is really just to distinguish from the owner of the data vs. the company that’s doing the thing with it. But every time you ask them to do something with it you’re processing. Does that make sense?

Benay: [00:29:28] It’s a kind of anytime you use that data you’re storing, that’s kind of processing.

Gordon Firemark: [00:29:36] And even storing is technically a processing of data.

Benay: [00:29:40] Oh gosh, gosh, I love it.

Gordon Firemark: [00:29:42] But it’s a distinction we don’t need to worry too much about. The point is we’ve got to keep the data secure and we have to only use it for the purposes we’ve been given consent for.

Benay: [00:29:53] Yeah I love that that’s really that’s really poignant. Could you just say that again, because I think everybody who’s listening needs to stop what they’re doing, unless of course you’re driving a car in the middle of traffic, and write this down. So I think it will help us all stay very centered. Now hopefully you can remember.

Gordon Firemark: [00:30:09] Right right. Well I’ll say it another way but it’s basically when you obtain consent for the use of a bit of data that you gather from somebody, when you get that data from them, you ask them for permission to use it for certain purpose. That’s the only purpose you may use it for. You may not take data from… Here’s an example. You sell a product to a customer, and then a week later you want to send them a follow up note about the product, that’s allowed because it’s related to the product. But if then a week after that you want to send them an opportunity to buy an upgrade or something else, now you’re sending them a marketing message that they didn’t consent to you sending. And that’s a violation. So you need this granular consent. Only use the data you have for purposes authorized by the owner of data, the person about whom the data is.

Benay: [00:31:05] Got it. And I think that’s really key. So I’ve just written get the data and get consent for how you’re going to use it. At the same time.

Gordon Firemark: [00:31:13] And don’t exceed the scope of that consent.

Benay: [00:31:16] And okay and honor your word. Don’t exceed…

Gordon Firemark: [00:31:19] Yeah really. You know, be a good person.

Benay: [00:31:21] Yeah, don’t exceed. OK… consent. OK, is there… So we’ve talked about collection, we’ve talked about storage and processing, is there anything else we need to cover? You know for coaches, just considering, okay, how do I need to be prepared for this GDPR?

Gordon Firemark: [00:31:38] You know there are lots of sort of special case scenarios that come up and coaches I guess in some sense are. If it’s if you have data about them that is sensitive, so more than just their name and their contact information and you know sort of generally about who they are, but if you have financial information, health related information, anything that people have sort of higher expectation of privacy about. It’s really smart that the data also be kept encrypted so that it cannot just be accessed by anybody who happens upon a computer file, something like that. Really the security of the data becomes more a higher priority.

Benay: [00:32:17] I think that’s a really important thing actually, because data sensitivity, just understanding what that means, I mean if you are a coach you know you could be having quite personal conversations with people about their past and their emotional well-being and so on.

Gordon Firemark: [00:32:32] So well if you’re taking notes, or recording those conversations then then you’re collecting data. And by the way data can include things like a photograph or a video recording. So yeah. If you’re if you’re gathering anything more sensitive, you know.

Benay: [00:32:51] OK. So all that. That’s interesting because that was one of my questions actually is what qualifies as sensitive. Is it being it just financial or health care. No. What I’m hearing from you is it’s actually bigger than that. It’s any anything that they might be embarrassed by or nervous about being found in public. Like where do you delineate where do you draw the line?

Gordon Firemark: [00:33:11] Well I wouldn’t go saying anything that they might be embarrassed about because people can be embarrassed about things that are really not sensitive.

Benay: [00:33:19] That’s true. Oh My Gosh my birthday is on this day, I’m so embarrassed-ha.

