GDPR How I approached compliance in my consulting business

What is GDPR?

I’m sure by now you’re well aware of GDPR. In short, it’s a data protection regulation that protects the privacy of citizens in the EU. You can read more here.

The UK is expected to continue with the regulations post Brexit, so don’t think that’s an easy way out! Neither is ignorance of the legislation.

The impact – and the fear factor that many businesses have used to sell their GDPR compliance services – is that the fines can be very significant.

Also, the regulation is unclear, in many areas contradictory, and burdensome to be compliant. This means that, whilst there’s tons of information out there, much of it is contradictory.

In the end, all you can do is choose a position on it, apply it in your business, and wait for greater clarity in time.

The legislation is really targeted at the big firms, like Facebook, so it’s unlikely that a small consulting business will be impacted any time soon. But that doesn’t mean to say you can simply ignore it.

Whilst I can’t and won’t cover the whole of GDPR in this article, I’ll cover the elements that I’ve chosen to tackle, and how I’ve done that.

Before I do, of all the articles I’ve read – and there were a lot – here are two that I found the most valuable:

However, note that even in these two articles there are contradictions.

How I’ve Approached Achieving Compliance

Like most all of the articles on this topic, I should warn you that I am not a trained lawyer and this is not legal advice. It is merely my approach. Only time will tell if it’s right or wrong.

If it’s wrong, I do not fear getting fined millions.

Why? Because that’s now how it works.

In my consulting engagements in the past I’ve helped a number of mid-sized organisations to achieve PCI DSS compliance through outsourcing. PCI DSS (Payment Card Industry Data Security Standards) is the compliance required to handle personal data when taking payments via credit and debit cards.

The way that the legislators work is to encourage compliance because it’s generally beneficial to all. They want to help organisations comply. Fines are reserved for those organisations that make little or no attempt to achieve compliance, and who ignore all correspondence with the regulator.

That’s very unlikely to be you or I.

Lead Magnets and Disadvantaging Non-Subscribers

One of the biggest challenges regarding GDPR for consulting businesses is in respect to content marketing and the use of Lead Magnets.

The traditional approach is to offer a Lead Magnet – that is a free Guide, or Checklist, or some other give away that’s relatively low cost. In exchange for the ‘free’ gift you receive both an email address and the assumed right to stay in contact via email. It was always thought that by providing an unsubscribe ability, anyone who didn’t want to stay in touch could simply unsubscribe.

However, GDPR states that a user (we’ll use that term as we’re referring to our website and ads) cannot be disadvantaged by not subscribing.

In layman’s terms, that means you can’t force someone to give you their email address when giving away free content.

This is a bit harsh, especially as much of this traffic comes from paid sources, such as Facebook advertising. As a business I invest tens of thousands in Facebook advertising each year and now, thanks to GDPR, I can’t even be assured of an email address in return!

Many businesses have responded to this by adding an explicit check box to ‘subscribe’ the user. And GDPR states that a checkbox cannot be ‘ticked’ by default, as might have been the approach taken previously.

GDPR also demands that things are made much clearer. This is why you now see much greater focus on the Terms of Service, Privacy and Cookie policies. Some businesses have even chosen to provide 2 checkboxes – one for the Privacy Policy, and the other for Terms of Service.

If you’ve ever read someone’s Cookie and/or Privacy Policy then you are a very rare human being indeed!

Still, most every company serving customers in Europe (remember, GDPR applies to any business in any country that holds the data of EU individuals) have updated their policies.

Of course, you could simply pay a lawyer to draft you a policy, or you could find a generic one online, purchase it and tailor it accordingly. Or you could simply find a similar business who’s policy you can largely copy.

What you must do, though, is read it!

I’ve read so many policies that have lines in that state, “INSERT COMPANY NAME HERE”.

This is clear evidence that many haven’t even read their own policies, and it doesn’t say much about what they really think of the data that they hold!

I chose to create the policies for my business by looking at similar businesses and choosing the bits that I thought were relevant, and making tweaks. It took a while and a few false starts, but I have a policy that I believe is readable, makes sense, and complies with GDPR.

So What About Those Pesky Checkboxes?

You certainly won’t find a single view on this. I rather like the interpretation of Shane Melaugh of Thrive (the second article link provided above).

My interpretation is that you need to have a check box if you are essentially offering one thing, say a Free Guide, but also intending to add someone to your email list as part of the process. That’s essentially the traditional way a lead magnet works. In this instance, you must inform the user and provide them the choice to subscribe.

