GDPR for bloggers – does it apply to you and how to comply

GDPR for bloggers – does it apply to you and how to comply

Disclaimer: This post is not legal advice. For full information and guidance please see the GDPR site and seek professional legal advise. This is my interpretation of what I have read so far but I am not an expert or a lawyer and as such I can not be held liable for any advice taken from this article. 

A bit of a diversion from my normal content today – today’s post is just for bloggers. If you aren’t a blogger you might want to skip this one. If you are, then today’s post is all about GDPR for bloggers. In my ‘proper job’ I’m part of the team responsible for ensuring our organisation complies with GDPR so I’ve a little understanding about it. Most organisations are very much finding their feet with this – even the multi-million pound ones. No one really knows how it’s all going to work once it goes live but based on what I’ve learned at work and what I’ve read online, this is how I think GDPR will be for bloggers.

What is GDPR and why is it important?

GDPR is the General Data Protection Regulations that come into force 25 May 2018. This is a big update to the Data Protection Act 1998.

Anyone processing personal information must register with the Information Commissioners Office and comply by law.

If you are found to have breached GDPR then the fines are EPIC. We are talking fines of an upper limit of €20 million or 4% of annual global turnover – whichever is higher! Fines are also stackable per offence.

Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.

Does GDPR apply to me?

It applies to you if you process personal information AND are processing it as part of an enterprise. Article 4(18) defines enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’. So basically, it seems that if you aren’t making any money through your blog you are ok. If you are making any money, then you need to read on…

Processing means: obtaining it, recording it, storing it, updating it or sharing it.

Personal information means any detail about a living individual that can be used on its own or with other data to identify them. For bloggers, this is likely to be named email addresses (brands, PRs and email list subscribers), prize winner addresses and IP addresses.

This site advises that, ‘a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user. Some usual ways in which a standard WordPress site might collect user data:

  • user registrations,
  • comments,
  • contact form entries,
  • analytics and traffic log solutions,
  • any other logging tools and plugins,
  • security tools and plugins.

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.’

If you are in any doubt about whether it all applies to you, then ICO has a self assessment tool that you can take to see if you need to register with them.

GDPR for bloggers - does it apply to you and how to comply...

Registering with ICO

You must register with Information Commissioners Office (ICO)

Registering with ICO costs £35 a year and should take 15 minutes.

An issue with registering as a blogger is that you will be added to a public register (by law) and your address will be publicly visible. I think that this puts bloggers at risk. I spoke to ICO about it and they said ways around it are to use:

  1. Your accountants address if you have one
  2. A PO box address
  3. A managed office address

For many bloggers who aren’t earning much yet these options may not be affordable or practical, putting them in a position of choosing to put themselves and their families at risk or complying with the law. I find it ironic that a law meant to keep people’s data safe and improving consents procedure is forcing bloggers to put personal information online in this way through coercion. Family bloggers will be worried about people finding their children, travel bloggers will be risking their homes when on press trips. I really hope that ICO re-think this policy. I don’t know why they can’t take addresses but keep that part private. In an instance of a data request, surely an email address will suffice? If you too have an issue with this I would encourage you to also complain to ICO. If anyone finds a decent way around it, do let me know.

Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Lawful basis

You will be in breach of GDPR if you don’t have a lawful basis in place by 25 May 2018.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. The lawful bases that are most likely to apply to bloggers are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

According to this law firm, ‘ICO acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.’  Recital 47 of the GDPR actually says that:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” If you use legitimate interests you need to have a Legitimate Interest Assessment (LIA) saved.

PECR/e-Privacy Regulation

However, there is another law that comes into play here for bloggers – Privacy and electronic communications Act (PECR). PECR:

  • Covers marketing via email and cookies
  • Not just personal information!
  • Fines up to £500k and £1000 if you don’t tell ICO about a breach
  • Covers unsolicited marketing ‘not specifically requested’ even if someone has opted onto email list
  • ‘Consent must be given freely, specified and informed. It must involve some form of positive action (eg ticking box or clicking link) and the person must understand that they are giving consent’.

So in my humble opinion, you may as well use consent as lawful basis for GDPR and cover both bases at the same time. It’s also worth bearing in mind that the next piece of legislation in line for an overhaul is the European directive that forms the basis of the PECR and this will be called the e-Privacy Regulation (e-PR).  This was due to come into practice on the same date as GDPR but is running late. It may be that e-privacy has more of an impact on bloggers than GDPR.

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully. The individual’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing.  This means you need to include these details in your privacy notice.

You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, you cannot simply swap to a different one. Even if a different basis could have applied from the start.

You have a one-time opportunity to get these in place now and update processing information you already have. Inform people upfront about your lawful basis for processing their personal data. You need therefore to communicate this information to individuals by 25 May 2018, and ensure that you include it in all future privacy notices.

It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose. You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. I’m going to add a column to my email contact spreadsheets with this information.

GDPR for bloggers - does it apply to you and how to comply...

