The new General Data Protection Regulations (GDPR) come into force starting 25th May 2018. The regulations are designed to be an update to the Data Protection Act laws from 1998, which – as you can imagine – are waaaaay out of date.
So are bloggers affected by GDPR? Yes indeed.
Whilst GDPR covers the EU area (any bloggers in Europe are affected), if you are a blogger in say the US or Australia, and you hold personal data on someone in Europe, then you are also affected.
Put simply, any organisation or individual entity that collects personal data, such as email addresses, falls under GDPR. That means pretty much every blogger and business operating online will be affected.
BIG DISCLAIMER before I go any further. I am not a legal or privacy expert. I work in digital marketing. Everything written below is my interpretation of GDPR from a blogger’s point of view. As such, please get someone with a legal background to double check how you are affected, and the steps you need to take to become compliant. Thanks! Read on…
Whilst this is by no means a foolproof guide to becoming GDPR compliant, it should give you enough insight into what you need to change in terms of processes and compliance moving forwards.
From the end of May onwards, the consumer (or ‘data subject’) has more power and control than ever before. So the more transparent you make your reasons for collecting and processing data (such as email addresses), and the more control you give users over that data, the safer you’ll be.
But will bloggers really be penalised for lack of compliance under GDPR? Surely the ICO should be going after the big businesses that process lots of data?
Very true and a good point. The honest answer is I have no idea.
And I’m not sure any GDPR experts have a clue either.
Let’s start with decoding some of the overly complicated terminology used by the Information Commissioner’s Office (ICO). This is the UK’s independent authority set up to uphold data privacy for individuals. The more you understand about the key wordings and rights set by the ICO, the easier it will be for you to comply.
The ICO talks about data controllers and data processors. A data controller determines the purposes and means of processing personal data. A data processor is responsible for processing personal data on behalf of a controller. And the two are intrinsically linked.
For example, let’s take my friend’s blog, Vicky Flip Flop. Vicky kindly agreed to let me use her blog as an example – thanks Vic! So in her case, she is a data controller. She uses Google Analytics, Adsense and Mailchimp, which are her data processors.
HOW ARE BLOGGERS AFFECTED BY GDPR?
The new privacy regulations talk about ‘personal data’. This means any online personal identifier: name, address, phone number, email address, National Insurance Number, IP address and other IDs.
As such, the areas where GDPR affects bloggers are as follows:
- Email subscriptions and newsletters
- Blog comments (WordPress)
- If you use any sort of tracking, such as Google Analytics
- Contact forms
- Plugins that might collect personal data
- Competitions and giveaways
NOTE – not adding a checkbox means that users are giving you their personal data without consent, which means that technically, you would be in breach of the GDPR laws.
If that wasn’t enough, you also need a record of how someone opted in, and when they opted in. For those that use WordPress or Blogger, you receive a time stamp from contact forms and comments, which is perfect.
The other option is to somehow switch off WordPress from collecting the personal data in the first place…no data means no consent required. Although I’m not sure how to achieve this.
GDPR & BLOGGER EMAIL DATABASES
For email subscriptions and databases, there is good and bad news. The good news is that if you have email subscription forms on your site, all you need to do is add an opt-in mechanism, such as a checkbox. This shows the user has given you consent to add them to the database.
Getting users to simply hit subscribe will no longer be GDPR compliant. I would say most bloggers have a simple form, such as the ones below, taken from Vicky’s blog, and Monica’s blog (TheTravelHack.com):
I asked the ICO whether these would be compliant under GDPR. “Take my friend’s blog, and note the ‘subscribe to the newsletter’ link towards the bottom of the page. In this case, this wouldn’t be GDPR compliant moving forwards, right?”
This was their reply:
“Yes, everything needs to be very transparent”
The bad news is that GDPR doesn’t just affect personal data collected moving forwards…it also affects how you’ve requested and collected email addresses previously.
As per my comment above, if you can’t prove a user opted in / consented to subscribing, AND when they opted in since you started collecting personal data, then you may need to remove them from your database.
The option here is to send an email out to your subscribers, explaining that you’re updating your database, and ask them to re-subscribe (essentially getting them to opt-in this time around). Those that re-subscribe using the new opt-in method can remain in the database.