Gordon Firemark: [00:33:21] But you know, things that are just there’s a reasonable expectation that will they will be protected more. I mean they’re in here in the U.S., we have a number of laws that restrict education information and well stuff about minors is always considered sensitive. That’s something else we will talk about. But health related, financial related, credit stuff. Yeah you know very personal kinds of stuff. Yeah. And you know let’s face it if you’re a coach and you’re and you’re recording conversations then you’re probably going to get into that sort of highly personal level stuff that is yeah, that you know if… religion, your religious beliefs, your political beliefs, these are other kinds of sensitive data. Racial, ethnic kinds of things as well. So if you’re gathering that stuff and retaining it in some you know, discrete way then it ought to be kept more secure, as securely as possible I should say.

Benay: [00:34:29] Ok.

Gordon Firemark: [00:34:29] Let’s talk about the kids for a second, you know, because I mentioned them. You know you need parental consent when you gather data from anybody under 16. Here in the U.S. We have some laws that set the bar a little lower at 13. But let’s just go with 16. If you’re getting information from somebody 16 years or younger, you need their parent’s consent. And again, if you’re collecting any personal data about children under 16, need to have that informed consent from the parent.

Benay: [00:35:02] So that’ll apply to any of our listeners who are coaches who are working with minors, like counsellors and so on that are working with kids.

Gordon Firemark: [00:35:11] Yeah if your business is tutoring or something like that it applies. And it’s also that education data stuff so, you need the compound consent and also, this is across the board, when you get consent you need to make sure that there are records of how and when consent is obtained. So, you know, if it’s just a check box there’s no saying what if the kid checked the box on behalf of the parent or what. So you need to implement some additional protocols to make sure you’re getting real parent consent.

Benay: [00:35:45] Right right. I have a feeling this, that this interview is going to open up a lot of additional questions. There are people who are listening… Like oh…

Gordon Firemark: [00:35:54] Never ask a lawyer for a concise answer on what to do because it will be, well it depends.

Benay: [00:35:59] So true. OK. What else. As far as preparedness?

Gordon Firemark: [00:36:06] Well certainly…

Benay: [00:36:06] I just want to make sure we’re hitting the low hanging fruit. The big things that at least start their process in this podcast, because obviously we can’t cover everything and in this episode.

Gordon Firemark: [00:36:16] Look I think updating your privacy policies is the big one that needs to happen right away. And also if you have you know online forms that you collect the data, the forms need to be brought up to speed. And that is that you have to tell on the form itself, you have to say here’s what we’re gathering, why, and how you know, you can link to the privacy policy right on the form and have that tick box that I mentioned for the additional marketing material or the newsletter or whatever it is. But beyond that I think we’ve pretty well covered it. You know you want to have analysis, you want to educate your people, implement the safeguards and systems that we’ve sort of talked about, adopt a retention, oh this is the other one… retention policy. You have to have a system to make sure you don’t keep the data longer than you really reasonably need it. So that may be a few years after the relationship with a client ends, because if you’ve got, I don’t know, you know risk of malpractice exposure or just need to be able to you know, prove something happened you know, whatever or didn’t happen. You want to be able to have that data, but once it’s sort of reasonable to assume that there’s no need for this data anymore, you have to dispose of it. And then you also have to have a policy in place for how the data subject can get the data… access the data, modify the data, or remove the data. And it has to be basically as easy as it was to provide the data in the first place. It can’t be, well I gave you an e-mail on a web form to join, but if I want to unsubscribe I’ve got to go have a notarized letter sent to the to the company’s, you know, Belgium office or something like that.

Benay: [00:38:06] OK.

Gordon Firemark: [00:38:07] Yeah. So and then beyond on the retention policy, updating the privacy policies notices.

Benay: [00:38:16] OK. So we I actually I was very excited about our interview and I put posted on my online coach entrepreneurs Facebook group that we were gonna have this discussion and a couple people did post some questions. I was hoping we could go over to that and maybe you could address a couple of those? So let me just look over there and get some questions from people. Okay, so here is a question from Jenny and she’s curious about, so she’s really curious about the opt in, so you know when people opt in for a lead magnet or a freebie. And the disclaimers. How to phrase your disclaimers and then she says, but most importantly if you think that a checkbox is necessary or by having a clear disclaimer and stating that by filling up the email address they’re giving consent. Is that enough? Hope this makes sense.