Consent

Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation. Explicit consent requires a very clear and specific statement of consent. Keep evidence of consent – who, when, how, and what you told people. You will need this if you are investigated from a complaint. Avoid making consent to processing a precondition of a service (for example, opt-in freebies to get email addresses for mailing lists will not comply with GDPR).

You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

Europe also has a separate law – the Privacy and Electronic Communications Directive (or e-Privacy Directive), these rules require opt-in consent for e-mail marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time.

How should you obtain, record and manage consent?

Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

  • the name of your organisation;
  • the name of any third party controllers who will rely on the consent;
  • why you want the data;
  • what you will do with it; and
  • that individuals can withdraw consent at any time.

Privacy notice

Under the transparency provisions of the GDPR, the information you need to give people includes:

  • your intended purposes for processing the personal data; and
  • the lawful basis for the processing.

This applies whether you collect the personal data directly from the individual or you collect their data from another source.

Some of the other things you need may need to include in your privacy notice includes (not limited to):

  • Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
  • Purpose of the processing and the lawful basis for the processing
  • The legitimate interests of the controller or third party, where applicable
  • Categories of personal data
  • Any recipient or categories of recipients of the personal data
  • Retention period or criteria used to determine the retention period
  • The existence of each of data subject’s rights
  • The right to withdraw consent at any time, where relevant
  • The right to lodge a complaint with a supervisory authority
  • The source the personal data originates from and whether it came from publicly accessible sources
  • The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

Security

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. Bloggers really need to start thinking more carefully about how they keep people’s personal data secure. If you have a security breach like a hack then you are liable under GDPR.

GDPR for bloggers - does it apply to you and how to comply...

Does it apply to brand to brand marketing?

The key here is the definition of personal data under the GDPR.  If a business email address is personal data it will fall under the scope of the Regulation.  Article 4.1 of the GDPR states:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

I’m taking this to mean that named brand emails will be personal data eg jane.doe@brand.com but say help@disney.com wouldn’t be.

It will remain a choice between using consent or legitimate interests for sending electronic B2B communications. For more information on this I found this article helpful.

What bloggers need to stop doing:

  • Auto opt ins
  • Opt in freebies to get email addresses for one purpose then use them for another. If you gained email addresses this way you should go out to gain consent or you may be in breach of GDPR
  • Share data with anyone else who wasn’t named at the point where data was provided, for example, a brand who asks for the email addresses of giveaway entrants
  • Stop collecting data where not necessary, for example, contact form/comments
  • Sharing named brand PR contacts without permission

Things bloggers need to start doing:

  • Displaying a privacy notice anytime they collect data
  • Have a data processing and security policy
  • Be able to evidence permissions
  • Have robust security anywhere data is processed

Summary suggested approach to ensuring compliance with GDPR

  1. Register with ICO
  2. Review all processing activities – what do you do that obtains or uses information that can identify individuals? For example, receiving emails, email database, running giveaways etc.
  3. Choose a lawful basis for each processing activity e.g. legitimate interest or consent. Create a document, save and date it.
  4. ICO have just launched this really helpful guidance template spreadsheet that you can complete. It includes helpful examples. It looks daunting at first but it isn’t as bad as it seems initially. I will be using it to ensure I comply with GDPR and will update it annual. I recommend you do the same.
  5. Bring your processing in line – clearly document lawful basis, inform people upfront about your lawful basis for processing their personal information. Go out to your emailing list to get consent if necessary (for example if you have a bunch of email addresses gained from one purpose and then used for another from auto opt ins or opt in freebies). I’ve heard of big companies scrapping their entire email database to ensure compliance. You might notice that you start getting emails from companies being proactive and asking you to opt-in.
  6. Develop a privacy notice (and implement it each time personal data is processed).
  7. Develop a security policy and make sure you are keeping data as securely as possible. I’m personally going to go through my emails and delete ones with personal data I no longer require, eg prize winner addresses so that I’m reducing risks there. Do you have the best encryptions and passwords? Have you made the change to https? Are you keeping plug-ins up to date to reduce hacks, deleting plugins you don’t use etc. Are you using security software? 

Next steps

If you are anything like me then now you are panicking and thinking this is a minefield! It’s got me wanting to get rid of all the personal data I use so I don’t have to do it but I’m sure we will all figure it out as it goes along. I guess it’s now a question of going away, doing your research and deciding on your plan for ensuring compliance.

All in all, GDPR is good for us all and I believe it’s a necessary step in our increasingly online world. After all, the online world is pretty far removed from 1998 now isn’t it? I see this being like disclosure – you can either see it as a pain or a way to have a better relationship with those who interact with your business giving them more transparency and clarity. Once I’ve developed my privacy notice I will share that with you as well so you can copy and adapt.

Good luck!!