Here was my question for the ICO, and what they said in reply. “GDPR applies to everyone that has signed up to their newsletters, prior to the 25th May, correct? In which case will they (bloggers) have to remove those people from their database and delete whatever data they have if they cannot prove those users explicitly opted in, and on what day? Or if they cannot get them to re-validate their subscription?”
“Their consent will need to be GDPR compliant, they may need to refresh the consent or have another legal basis for processing the data. If the subscribers don’t refresh their consent, their data shouldn’t be kept any longer than is necessary.”
A vague response, but you get the idea.
The other saving grace (potentially) is that consent isn’t the only legal basis you have for collecting and storing email addresses. The most flexible and loose terminology is around ‘legitimate interests’. The ICO says digital and direct marketing may be a legitimate interest (helpful).
The ICO also says that: “…as long as the marketing is carried out in compliance with e-privacy laws and other legal and industry standards, in most cases it is likely that direct marketing is a legitimate interest”.
To add a further twist, it seems that if you are a full time blogger, and rely on your subscriber database, it may be the case you don’t need consent for previous sign ups, as the processing is minimal and provides a ‘clear benefit’ to you, AND ‘there’s a limited privacy impact on the individual’, which is true.
See how vague and complicated this all is?!
I know what you’re thinking. If you have hundreds or thousands of email subscribers, you’re probably going to lose a lot, if you don’t want to risk reliance on ‘legitimate interests’. But you’re not alone – think of the huge companies operating in Europe that have thousands of email subscribers. If they can’t prove opt-in type and time, they are also going to have to remove a large chunk of their subscriber base, if they want to comply.
For those using Mailchimp, they are ahead of the game, and have published information about how they comply, and how they can help you comply – https://blog.mailchimp.com/gdpr-tools-from-mailchimp/.
COMPETITIONS & GIVEAWAYS
For most bloggers, you will have run a competition or giveaway in the past. For people to enter, they may have to tweet, send you an image, select an answer to a question…or various other ways. If you’ve used Rafflecopter or Gleam, the chances are that you have collected a lot of personal data on everyone that entered. That means GDPR comes into play.
If you don’t have the consent (which is likely), then you will need to delete the data. Now, you might have passed names and email addresses to the brand you were running the competition or giveaway with. You guessed it – they also need to delete that data.
The only option for keeping the data is to get consent from those that entered, otherwise a) you have no lawful basis for using the data, and b) you’re keeping the data for much longer than required.
Gleam have written a post on how their systems will comply – and help you comply – with GDPR. Please review their post here – https://gleam.io/docs/updates#gdpr. Hopefully Rafflecopter will do the same in the next few weeks.
GDPR & THIRD PARTY COOKIES
Next up, and where it gets a little more complicated, is with Google Analytics and adverts.
In order to track users on your blog, the first time someone visits your site, Google Analytics will drop a few cookies to help them track users. Those cookies collect personal data in the form of identifiers.
As such, you need to make people aware of – and get them to opt-in to – cookies.
Not only that. You need to tell users what cookies you are using, what data they collect, what you use those cookies and that data for, and how people can delete their cookies, if they don’t want any data collected.
For those using Blogger, Google has already made changes to this effect, and you’ll notice a big pop up banner at the top of your site if you clear your cookies.
For those using WordPress, there are a number of simple, free plugins you can use to set this up. These are:
Well, you’re compliant anyway.
SUBJECT ACCESS REQUESTS
Under the new GDPR laws, any user can request to see the information a blogger or organisation holds on them (known as ‘Rights to Access’).
That means diving into WordPress or Blogger, looking back over comments and contact forms, checking your email marketing provider, and – most complicated of all – finding their session data within Google Analytics.
Thankfully Google has made several big changes over the last few weeks to help businesses and bloggers comply with GDPR, such as data retention. These can be viewed here for Google Analytics – https://support.google.com/analytics/answer/7667196.
They have created a way for you to delete data that is no longer processed, and created a way for you to find and delete data on a particular user. This allows you to manage the deletion of all data associated with an individual user (e.g. site visitor) from your Google Analytics. Check back here under ‘User Deletion API’ – https://developers.google.com/analytics/#apis-for-reporting-and-configuration.
Once you have all the information on the data subject, you then need to share it with them in a secure way. This could be a password protected zip file, for example.