Gordon Firemark: [00:39:13] So this is that, that question about the scope of the authority given in the consent. You know if I provide my email address I’m doing so because I want to get something. But I may not want to get everything you want to send me. So you need to be, as I said a little more granular about the nature of the consent. The form itself should specify what it is they’re opting into and the protocols really is a checkbox. You know it should be, and that is not checked in automatically. So when they go… I just did this today on my site… Put the tick boxes on. If you if you want to send me a question through a form on my website or whatever you fill this thing out and you have an option, yes please send me your newsletter which contains these other things. That’s the way I would articulate it. Is have the tick box with the, yes please send me blank. And that’s what you’re allowed to send, if it’s a newsletter, if it’s marketing materials, if it’s whatever. You know, great offers and deals, those kinds of things and they check the box and then click the Submit button and you’re good to go.

Benay: [00:40:19] Can you put all of those things under the one tick. Like, can you say, I want to get your marketing stuff, your podcast, and de de de de de, or should you itemize each one out and put them on different lists based on what they select?

Gordon Firemark: [00:40:29] If they select the guidance that we’re seeing from the you know the ICO, which is the authority in England that sort of advising folks about this and the general principle seems to be, no, you don’t want to have the laundry list of hey, yes you can send me ABCD all this stuff, but if you put a form together that has five tick boxes on it, people aren’t gonna tick any of them right, or they’re gonna tick all of them. So it’s a, there’s a fine line here. I’d say if you’re really targeting EU people as your customers you want to be more discrete and granular about this stuff. As a practical matter I think most of us can do you know like mine. What I did was I said what is a newsletter and off… is my newsletter contains my offers. I’m not going to go sending them separate advertisements and pitches. It’s really just the newsletter. So that’s the, that’s how I’m approaching it. I think if you have multiple categories of stuff. First of all, if you’re selling somebody a product you have the authority to send them information about the product, how to use it, recalls, warranties, you know that kind of stuff. And so the further scope of the newsletter or the advertising marketing materials is where you need the tick box.

Benay: [00:41:50] OK so if somebody does come in and buy like a coaching program or e-book or something from you and they buy it. Do they are they automatically… It’s not like they have to opt in to get that that updated information about that product because by buying it they are pre opted in? Is that…?

Gordon Firemark: [00:42:08] Well they’re opting in to receive the product.

Benay: [00:42:11] The product Yeah.

Gordon Firemark: [00:42:12] And stuff that relates to them you know, so they can better use the product, as long as it doesn’t involve selling them something more. I think that’s really, you know you have a legitimate interest in telling the client, the customer, how best to use that information or the product. Or how best to access it or how to protect themselves because you found a flaw you know, whatever that might be. But when you want to then tell them about your other product, That’s the thing that requires that additional consent.

Benay: [00:42:42] Got it. Alright. OK. OK. I think that was pretty clear for Jenny. And Mo said that’s a great question. There were a couple people who said I’m blind to this. Tell me more. Here’s one. I’d also like to know how to deal with it if I have two businesses, can I share information and contacts from one to another? If I have their permission can I cross promote?

Gordon Firemark: [00:43:09] Boy this is a little tricky. My thinking is probably not. I mean I guess if you have a hairstyling business and a nail salon business next door to you, you know figuratively speaking, next door to each other you might be okay sharing the list. It wouldn’t be unreasonable thinking. But again if they’re not under the same digital roof for lack of a better term, I would be hesitant to cross promote across the two lists. Yeah again, unless you could use something in a consent like you know, may we share your information with our affiliates or we own another business you could do the tick box like that. We own this other business and would like to send you information about that too, click here.