GDPR for bloggers - does it apply to you and how to comply

Follow:

Never Miss a Post

Click here to subscribe to our mailing list

105 Comments

  1. February 1, 2018 / 14:13

    This was really informative I didn’t know about this at all so thanks for sharing. I think that it’s really important to remain compliant with these laws for data handling! Cheers Nyomi

  2. February 1, 2018 / 14:26

    Great concise post, it really is a minefield for everyone.

    • February 1, 2018 / 14:26

      It really is. It got me down writing it – I was thinking about jacking it in to save myself the headache!

  3. February 1, 2018 / 15:12

    Thank you for sharing. This is very informative and definitely something bloggers need to think about x

  4. emmaology
    February 1, 2018 / 19:24

    My head is battered! I need to reread this when I’m a bit more alert! Thanks for putting together all this info, I had no idea about any of it…

    • February 1, 2018 / 19:25

      Thanks – you’re welcome, it’s a lot isn’t it

  5. February 1, 2018 / 19:58

    so this means when people comment on our blog like I am on yours and it is collecting my name/email and blog that I need to be registered for that?
    I suppose this will cover rafflecopter/gleam competitions as well then.
    Guess this will see a lot of us hobby bloggers disappear, I probably will if commenting is covered.

    • February 1, 2018 / 20:00

      I’m actually not sure about the comments on blogs actually. Potentially! I know some people say it does but I’m not 100%. You could turn them off?

      • May 14, 2018 / 11:51

        If you collect or require email addresses in order for someone to comment, then it would cover email addresses as well. And for anyone using any sort of analytics or visitor counters that collect personal information, that’s also an issue that would fall under the GDPR.

        Where you say the GDPR is good for all of us? … I rather tend to disagree.

        It’s not good for anyone outside the EU or EEA boundaries.

        I don’t mind privacy requirements (easily complied with the original “cookie consent”), but they have gone too far … and in the end may find they’ve gone so far that people living in those countries could lose access to a lot of services or information that is outside of those EU boundaries because people (individuals) are unable to comply.

        Many bloggers are just planning on blocking those from the countries involved from visiting their sites. Lots of blogging platforms haven’t provided bloggers the ability to use any sort of controls, leaving them hanging in the wind. If you can’t implement the requirements because of site functionality, your only other choice is to quit.

        Personally, I don’t see why some other country can or should be able to tell me whether I can blog or not, and whether or not I can make a few dollars by using ads or affiliate links. Even the option to turn off personalized advertising that’s been provided by AdSense is not sufficient to comply with the GDPR requirements. It’s just a starting point.

        It’s a huge mess still, and the GDPR guidelines are open to different interpretations, so most likely until it’s operational and complaints roll in, there may be no one who has made a fully correct interpretation 🙁

        Pretty frustrating overall.

        • May 18, 2018 / 12:13

          It makes one wonder what the real agenda is. If it’s truly about protecting the consumer, the law would be easy for bloggers to comply. Clearly it isn’t. Obviously it’s already a revenue stream if bloggers must register and pay. I agree that it’s a huge mess, and it’s frustrating bloggers worldwide.

          BTW I think I read your comment on the Blogger Forum, and I quoted you on my blog. I’m thinking about making my blog private because it isn’t monetized. I wonder if that would cover consent, but then again readers would be required to enter their emails each time they access my blog. This is giving me the biggest headache!

  6. February 1, 2018 / 21:07

    Hmm, so actually I think I might stop blogging then, and switch my blog to private. Because £35 is actually a lot each year, and the hassle, all because of a few comments on blog posts? Nah man. This is massive. I don’t have an email list of subscribers, and I’m fairly good at clearing out my inbox so I don’t hold information on prize draw winners.
    Game changer.

    • February 2, 2018 / 12:36

      A lot of people have said this. I felt like it too. People are focussing on the comments but I see comments as the least of the problem. Brand emails fall under this, as do google analytics etc. See how it develops though, I don’t think it will be as bad as we think.

    • April 6, 2018 / 16:35

      Most bloggers will not have to register and pay, but they still need to be compliant. There are only certain types of groups that do need to pay, and once you complete the questionnaire, you will see it does not relate to the vast majority of bloggers.

  7. Isabel
    February 1, 2018 / 21:12

    Thank you for this – so valuable!

  8. February 1, 2018 / 21:24

    Awesome post. Christ how long did it take to write because it took ages to read! 😀 Thank you so much for going to the bother – it’s greatly appreciated 🙂

  9. February 1, 2018 / 22:59

    Thanks so much for putting all this in blogging terms, it’s a massive help!

    I do think though that it will sound the death knell for many small-time and hobby bloggers – it all seems a little overboard for those who don’t have email subscription lists, for example. Plus £35 is a big expense if you only blog as a hobby… Not convinced about ICO displaying our personal information either (I agree, doesn’t that negate the whole point of data protection and privacy?!)

    • February 2, 2018 / 12:34

      I totally agree Lorna, I’m hoping ICO realises and makes it more practical.

  10. February 2, 2018 / 04:38

    Thank you so much for this article. I have no idea! I must register now!

