GDPR for bloggers – does it apply to you and how to comply


Disclaimer: This post is not legal advice. For full information and guidance please see the GDPR site and seek professional legal advice. This is my interpretation of what I have read so far, but I am not an expert or a lawyer and as such I cannot be held liable for any advice taken from this article.

A bit of a diversion from my normal content today – today’s post is just for bloggers. If you aren’t a blogger you might want to skip this one. If you are, then today’s post is all about GDPR for bloggers. In my ‘proper job’ I’m part of the team responsible for ensuring our organisation complies with GDPR so I’ve a little understanding about it. Most organisations are very much finding their feet with this – even the multi-million pound ones. No one really knows how it’s all going to work once it goes live but based on what I’ve learned at work and what I’ve read online, this is how I think GDPR will be for bloggers.

What is GDPR and why is it important?

GDPR is the General Data Protection Regulation, which comes into force on 25 May 2018. This is a big update to the Data Protection Act 1998.

Anyone processing personal information must register with the Information Commissioner's Office and comply by law.

If you are found to have breached GDPR then the fines are EPIC. We are talking fines of an upper limit of €20 million or 4% of annual global turnover – whichever is higher! Fines are also stackable per offence.

Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.

Does GDPR apply to me?

It applies to you if you process personal information.

Processing means: obtaining it, recording it, storing it, updating it or sharing it.

Personal information means any detail about a living individual that can be used on its own or with other data to identify them. For bloggers, this is likely to be named email addresses (brands, PRs and email list subscribers), prize winner addresses and IP addresses.

This site advises that, ‘a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user. Some usual ways in which a standard WordPress site might collect user data:

  • user registrations,
  • comments,
  • contact form entries,
  • analytics and traffic log solutions,
  • any other logging tools and plugins,
  • security tools and plugins.

Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.’


Registering with ICO

You must register with the Information Commissioner's Office (ICO).

Registering with ICO costs £35 a year and should take 15 minutes.

An issue with registering as a blogger is that you will be added to a public register (by law) and your address will be publicly visible. I think that this puts bloggers at risk. I spoke to ICO about it and they said ways around it are to use:

  1. Your accountant's address, if you have one
  2. A PO box address
  3. A managed office address

For many hobby bloggers, or bloggers who aren't earning much yet, these options may not be affordable or practical, putting them in a position of choosing between putting themselves and their families at risk or complying with the law. I find it ironic that a law meant to keep people's data safe and improve consent procedures is forcing bloggers to put personal information online in this way through coercion. Family bloggers will be worried about people finding their children; travel bloggers will be risking their homes when on press trips. I really hope that ICO re-think this policy. I don't know why they can't take addresses but keep that part private. In the instance of a data request, surely an email address will suffice? If you too have an issue with this I would encourage you to also complain to ICO. If anyone finds a decent way around it, do let me know.

Article 5 of the GDPR requires that personal data shall be:

“a) processed lawfully, fairly and in a transparent manner in relation to individuals;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Lawful basis

You will be in breach of GDPR if you don’t have a lawful basis in place by 25 May 2018.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. The lawful bases that are most likely to apply to bloggers are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

According to this law firm, 'ICO acknowledges that direct marketing will often be a "legitimate interest" of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.' Recital 47 of the GDPR actually says that:

“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

This means, for example, that if a blogger wishes to send postal marketing to its customer base, it can often do so in reliance on its 'legitimate interests' – it generally does not need its customers' consent to this mailing. It will, however, always need to offer them an opt-out (Art 21(2)).

If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to have personal data erased where it has been processed unlawfully. The individual's right to be informed under Articles 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.

You must determine your lawful basis before starting to process personal data. It's important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, you cannot simply swap to a different one, even if a different basis could have applied from the start.

You have a one-time opportunity to get these in place now and update processing information you already have. Inform people upfront about your lawful basis for processing their personal data. You need therefore to communicate this information to individuals by 25 May 2018, and ensure that you include it in all future privacy notices.

It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose. You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. I’m going to add a column to my email contact spreadsheets with this information.


Consent

Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of default consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation. Explicit consent requires a very clear and specific statement of consent. Keep evidence of consent – who, when, how, and what you told people. You will need this if you are investigated following a complaint. Avoid making consent to processing a precondition of a service (for example, opt-in freebies used to get email addresses for mailing lists will not comply with GDPR).

You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.

Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

Europe also has a separate law – the Privacy and Electronic Communications Directive (or e-Privacy Directive). These rules require opt-in consent for e-mail marketing, unless an individual's contact details were collected in the context of a sale and the individual was given the ability to opt out at that time.

How should you obtain, record and manage consent?

Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

  • the name of your organisation;
  • the name of any third party controllers who will rely on the consent;
  • why you want the data;
  • what you will do with it; and
  • that individuals can withdraw consent at any time.

Privacy notice

Under the transparency provisions of the GDPR, the information you need to give people includes:

  • your intended purposes for processing the personal data; and
  • the lawful basis for the processing.

This applies whether you collect the personal data directly from the individual or you collect their data from another source.

Other things you may need to include in your privacy notice (this list is not exhaustive):

  • Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
  • Purpose of the processing and the lawful basis for the processing
  • The legitimate interests of the controller or third party, where applicable
  • Categories of personal data
  • Any recipient or categories of recipients of the personal data
  • Retention period or criteria used to determine the retention period
  • The existence of each of data subject’s rights
  • The right to withdraw consent at any time, where relevant
  • The right to lodge a complaint with a supervisory authority
  • The source the personal data originates from and whether it came from publicly accessible sources
  • The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences

Security

The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. Bloggers really need to start thinking more carefully about how they keep people’s personal data secure. If you have a security breach like a hack then you are liable under GDPR.


Does it apply to brand to brand marketing?

The key here is the definition of personal data under the GDPR. If a business email address is personal data it will fall under the scope of the Regulation. Article 4.1 of the GDPR states:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

I'm taking this to mean that named brand emails will be personal data, e.g. jane.doe@brand.com, but a generic address such as help@disney.com wouldn't be.

It will remain a choice between using consent or legitimate interests for sending electronic B2B communications. For more information on this I found this article helpful.

What bloggers need to stop doing:

  • Auto opt-ins
  • Opt-in freebies used to get email addresses for one purpose and then using them for another. If you gained email addresses this way you should go out and gain consent, or you may be in breach of GDPR
  • Sharing data with anyone who wasn't named at the point where the data was provided, for example a brand who asks for the email addresses of giveaway entrants
  • Collecting data where it isn't necessary, for example via contact forms or comments
  • Sharing named brand PR contacts without permission

Things bloggers need to start doing:

  • Displaying a privacy notice any time they collect data
  • Having a data processing and security policy
  • Being able to evidence permissions
  • Having robust security anywhere data is processed

Summary: suggested approach to ensuring compliance with GDPR

  1. Register with ICO
  2. Review all processing activities – what do you do that obtains or uses information that can identify individuals? For example, receiving emails, email database, running giveaways etc.
  3. Choose a lawful basis for each processing activity e.g. legitimate interest or consent. Create a document, save and date it.
  4. Bring your processing in line – clearly document lawful basis, inform people upfront about your lawful basis for processing their personal information. Go out to your emailing list to get consent if necessary (for example if you have a bunch of email addresses gained from one purpose and then used for another from auto opt ins or opt in freebies). I’ve heard of big companies scrapping their entire email database to ensure compliance. You might notice that you start getting emails from companies being proactive and asking you to opt-in.
  5. Develop a privacy notice (and implement it each time personal data is processed).
  6. Develop a security policy and make sure you are keeping data as securely as possible. I'm personally going to go through my emails and delete ones with personal data I no longer require, e.g. prize winner addresses, so that I'm reducing risks there. Do you have strong encryption and passwords? Have you made the change to https? Are you keeping plug-ins up to date to reduce hacks, and deleting plug-ins you don't use? Are you using security software?

Next steps

If you are anything like me then now you are panicking and thinking this is a minefield! It’s got me wanting to get rid of all the personal data I use so I don’t have to do it but I’m sure we will all figure it out as it goes along. I guess it’s now a question of going away, doing your research and deciding on your plan for ensuring compliance.

All in all, GDPR is good for us all and I believe it’s a necessary step in our increasingly online world. After all, the online world is pretty far removed from 1998 now isn’t it? I see this being like disclosure – you can either see it as a pain or a way to have a better relationship with those who interact with your business giving them more transparency and clarity. Once I’ve developed my privacy notice I will share that with you as well so you can copy and adapt.

Good luck!!


32 Comments

  1. February 1, 2018 / 14:13

    This was really informative I didn’t know about this at all so thanks for sharing. I think that it’s really important to remain compliant with these laws for data handling! Cheers Nyomi

  2. February 1, 2018 / 14:26

    Great concise post, it really is a minefield for everyone.