Benay: [00:43:58] So it’s really just about, just really getting very clear consent I think and being an honorable and a person with integrity. If you follow those rules, you’ll actually be okay and that the EU is telling us that we actually have to get approval first before we start spamming people. Not that you know any of us actually do spam people of course. OK. Moving right along, here is one of your clients there. I’m clueless and then we’ve got this one, and are there any requirements associated with GDPR that must be carried out by humans behind the scenes, beyond the payment process? I think you’ve actually already answered that. Is there anything you want to add?

Gordon Firemark: [00:44:39] Well I do think you know, look humans have to make the make the determinations about what we’re going to do with the data. And so yes humans are involved in this. It isn’t a completely automated thing. One other thing that isn’t really strictly speaking GDPR, but you know if your website uses cookies, which many do just to sort of track what the users are doing and keep them getting a more tailored experience you also need to make sure that they consent to that at the time that the cookies are being dropped. So there are some really cool online term, uh tools that make that pretty easy.

Benay: [00:45:15] And can you recommend any?

Gordon Firemark: [00:45:18] Actually I discovered this one because of you and it is called

Benay: [00:45:25] Ah good, Jenny has been really good at getting those things in place.

Gordon Firemark: [00:45:28] It’s really easy and I just implemented it right before we started our call tonight actually. It took me all of three minutes to accomplish it. So it was great.

Benay: [00:45:38] OK, but the cookie acceptance isn’t actually a part of GDPR or that…?

Gordon Firemark: [00:45:43] Well it is, it is, but it’s a little bit different. Yeah because what it is, is the cookie is actually data that’s being deposited on the user’s computer. So it’s going the other direction but it’s yeah it’s still covered under GDPR, but it’s just something that you might not have thought about because you’re not collecting the data. Of course unless your website is sophisticated and actually tracks who’s using those cookies for what elsewhere on the web, which many sites do so…

Benay: [00:46:09] Yes.

Gordon Firemark: [00:46:09] You want to be disclosing you’re using cookies for.

Benay: [00:46:12] Okay. And this one I think we’ve covered, this is from Kimberly. She’s wondering if… so she’s got two questions. She’s wondering if there is a place where she can get a sample privacy policy statement? And then also what, do we need to tell them that I use Google Analytics?

Gordon Firemark: [00:46:31] So on the Google Analytics question absolutely yes because Google Analytics does, they are a processor of data. So you are collecting the data and they’re doing stuff with it to help you figure out how to reach these people better or where else, what are their other interests are. Right. So that’s definitely something you need to tell them specifically. What you use google, that you use Google Analytics and what it’s for.

Benay: [00:46:56] Would that be in your privacy statement, is that where you tell them?

Gordon Firemark: [00:46:59] Yeah, In the privacy statement it would say, we use certain analytical tools like Google analytics to help us provide a better experience, you can you can finesse it a little bit and spin it. But then you do need to tell them specifically what’s gathered and how it’s used and how long it’s kept. And Google will provide you with that information on, I think on the right on the analytics set up pages now that they’ve got a link to that information.

Benay: [00:47:25] And along those same lines if you’re using you know an email marketing system like MailChimp or Active Campaign or AWeber. Do you need to tell them that too in your privacy policy?

Gordon Firemark: [00:47:36] Yes the privacy policy needs to disclose any time you’re transferring data between, well from you to others from your company or your business to others including all the various processors. I don’t recall if you need to disclose the specifics about which companies you do that with, merely the fact that you use these services to provide certain components of your package of services and therefore you’re transferring the data. And that by consenting, continue to use the site, they’re agreeing to that.

Benay: [00:48:08] OK. So you don’t actually have to list all your providers?

Gordon Firemark: [00:48:11] Right.

Benay: [00:48:12] Okay.

Gordon Firemark: [00:48:13] The policies I’ve seen are much more general in that regard.

Benay: [00:48:18] Okay cool. That’s a nice distinction, thank you. Make it okay. And then Kimberly’s second question was, where do I get a sample privacy policy? Is there is there a place where you can go give me a privacy policy?

Gordon Firemark: [00:48:31] Well I’m in the business of selling the service of making privacy policies so um….