  11. February 2, 2018 / 07:38

    This is super helpful Nyomi, well done for pulling it all together in such a concise way!! I know these changes are all being made for the right reasons but it certainly does turn blogging, something that should be fun, in to something rather stressful!!

    • February 2, 2018 / 12:33

      Thanks Rachel. I totally know what you mean. I’m sure companies will be bringing out plug ins and products that make it easier for us. I know WordPress and jet pack are actively working on stuff at the mo.

  12. February 2, 2018 / 08:38

    This is super helpful! My first thought though is to just jack in blogging. I make no money and don’t want to fork out for the ICO and have my address made public all for the sake of some comments. The protection of my family come first.

    • February 2, 2018 / 12:32

      Thank you. I felt like that too to be honest but give it a little while, I doubt it will be as bad as we fear it could be.

  13. February 2, 2018 / 12:22

    Thanks for this. Really clear (as much as it can be). I gripe about the ICO public address – but there’s nowhere on their website when live chat is unavailable to actually complain about that.

    My concern is comments – there’s a plugin which is meant to put a check box for people to confirm they’re fine leaving their details before commenting. But it doesn’t work on my blog. But then to have to do that 12 monthly? It’s insane.

    Competitions I’m pretty clear on – I’m hoping rafflecopter will do something to encrypt things – and I’ve already gone through and deleted confirmed giveaways once prize winners have their prizes. And my newsletter is fine because I’ve always had double opt in and point out the unsubscribe button everytime I send a newsletter.

    I’m confused about freebie opt ins though. As long as people know they’re signing up to a fortnightly newsletter, there’s the option to unsubscribe after they’ve downloaded the freebie, and the freebie is almost a reward, I don’t see how that’s falsely gaining email addresses for another purpose?

    I guess I’ll need to pay the money before the price goes up, and I need to get changing wording on my blogs at point of comments (might turn them off on my dance blog because noone ever comments, they all comment on FB).and writing documentation for everything. It’s a lot of work and expense for something that if everyone knows in advance what they’re adding their name and email to, it shouldn’t be an issue for people who don’t send emails on to others.

    • February 2, 2018 / 12:30

      I think for the opt in freebies it depends on the wording used. So if you’ve said ‘sign up to my mailing list to get X’ then that’s fine BUT if you’ve said ‘get this free product here etc’ then that’s not ok. The purpose of providing the email in that case is to send the free item, not to subscribe to a mailing list and get marketing emails iykwim. So as long as you’ve made it clear that they are subscribing to a mailing list/you will be using their email for a mailing list then you are ok. That’s my understanding of it anyway.

      • February 2, 2018 / 12:33

        Phew that makes sense. Thanks. Our work did a session on this a while back and are making changes but I’m removed from it,

      • April 3, 2018 / 16:54

        Yes, they haven’t replied yet. I emailed a while back.

  14. February 3, 2018 / 08:26

    This has gotten me really worried. I only started blogging in January as a hobby to document my children’s lives and tips etc. I follow many other bloggers and we comment on each other’s posts. Does this now mean I’m going to have to stop or pay the money? I’m don’t want my address public at all. I use WordPress to blog, youtube to vlog and that’s it. Is this GDPR going to affect me? Thanks so much for this post, I would really appreciate any further information.

    • April 2, 2018 / 11:13

      Me too Jemma. I’m a hobby blogger as well, using a free site. I’ve commented below about my concerns.

  15. February 5, 2018 / 10:59

    Thank you so much for this post! I hadn’t even considered how GDPR would impact bloggers and while I will admit I am panicking slightly now, you’ve definitely laid all of this out in a really helpful way!

    • February 5, 2018 / 11:07

      Thank you! I panicked too but I’m sure as the months unfold it will start to become clearer

  16. tomcwilliams
    February 5, 2018 / 16:41

    I have just signed up with MailerLite specifically because that was supposed to mean that they handled the data registration element of a mailing list. Are you saying that this information is incorrect?

    I have come across the “just register, it’s only £35,” argument before, but you do need to be aware that is £35 a year and that once you are registered it’s going to be very difficult to deregister without closing down your blog and that the price of this kind of thing seems to keep edging up. And I’ll believe it only takes 15 minutes when I see a Jamie Oliver 15 minute dish that I can cook in a quarter of an hour. That’s even before we get into the whole question of my personal address being published.

    If you’re right (and you may well be) this seems like a very good reason for scrapping newsletters and limiting the information that you might collect from your blog. Of course, if you have a massive and profitable online sales base, that would be different. But most of us don’t.

    • February 7, 2018 / 20:27

      GDPR has a online test you can take to see if it applies to you.

      • May 11, 2018 / 20:39

        That’s my worry too. I signed up to a virtual office plus business address twelve years ago, when it was really cheap and saved a passle of problems. It is now around £400 a year, but the problems inherent in changing a business address (even a tiny business) kind of have me held hostage. Think carefully before you commit!