DATA BREACHES AND GDPR
Last but not least is arguably the most important part of GDPR: data breaches.
If, for example, your Mailchimp account or WordPress account is hacked, there are certain steps you need to take to notify both your data subjects and the ICO, then do everything in your power to secure the data.
Interestingly, under GDPR, if there is a breach in, say, Facebook, Mailchimp or Google, and it had nothing to do with you, technically your data subjects’ data is at risk. So not only are those third party providers liable, so are you.
As such, if you process a lot of user data, it’s worth checking if you need some kind of insurance, and to what level. This is the main reason you’ll have seen new privacy policies flying around your inbox over the last month or so from various email and software providers.
REGISTRATION WITH THE ICO
I’ve read in a couple of other posts that bloggers need to register with the ICO. This will apply to some bloggers, and not to others. The ICO has a simple self assessment tool that you can use in order to work out whether you need to register – https://ico.org.uk/for-organisations/register/self-assessment/.
I’ve used the tool a couple of times, and have come up with the following summary:
- If you don’t decide how the personal data you collect is processed, then you don’t have to register. But, in the majority of blogger cases, you decide to use Google Analytics and Mailchimp, so you do decide how the data is processed
- If you process information for the use of advertising or marketing for others (for example, you put an affiliate ad or a discount code into your newsletter), then you have to register
Registration with the ICO costs £35. For more information, see the registration page here – https://ico.org.uk/for-organisations/register/.
Frustratingly, once you have registered, you are treated like a company, which means your private information is on public display in a data register. That means if you’re a blogger that works from home and you use your home address for registration, everyone can see it. Here’s Facebook’s entry for example – https://ico.org.uk/ESDWebPages/Entry/ZA265194
Given we’re trying to comply with all these new privacy laws, surely it is stupidly ironic and slightly dangerous to provide the ICO with details which are then put on public display?!
As such, my personal feeling and suggestion is that bloggers who think they need to register should contact the ICO directly and ask for advice before registering.
Hopefully this is one area that will become clearer over the next few weeks.
Judging by the response on Twitter, and through chatting to other bloggers, it seems as though quite a few bloggers know what GDPR is, and know when it is coming, but aren’t sure how they are affected. But the majority don’t know about GDPR, and don’t know how it affects them, which is incredibly worrying.
To add another layer of complication, cookies and email marketing also fall under the upcoming new ePrivacy Regulation (ePR), which will overlap with GDPR. This still requires consent, although I’m hoping any updates to this initiative will help bloggers, rather than hinder their progress.
Take time to make sure your blog is compliant, especially if you are a full time blogger. The penalties for non-compliance are financial, so the impact could be serious. Here are all the useful links again:
- ICO links (for all the main GDPR information and advice) – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Google Analytics (data retention) – https://support.google.com/analytics/answer/7667196
- Google Analytics (general privacy) – https://support.google.com/analytics/topic/2919631
- Google AdSense (blog post about how they are working with publishers to help compliance) – https://adwords.googleblog.com/2018/03/changes-to-our-ad-policies-to-comply-with-the-GDPR.html
- Facebook (general privacy) – https://developers.facebook.com/docs/privacy/
- Mailchimp (GDPR help) – https://blog.mailchimp.com/gdpr-tools-from-mailchimp/
As a summary, here are the steps bloggers need to take in order to be compliant with the GDPR laws coming into force:
- Create opt-in mechanisms for email subscribers and blog commenters
- Be able to evidence and date stamp opt-in permissions
- Reference which platforms you use to run adverts on your site, or through Facebook ad targeting, and again explain how and why personal data is collected and used
- Check whether you need to register with the ICO
- Create a process document for all the personal data that is collected, from which sources, who processes the data, and how you will comply with rights of access (and deletion if required) of that data (handy template from the ICO here)
To re-iterate again, I’m not a legal or data privacy expert, and can only give advice from my own personal learnings in digital marketing.
So why haven’t you made the changes to your blog, Simon? Well, aside from cookie banners (which are covered by Google as this blog is powered by Blogger), I don’t have an email subscriber database. I still need to cover blog comments and contact form requests though.
In addition, by the time you read this and by the time the 25th May comes around, you may well land on my new blog, which will be compliant….more to follow! Good luck with GDPR!