Benay: [00:48:37] Perfect!

Gordon Firemark: [00:48:37] Well I’m not I’m not trying to make a sale here, but just saying you know so it’s a little awkward for me to recommend where you can find a sample privacy policy.

Benay: [00:48:44] Well I won’t put you on the spot there, she can google it.

Gordon Firemark: [00:48:47] Well they are out there and I would say Google GDPR compliant privacy policy. My caution on that would be that every business is different and the kind of data you collect is different so you’re going to be doing a lot of customizing anyway and it makes sense to sort of, if you don’t know what the questions are to ask, you know, have someone who does Do you have privacy policy.

Benay: [00:49:08] If this is something you do would you. We didn’t actually talk about this beforehand but would you be willing to sort of share kind of what the ballpark ranges for doing a privacy policy for a smaller coaching business?

Gordon Firemark: [00:49:21] You know it ranges from about 500 U.S. dollars up depending on the complexity of things.

Benay: [00:49:29] Well that’s good, that at least gets people who are listening, if they really want a helping hand, who knows this stuff, kind of what they’re looking at investment wise.

Gordon Firemark: [00:49:35] Right. And that and you know that is custom tailored bespoke work by a lawyer. There are some services on the web that provide a privacy policy for 50 or 60 or 70 dollars and a much more automated kind of a thing which may be fine for many businesses so I wouldn’t…

Benay: [00:49:52] I appreciate your absolute transparency with all that. Thank you so much. I know our listeners well too. OK. So that covers the main questions from the group I guess out of that Gordon is there any other thing you want to throw in or add to before we wrap up?

Gordon Firemark: [00:50:10] Well again I just want to reiterate, don’t panic you know, give this the attention it deserves but no more. And you know, excuse me, just keep in mind that that that three-week window now is closing. So you know sit down today, tomorrow and have a look at your privacy policy and you know find some good examples as your follower has asked for and do the best you can. You know, proving that you’ve tried and you know if you missed the mark a little bit is better than not having tried it all and just thumbing your nose at things. My biggest concern would be about the way you gather that information. The forms that you use to collect data because that will be the red flag for people. They’ll see that and say ooh, they’re not doing it right you know, exactly.

Benay: [00:51:08] Okay. Well and I think too, I mean what this this whole legal alarm bell, you know it’s kind of been a legal alarm bell in my business you know, we’ve all been rallying around. But what it’s really brought to my attention is that there is a shift happening kind of in a global space around data and privacy and protecting people’s, people’s right to privacy and the use their data. So just going forward as a coach, you know it’s a good idea just to be very mindful of what you’re storing, how you’re storing it, and how you’re using it. And making sure that you have buy in in advance. And if you can just integrate that philosophy as you go forward you know, on your coaching journey then you’re going to be in pretty good hands. Are you going to you know you’re gonna be pretty well-off?

Gordon Firemark: [00:51:53] You know I did think of the one thing that I didn’t really cover earlier on, when we were talking about the collection of the data. And that is one of the most common ways that people use e-mail collection when they live the way they go about collecting it is to use the lead magnet or the quote “bribe.” The free report, or the free audio, or the free course, or something like that as a way of getting people onto their mailing list. The GDPR rules have changed that a little bit because you are supposed to be able to access that free report or whatever without having to consent to getting more marketing material or more stuff. So that sort of takes the wind out of sails of that particular approach to marketing for some people. So that’s the whole idea of having to have the tick box so if you, if I’m giving you my e-mail address so you can send me the free report, I don’t necessarily have to consent to you sending me anything else ever again. And sort of defeats the purpose in a lot of ways of that, of having a lead magnet offering it in the first place. So there are some you know ways to finesse it. One is you know sign up for my email list and I will also send you this bonus material. And now the tick box becomes can I send you the bonus material?

Benay: [00:53:15] Yeah, it’s going to really, is going to change the landscape a bit of have online marketing, lead magnets.