  17. February 6, 2018 / 02:58

    As a blogger, if you collect data, it’s most likely through an autoresponder or email engine like Maillchimp, Aweber, etc.. Since you have no direct control over how that data is collected, stored and secured, surely the onus is not on you to pay the annual fee, or indeed fear noncompliance. That is the responsibility of the service you use.

    • February 7, 2018 / 20:26

      Unfortunately GDRP specifically states it’s on you both. You have to make sure anyone you use complies. If they don’t, you are responsible too.

  18. March 16, 2018 / 20:17

    Thank you for this post! It was super informative but it scared me a little. I decided to delete all of my plugins that help with my email list and have made the decision not to have one. I’m not sure how to avoid collecting data through comments (do I disable them?) and I’m going to delete my contact form. It’s too much for my to understand so I’d rather be safe!

    Em ~ thisisemsworld.com

    • March 16, 2018 / 20:18

      I’m hoping companies develop things that make it easier – we don’t need to get email addresses for comments for example so would be better to just stop!

  19. March 22, 2018 / 14:23

    Hi actually some of this information is a tad incorrect. It is not compulsory for all bloggers to register for the ICO. I’ve spoken to the ICO personally and there is an online test you can take to determine if you should join: https://ico.org.uk/for-organisations/register/self-assessment/ . Also to previous comments. Being a member doesn’t absolve any ongoing responsibility or preclude you from making sure you are fully GDPR compliant. It is YOUR responsibility to ensure ALL data collected on YOUR website via subscriber opt-ins, plugins etc is handled correctly. YOU choose the email service provider therefore you must make sure they are GDPR compliant too. Ignorance of the law is no excuse. You are solely responsible for the way data is collected and handled via your website. Don’t bury your head in the sand, the penalties are not worth it!

    • March 25, 2018 / 21:15

      Hi Samantha, I didn’t say all bloggers have to register, I said it applies if they process personal information. I can’t think of any bloggers that wouldn’t do that though.

      • Kelly Martin
        May 24, 2018 / 14:37

        I am still confused after reading mountains of GDPR stuff. I am a blogger and process information via Google Analytics and other plugins, simply for site stats etc… but when I filled in the assessment it said I did not have to register. So this is more confusing to me.

  20. March 23, 2018 / 12:50

    This was really helpful! I had no idea about the ICO registration part! And your tips for what we can do to comply with GDPR has been helpful in prepping my checklist… yes, I’ve left it a bit late. But thankfully investigating everything now 🙂

  21. March 24, 2018 / 00:14

    Great post, Nyomi … this GDPR malarkey is such a minefield. It’s a great way to clear the crap out and like you say the internet has come a long, long way and needs to be policed and monitored in so many more ways than I guess I think anyone ever envisioned. It’ll be interesting to see how it all pans out after May.

  22. April 2, 2018 / 11:10

    I’m a hobby blogger who uses WordPress. I don’t do comps or other giveaways and I don’t send out a newsletter. I do wish that here was some clarification regarding comments on blogs and the option to subscribe. In my case, I have the WP supplied subscribe button and Bloglovin’s on my site. Does that constitute me gathering personal data? It doesn’t seem to be a clear yes or no. What happens after we leave the EU? Will GDPR no longer be applicable?

    Thanks to Samantha for posting the ICO link to see if I needed to register and it would appear I don’t, but I would still love clarification about comments and the subscribe option on dinky little blogs like mine.

    • April 3, 2018 / 07:32

      It’s my understanding that if you aren’t getting paid at all then you are ok – give ICO a call

    • April 3, 2018 / 07:32

      After we leave the EU, we will still follow GDPR apparently

  23. April 12, 2018 / 10:29

    Thanks for this indepth article…. ive only just heard about the GDPR and you’re right it does seem a bit daunting.
    do you know of any templates for bloggers ro general templates that can be used such as pircacy policy etc?
    Cheers
    Sam

  24. April 18, 2018 / 11:35

    I was thinking about doing a post on GDPR for bloggers too. It’s a pretty insane topic right now and still so many questions open. For me my biggest concern is about Google Analytics. In theory, we need to give users the right to opt out of being tracked as soon as they come on the website. Similar to the cookie notice, except with a lot more data and without the “if you continue…you agree to cookies”. I don’t see myself living without analytics, so this feels so annoying.

    • April 20, 2018 / 12:18

      This is the biggest issue I’m struggling with too is how to handle analytics data. The best I’ve come up with so far is that you can modify the way you’ve implemented Google Analytics to anonymize IP addresses of visitors. So instead of 123.456.789.012 you would have 123.456.XXX.XXX.

  25. April 20, 2018 / 09:36

    Thanks for writing this nice blog. Sql database security help to protect important data from the database and it barrier the harmful threat in the database.

  26. April 25, 2018 / 07:05

    Nice post! This is a very nice blog. Thanks for informative post.

  27. April 27, 2018 / 11:34

    Very useful post. This is my first visit here. I found so many interesting stuff in your blog Truly, its great article. will look forward to read more articles.