One thing you can’t do, as stated above, is disadvantage the user. That means you can’t force them to tick the box to subscribe, and neither can you pre-tick the checkbox.

This means you must be able to give people something for nothing in return.

Doesn’t sound like capitalism to me! Anyhow, in the screen shot below I show how I’ve approached this on my website:


This screen shot is a form that exists on each page within my Resource section where you can download free resources. It is created in my WordPress site using the Thrive Leads plugin. There’s a specific form for each resource, although they all look identical.

Why do I believe it is compliant?

I believe it is compliant for the following reasons:

  1. I encourage the user to read our Privacy Policy and our Terms of Service and provide links to them
  2. I make it clear to do this before ‘signing-up’. This makes it cleat that you are subscribing to a list
  3. There is a tick box that enables subscription, and it details in the text what you are subscribing to
  4. The checkbox is not pre-ticked
  5. You can download the free resource without subscribing. This is done by simply not ticking the box

Behind the scenes

To make this work was quite simply a nightmare to figure out!

The biggest challenge was that GDPR forced me to have two routes – one for subscribers, and one for non-subscribers. This could only be achieved using multiple technologies as my email marketing provider – ActiveCampaign – does not provide the ability to send a download email without capturing download details.

I could utilise Double Opt-In to get around this, but I don’t think that’s the most compliant way to do it (more about Double Opt-In later).

In short, I achieved the objective of enabling the download for subscribers and non-subscribers as follows:

  • I use the paid-for Thrive Leads WordPress plugin to create the form
  • I utilise Thrive Asset Delivery (a feature of Thrive Leads) to send an email with a download link. It is not possible to differentiate between subscribers and non-subscribers, so anyone that clicks the download button will get the file sent via Thrive Asset Delivery (TAD)
  • TAD can’t send the email itself, it merely connects to an email service provider. As I said, this isn’t possible through ActiveCampaign, so I also had to sign-up to MailGun which enables me to send emails without capturing the email address as a subscriber
  • For those people that do subscribe, they enter the normal ActiveCampaign new subscriber automation. I had to modify this to temporarily add an ActiveCampaign Tag via the Thrive Leads form, and have the automation end early for contacts with that tag. This is to prevent the subscriber getting two emails for the same download – one from MailGun and one from ActiveCampaign. I also had to ensure the automation immediately removed the Tag so as not to prevent any later downloads the subscriber might choose via Landing Pages. This definitely burnt some brain cells figuring it out!

Other Calls To Action (CTA)

In addition to Resources page on my website, I also have CTA’s in the following places:

  1. Entry pop-ups when landing on the homepage. This is called a ‘Scroll Mat’ in Thrive Leads and it offers visitors the chance to download my Consulting Business Blueprint whilst also subscribing to my mailing list
  2. Exit Pop-Ups when leaving certain sections of the website
  3. A widget that displays in the right-hand column on the blog

Entry pop-up

Here’s what my entry pop-up looks like:


It should be getting familiar to you buy now, but you can see the following:

  1. Links to the Privacy policy and the Terms of Service
  2. A checkbox to subscribe – when left blank the user will still get the resource, but will not be subscribed to the mailing list
  3. A description of what they are subscribing to

Exit pop-up

Here’s what an exit pop-up looks like:


As you can see, the same things appear: A checkbox for subscription; a description of what they’re signing up to; links to the Privacy policy and Terms of Services and encouraging them to be viewed; and finally the ability to download without being subscribed.


And finally, I have the widget which looks like so:

It goes without saying what I’ve implemented here to ensure compliance.

What About Advertised Lead Magnets?

The above changes covered downloads from my website, and meeting those various GDPR needs as described above.

The next challenge was to work out what to do about users that arrive at my website via Facebook ads. This is an audience I pay for. It’s likely the reason you’re subscribed to my Journal newsletter if you are.

I didn’t want to apply the same approach here as it risked too few people subscribing.

So, for users that come via a Landing Page (typically paid-for traffic) I implemented a form like that shown below:

Let’s explore what I’ve done this time around:

  1. I’ve changed the language of the pop-up box to be clear that the user is subscribing
  2. I’ve provided details about what the user is subscribing to – they will also be able to unsubscribe in any message received
  3. I have provided links to the Terms of Service and Privacy policy and I urge people to read them
  4. For those that don’t want to subscribe, there is an alternative route. This is in the small print at the very bottom. It’s small because I paid for this traffic and I’m providing a highly valuable resource. I really don’t want to give it away for nothing, but if someone wants something for nothing then they can go to trouble of finding out how to do it. By clicking on that link, it takes them to the Resources page of my website where they will be presented with the form that I described above. That form requires the checkbox to be ticked in order to be subscribed, but enables the download email to be sent without subscription. It also serves as a suggestion to the user to again subscribe should they change their mind.