Gordon Firemark: [00:53:20] And I will say that that is my interpretation of things and it may not be a hundred percent in alignment with the way the EU policymakers wanted it to work. So you know you use it at your own risk but you do have to still be granular. I would say if you’re asking people to sign up for an email list, make it clear that’s what they’re signing up for, a newsletter or whatever it is, marketing materials. And the bonus can be the you know, Yeah, the lure. But you can’t deny the bonus somebody if they don’t give you the consent. That’s really the long and short of it.

Benay: [00:53:57] Well you know what. I mean that just kind of it. I like it. I mean I like the idea that people can opt out. They can say I really want your freebie but really Benay, I don’t have anything else to do with you or your company. And really I don’t want them taking up the space if they really don’t want anything to do with my company anyway. I’m a big believer in this thousand true fans thing and if you have a thousand you have a viable business. So I think it’s fine.

Gordon Firemark: [00:54:21] And the answer to that is if you make good enough content that they really like can you build that trust with them at that level. And you know there’s no saying that you can’t put an advertisement in the last page of your report saying hey for more of this kind of great information come over here and sign up. Now you know, you can get that consent later. But you don’t have to you know… Date before you get married.

Benay: [00:54:45] But I think that could be cool. It could be cool, it could make everybody just sort of raise their level a bit more and really think more about the value and the quality that they’re putting out there which we’ll see, it’ll be interesting to see what impact this has on them on the online marketing and world basically. I’m going to watch with interest. Okay. So I suppose your kind of already said that. I’d like to recap it and then if you want to rephrase, but I’d love to end on, you know, like you had one parting piece of advice and you kind of said it earlier that you said don’t panic and give. And do you give the GDPR the attention it deserves.

Gordon Firemark: [00:55:29] Yes.

Benay: [00:55:30] Would you like to rephrase that or add anything to it?

Gordon Firemark: [00:55:34] No I think you nailed it.

Benay: [00:55:36] Well you know I’m just repeating your word so, you nailed it. OK excellent. Gordon thank you so much for your time today. And I know that you know probably some of the listeners here are like, oh my gosh I have more questions. I want to know more. If people do want to know more and get in touch with you what’s the best way to do that?

Gordon Firemark: [00:55:55] Well I have my own GDPR resource, it’s a free 30 minute or so lesson where I talk about this stuff in a little more detail than we’ve gotten into here and you can access that and any other information about me at And it is a free resource that one. It’s actually part of a larger course that I’m in the midst of creating called The Digital Entrepreneurs Legal and Business Toolkit.

Benay: [00:56:26] Awesome I love that.

Gordon Firemark: [00:56:28] Where I’m really teaching a lot of information about you know, making contracts and making and how to use intellectual property properly. Protect your own. All that kind of stuff and everything and the kitchen sink. Isn’t that when it’s a big big project. But I decided to create the GDPR one quickly because it was urgent. So here we are.

Benay: [00:56:50] So when people go to is it really obvious how to get to that GDPR freebie?

Gordon Firemark: [00:56:56] It’s right on the very top of the page. It’s currently in the hero position on the website so … And just generally if you want to reach out to me in my legal practice that has that is at

Benay: [00:57:09] Excellent. I’ll put all of those links into the show notes so that you guys can grab them with ease. All right. Well Gordon thank you so much for your time today. I really appreciate you sharing your knowledge with me and my listeners of online coach entrepreneurs.

Gordon Firemark: [00:57:26] Well thank you it’s been a real pleasure Benay.

Benay: [00:57:28] And Thank you listeners again for listening to another episode of Coach Pep Talk. Be sure and go like the show on iTunes, that sends us a good karma and extra traffic which we love. Have a great day everyone. And happy coaching.


  1. Latonia Carson

    I have purchased forms from Universal Coaching Systems. Have you updated your forms to comply with GDPR that I can upload, or do I need to update or modify your forms myself? Thanks

    • Benay

      It’s in the pipeline Latonia but has not been done yet.