  28. Michael
    April 28, 2018 / 07:18

    Hello Nyomi, first of all top work on the article, it’s incredibly informative.

    I’m also a little bit confused in respect to Google Analytics.

    If I may ask, let’s say I run a blog where there is no login, no registration, no comments section but I have Google Analytics, am I right in assuming that I don’t have to register with ICO but it’s Google which has to do so? And that my task is just to make it clear to the customer that data is being collected given them an option to opt-out?

    • May 1, 2018 / 14:08

      If I’m honest I’m not sure on that Michael, might be worth phoning ICO to clarify, pop back and let me know if you get clarity!

  29. Jessica
    April 28, 2018 / 22:55

    No, I can’t even get through this. You made this so difficult to read and understand. I’ll have to find someplace that explains it in a clear, concise, easy-to-understand way.

  30. May 1, 2018 / 10:53

    Hi, I did the quiz on ICO it says I don’t need to register? I’m wondering whether to do it voluntarily or not. I collect emails via convertkit and giveaways.

    • May 1, 2018 / 14:07

      That’s interesting Jenny. I know they recently changed the quiz so now you don’t have to register if you aren’t being paid. They do change things without fanfare. I’ll go recheck myself.

    • May 1, 2018 / 14:17

      So it has changed AGAIN Jenny, you are right. It seems whether we have to register or not seems to be whether bloggers fall under ‘journalism and media’ or not. I’ll need to call ICO to clarify but if not then it looks like bloggers do not need to register but we still do need to ensure we are complying with GDPR.

    • May 1, 2018 / 14:45

      Ok, so it seems the key is if you are paid to advertise for someone else, and you send that out to your mailing list then you do need to register. If you don’t do that then you might be ok. I’m personally considering scrapping my mailing list.

  31. May 1, 2018 / 14:06

    I am going to remove all comments on my blog and close down comments entirely. That seems to be the wisest nuclear option for me.

  32. May 1, 2018 / 19:27

    This is an EU thing correct? If i am out the EU and my blog is out of the EU, then as I understand it there is no problem.

    • May 1, 2018 / 19:29

      It is an EU thing but my understanding is if you process people from the EU’s personal data then you have to comply. So it depends if any of your site visitors are based in the EU

  33. May 3, 2018 / 05:04

    Oh my goodness, I’m literally just coming up. I’ve not made the first cent off of my blog yet. But I don’t want to give it up. I’ve been going for two months, almost, and am averaging 15 people a day. (Definitely isn’t much, nor do I have much monitizing options up), I do want to be compliant, but no, I’m not into sharing my home address. Seriously, I keep running into brick walls… Guess I better learn to climb…

  34. May 3, 2018 / 13:53

    Thanks for this informative post.
    About the registration for ICO, from the assessment it turned out that I don’t need to register, which is good.
    About collecting emails by offering freebies – my understanding is, that if a person to receive a freebie, needed to click the button that said they subscribe to travel newsletter it should be fine? I’ve always used double opt-in on my website, so after filling in the information for subscription, the person was receiving the email sent by Mailchimp where they needed to select “subscribe for travel newsletter” button and therefore giving me consent to subscribe them to the mailing list. And only then they will receive the confirmation of subscription and a link to a freebie. Do I still need to re-confirm the subscriptions?

    Right now, I added a box, that person needs to check in, that says that they agree with my Privacy Policy and links to it. I am just not entirely sure, that I’ve included everything that was needed for the Privacy Policy.
    I don’t quite understand the “lawful basis” for processing data – how exactly this needs to be explained? Do you have an example related to the email lists?

    Many thanks for your help,
    Aga

  35. Suzy McCullough
    May 4, 2018 / 05:41

    The ICO have a series of questions you answer to find out if you need to register with them. I have a monetised blog and don’t need to register. Please could you change that bit of information above as it’s a bit misleading? Not all bloggers have to register. Thanks. Also you need to have a cookie policy and that needs to be on a separate page as well informing your readers how they can opt out of cookies. Also people should no longer be required to leave an email address on a reply on your website. I get you are trying to help but this post is a long way from accurate. Sorry

  36. May 5, 2018 / 02:00

    Awesome details. It was really helpful to understand the laws which was made to secure the information. I wish to have such kind of law for world wide users too, so everyone’s data will be safe.

  37. May 7, 2018 / 03:22

    First off what exactly can a European court do to United states citizen civilly? Worst case scenarios……..judgement, fine you, convict you. BUT there is no way legally for them to carry this out.

    1st- they cant add black Mark’s to ur credit report
    2nd-cant levy ur bank account
    3rd-cant issue a cease n assist order
    4th- cant seize your website
    5th -this isn’t for small time bloggers. This is focused solely on 7 figure bloggers, email marketers, phishing scams, funnel artists n affiliate marketing black hat methods AND ***********SOCIAL MEDIA PLATFORMS LIKE FACEBOOK********** >>>>>do u really think the EU is going to hand down a 20 million dollar fine to someone using a free website builder & $4/month hosting costs????