What About Joining Your Mailing List

The above two examples cover downloading resources from my website. The next area to consider is where I directly encourage people to subscribe to my mailing list.

As I understand it, GDPR does not say you have to have a checkbox, it’s just that you can’t pre-check it or make it mandatory in return for a free resource thereby disadvantaging the user. When it comes to people choosing to subscribe, their intent is different. The user knows full well that they are subscribing.

I have changed the subscription forms on my website as follows:

Why do I believe this is compliant?

  1. It’s a subscription form, plain and simple. The intent is clear from the outset
  2. The paragraph of text makes it clear to the subscriber what they’re signing up to
  3. I’ve provided links to the Privacy Policy and Terms of Service and encourage subscribers to read it first

Proving When a Subscriber Gave Permission

A requirement fo GDPR is that you must be able to show when a subscriber gave permission. It seems that there is no easy way to do this, and few of the email marketing tools seem prepared.

The way I have achieved it is to set ActiveCampaign to send me an email each time someone subscribes. For ease, I’ve created a separate email address for these emails. They are simply stored and can be recalled if required. This is a very inelegant way in which to do this, but will suffice until the email marketing software providers come up with better solutions.

Another element to proving consent is what is often referred to as Double Opt-In. That’s where the subscriber has to confirm their subscription by responding to an email. When they initially subscribe they are sent an email with a link to confirm their subscription. If they do not click this link, your email marketing software (in my case ActiveCampaign) will exclude their email address from any campaigns sent.

Now I add caution here.

Double Opt-In will reduce the amount of subscriptions that you get. Conversely, it will mean that those who do subscribe will likely be more engaged. And if you have a big email list, then you want it to be optimised as you’ll pay for having the bigger list. Therefore, Double Opt-In is a good thing with one exception – Facebook Advertising.

If you are using Facebook advertising, you need to get an audience of 100 from a single country before you should create a ‘Lookalike’ audience. Any time that you’re creating these initial 100 subscribers, turn double opt-in off to maximise the number of subscribers in the shortest possible timeframe.

Cookie Policy Compliance

Cookie policies have been around for a long time, but they’ve mostly been ignored. GDPR brings renewed focus on them. To achieve compliance, in addition to rewriting my cookie policy, I implemented was a WordPress plugin called Cookiebot.

I tried a number of different plugins, and this one worked the best for my needs. It’s far from perfect, but it does have some cool features the best of which is the ability for the user to easily withdraw consent. This can be done from the Privacy and Cookie Policy page of my website.


I’ve only touched on certain aspects of GDPR and how I’ve approached ensuring compliance. Remember, I’m not a lawyer and this post does not constitute legal advice. My approach hasn’t been tested so should only be seen for what it is – one small Consulting business’s attempt to be compliant.

As a reminder, the actions I took to ensure compliance include:

  • Updating Privacy policy
  • Updating Cookie policy
  • Updating Terms of Service policy
  • Providing links to the above policies on the footer of my website
  • Providing links to the above policies in all areas – landing pages, forms, pop-ups, in articles, etc. – where I capture someone’s email address
  • Implemented Cookie plugin in WordPress
  • Implemented a secondary email delivery capability to provide Resource download emails for non-subscribers

I thought this was going to be a simple task.

It turned out to be a monster! How much of a monster? Just look at the diagram below. It shows the flow of traffic to my website and how I have to route based on whether the user wants to subscribe or not. I’m sure there’s easier ways to achieve this, but this was the best I could do for now.

It’s been a tough journey that has required me to learn how to use a bunch of tools, and to understand my email marketing platform in deep detail. All-told, it’s probably set me back by a month this year.

But now it is done. Hopefully as more clarity becomes available over time, any changes I need to make will be relatively minor in comparison.

If you’ve not yet ensured your business is compliant, then I recommend you put some time aside and get it done! Hopefully the information in this article is of value. At the very least, it explains how I believe I made my business compliant. Your first port of call, however, should be to look at the links provided at the beginning of this article.

error: Alert: Content is protected !!