    Does the IRS go after ppl that cheat them out of$2000 ? The answer is no! Do police arrest every minor age drunk? The answer is no. It’s a law but its focus is not you.

    Now think about google analytics knowing how old you are n geographical location n gender delivering that nfo yo a billion websites a day for free without consent. You think googles going to take a $20M x 1 billion fine without a fight.

    So even if this does find away to effect United states google b Facebook’s wallet will fight this in ur favor long before it comes knocking on ur door.

  38. May 11, 2018 / 10:56

    Really helpful article, thanks so much for all this helpful information.

  39. May 11, 2018 / 12:33

    Thank you so much for this information. It has helped me more than any other article, you have explained it very well. I now feel like I have the necessary information to make my business fully compliant. I also emailed ICO like you mentioned. Thank you!

  40. May 12, 2018 / 17:22

    Very informative article!

    I thank you for taking the time to share this important information; I feel better prepared to do what is necessary for my blog.

    Blessings!

  41. May 16, 2018 / 12:33

    Holy moly, what a farce…

    Thank you so much for putting up this information, I can see it must have been a real headache to wade through everything and try to compile it into something generally useful. And plenty of the comments here clearly show a total disregard for that effort you’ve made on THEIR behalf.

    It may well not be entirely correct (and only a lawyer could have written it that way anyway), but I’d like to see how many of them are willing to wade through all the information on the ICO website just to try to help others who may be struggling with it (or indeed be totally unaware, as I was just a few days ago!).

    I tried my best to read through the “12 steps you need to take now” doc and that was enough for me. I don’t need to register, and I have a fairly good idea of what to do to make sure I’m as compliant as I can possibly be, without getting a freaking lawyer to read through all of it and then go through my blog to cross-reference.

    Aowanders makes some good points about making ourselves crazy for nothing – chances are we’ll never actually have to worry about it unless the service providers we use are found to be seriously in breach of GDPR… But seriously dude, if that’s how you write your blog, you never need to worry about gaining people’s information. Whatever happened to basic grammar?

    For anyone who may be panicking, here’s a checklist I’ve made for my blog that may help you (including the steps I’ve taken today beforehand):

    ~ Take the self-assesment test Nyomi links to above (you will probably be told you don’t need to register like the rest of the commenters here have found)

    ~ Read through (as best you can) the 12 Steps document offered at the end of that

    ~ Send out an email to your entire list – however big or small it may be and regardless of where they live in the world, just to be safe – and get them to click a link that clearly says they want to remain on your mailing list and are happy to receive newsletters etc from you.
    Any that haven’t responded by the 25th, remove them permanently from your list just to be safe. You could check to see what country they hail from first and only remove non-responders from the EU if that makes sense I guess.

    ~ Check any and all opt-ins on your site for correct wording – remember that consent must be freely given, specific, informed, unambiguous, opt-in (no pre-ticked boxes for instance), clear, prominent, properly documented and easily withdrawn.

    ~ Check your thank you pages to ensure they get exactly what they opted in for (eg free PDF) and that they clearly have the option to unsub immediately if they wish to. Also be sure to clearly show your unsub option in your newsletters and other emails.

    ~ Contact your service providers / search their databases for info regarding their GDPR status.

    ~ Ensure visitors to your site can clearly see and opt-into or OUT OF use of cookies. Not sure yet how this will work – something to get right though for sure.

    ~ Check comment functions to see if data is collected, and if so, if it can be removed. If you use a plugin or app (I have a Wix website and everything is added via apps) and it has no option to remove data collection, either change it for a different one, or remove it altogether if necessary. If you can find out how they process that information, then perhaps you can add a notice where commentators will clearly see how it works and have the option to go ahead or not based on it.

    ~ Check google analytics and see if you can anonymize people’s IP addresses as Robert Partridge suggested.

    I have no idea if this checklist is complete or correct, but it feels right to me and if, by some freak of nature they pick on my tiny blog for whatever reason and want to fine me millions, they can go ahead and try! I have nothing but the equity in my house, and family who will take us in if it ever came to it – they’ll get a couple of hundred grand out of me at best.

    It wouldn’t be worth it for them and it wouldn’t be the worst thing that ever happened to me anyway. Unless they put me behind bars… But again, for the sake of the relatively tiny amount of money they’ll get out of me it wouldn’t be worth it and I’m pretty sure a judge will take my side if I show my efforts to comply to the best of my ability to understand their corporate jargon.

    I wish you all the best of luck, and for God’s sake, stop throwing in the towel so easily! It’s just a bit of brain-ache, not the end of the world (yet). If you’re ready to jack it all in for the sake of not having to read some heavy stuff, then you weren’t really in it for the right reasons anyway.

    Thanks again Nyomi. Much love from Kent
    ~ Tam x x

    coloursofyourtruth.com

  42. May 17, 2018 / 13:08

    I think this is too strict. Even small bloggers making $10-50 a month wil need registration? Seriously? Maybe it’s just better to put up a banner that says visitors from EU may do so at their own risk and under no circumstances shal the administrator be responsible for any instances that may be considered violation of GDPR. Will that work? Its better to focus on non EU traffic.. no?

  43. May 17, 2018 / 15:21

    Very helpful. I’ve just finished writing my Privacy Policy based on the information you’ve supplied (mostly) and on what (little) I’ve found elsewhere. The whole GDPR is still complicated to get your head around (as all European policies are….), especially with plug-ins and links that a blog has, and who knows if they store any data, etc… But I’ve made progress. And I’m not so stressed out about it all. THANK YOU FOR TAKING THE TIME TO WRITE THIS UP – IT COULDN’T HAVE BEEN A BREEZE!

  44. Misty
    May 19, 2018 / 17:56

    It’s pure and utter madness. Nobody wants this, except some bloodthirsty unelected government officials. Whenever government gets involved things become very difficult for us the little people. I will NOT follow this BS. I suggest that if enough people simply won’t comply then there is nothing they can do. What are they gonna do? Go after 1 billion website owners and pass out fines? LOL

  45. May 21, 2018 / 15:31

    Thanks Nyomi thanks for putting all this information together I really appreciate it.

  46. May 24, 2018 / 19:04

    honestly i don’t know to how this issue i think how put a banner “public notes our blog has plugins that collect personal information so by visiting this you agree, that your data will be used by our site to send emails……OR ‘simply say if you are the EU stay away from my blogs” hehehehe

  47. May 24, 2018 / 20:24

    Oh,
    Such an awesome post to read on GDPR. This is my first visit your blog and I think that you are really doing a great job.
    Although, I am really fed up with the people who gave away our data and emails which troubles a lot.
    Although, Thanks for the amazing post.
    Have a good day ahead.

  48. John M.
    May 28, 2018 / 12:34

    Good piece of information. Thanks alot. We should build a trend.

  49. Christian
    May 30, 2018 / 22:21

    Great post!

    I have a question regarding the comments.
    I’m writing mine but I have no idea how my name and my email are processed by this blog. How we can handle comments then?

    Thanks.

  50. May 31, 2018 / 15:20

    Can you provide us a sample for GDPR compliance privacy policy for a simple blog with comment form only. Thanks !

  51. Dado
    June 1, 2018 / 11:26

    Does GDPR apply to OLD blog comments, the one made before 25 May 18?
    Should those be deleted, anonymized or it doesn’t matter?

    • June 7, 2018 / 20:13

      I think it does, that’s my understanding.

  52. June 3, 2018 / 17:29

    Hi haven’t yet made my website gdpr compliant but I’m a small blogger just started out. Really confused what to do. But thanks fro this post.

  53. June 5, 2018 / 00:57

    Nice post on GDPR on blogger.Now you can protect your data with our and get the GDPR templates kit.

  54. Amrit Sen
    June 19, 2018 / 14:07

    Good information about GDPR. We should know everything about the new general data protection regulations. Yes, GDPR is a new set of rules designed by EU citizens to more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.

  55. June 21, 2018 / 07:46

    Great insight there, quite an helpful piece of information that covered all basis. i just came across this amazing website that helps you monitor security controls, policies and can prove that your regulatory compliances are in place. Securing gives you bird eye view of your IT environment, You can detect, investigate and actively respond to cyber attacks in real time. Also provides Best log management tool for small business

  56. June 25, 2018 / 11:01

    The work of dynamic data masking is to protect personally identifiable data. Dynamic data masking does not require any additional server resources.

  57. June 26, 2018 / 09:49

    Good information and thanks for sharing it. This GDPR has the great impact on the American business because it provides protection to EU citizen no matter of their data travels. This means the EU citizen is bounded by its rules. So ultimately all the business are affected whether it is small or large from multi to micro all the under this regulation no one is exempt.

  58. June 27, 2018 / 17:17

    Thanks for sharing wonderful information, But European Union forcing the companies to intensify privacy-specific policies, instead of implementing a separate GDPR-friendly policy for EU countries.

  59. June 29, 2018 / 12:22

    This is really somewhat very interesting. As GDPR launched, we should follow their rules and the rules are quite good. Keep Posting like this.

  60. July 30, 2018 / 09:44

    It was a pretty good blog. And it was good too that new set of rules on GDPR came up. Every company should be GDPR Compliant. You can also learn through different courses on which has a valid certification to make you aware of the GDPR.
    Looking for more such posts.

  61. September 21, 2018 / 11:31

    This is kind of confusion, whether I make money from my blog or not but appreciate your effort in explaining it. Does this not meant for European nations?

Leave a Reply

Your email address will not be published.

The following GDPR rules must be read and accepted:
This form collects your name, email and content so that we can keep track of the comments placed on the website. For more info check our privacy policy where you will get more info on where, how and why we store your data.

This site uses Akismet to reduce spam. Learn how your comment data is processed.