    • February 1, 2018 / 14:26

      It really is. It got me down writing it – I was thinking about jacking it in to save myself the headache!

  3. February 1, 2018 / 15:12

    Thank you for sharing. This is very informative and definitely something bloggers need to think about x

  4. emmaology
    February 1, 2018 / 19:24

    My head is battered! I need to reread this when I’m a bit more alert! Thanks for putting together all this info, I had no idea about any of it…

    • February 1, 2018 / 19:25

      Thanks – you’re welcome, it’s a lot isn’t it

  5. February 1, 2018 / 19:58

    so this means when people comment on our blog like I am on yours and it is collecting my name/email and blog that I need to be registered for that?
    I suppose this will cover rafflecopter/gleam competitions as well then.
    Guess this will see a lot of us hobby bloggers disappear, I probably will if commenting is covered.

    • February 1, 2018 / 20:00

      I’m actually not sure about the comments on blogs actually. Potentially! I know some people say it does but I’m not 100%. You could turn them off?

  6. February 1, 2018 / 21:07

    Hmm, so actually I think I might stop blogging then, and switch my blog to private. Because £35 is actually a lot each year, and the hassle, all because of a few comments on blog posts? Nah man. This is massive. I don’t have an email list of subscribers, and I’m fairly good at clearing out my inbox so I don’t hold information on prize draw winners.
    Game changer.

    • February 2, 2018 / 12:36

      A lot of people have said this. I felt like it too. People are focussing on the comments but I see comments as the least of the problem. Brand emails fall under this, as do google analytics etc. See how it develops though, I don’t think it will be as bad as we think.

  7. Isabel
    February 1, 2018 / 21:12

    Thank you for this – so valuable!

  8. February 1, 2018 / 21:24

    Awesome post. Christ how long did it take to write because it took ages to read! 😀 Thank you so much for going to the bother – it’s greatly appreciated 🙂

  9. February 1, 2018 / 22:59

    Thanks so much for putting all this in blogging terms, it’s a massive help!

    I do think though that it will sound the death knell for many small-time and hobby bloggers – it all seems a little overboard for those who don’t have email subscription lists, for example. Plus £35 is a big expense if you only blog as a hobby… Not convinced about ICO displaying our personal information either (I agree, doesn’t that negate the whole point of data protection and privacy?!)

    • February 2, 2018 / 12:34

      I totally agree Lorna, I’m hoping ICO realises and makes it more practical.

  10. February 2, 2018 / 04:38

    Thank you so much for this article. I have no idea! I must register now!

  11. February 2, 2018 / 07:38

    This is super helpful Nyomi, well done for pulling it all together in such a concise way!! I know these changes are all being made for the right reasons but it certainly does turn blogging, something that should be fun, in to something rather stressful!!

    • February 2, 2018 / 12:33

      Thanks Rachel. I totally know what you mean. I’m sure companies will be bringing out plug ins and products that make it easier for us. I know WordPress and jet pack are actively working on stuff at the mo.

  12. February 2, 2018 / 08:38

    This is super helpful! My first thought though is to just jack in blogging. I make no money and don't want to fork out for the ICO and have my address made public all for the sake of some comments. The protection of my family comes first.

    • February 2, 2018 / 12:32

      Thank you. I felt like that too to be honest but give it a little while, I doubt it will be as bad as we fear it could be.

  13. February 2, 2018 / 12:22

    Thanks for this. Really clear (as much as it can be). I gripe about the ICO public address – but there’s nowhere on their website when live chat is unavailable to actually complain about that.

    My concern is comments – there’s a plugin which is meant to put a check box for people to confirm they’re fine leaving their details before commenting. But it doesn’t work on my blog. But then to have to do that 12 monthly? It’s insane.

    Competitions I'm pretty clear on – I'm hoping rafflecopter will do something to encrypt things – and I've already gone through and deleted confirmed giveaways once prize winners have their prizes. And my newsletter is fine because I've always had double opt in and point out the unsubscribe button every time I send a newsletter.

    I’m confused about freebie opt ins though. As long as people know they’re signing up to a fortnightly newsletter, there’s the option to unsubscribe after they’ve downloaded the freebie, and the freebie is almost a reward, I don’t see how that’s falsely gaining email addresses for another purpose?

    I guess I'll need to pay the money before the price goes up, and I need to get changing wording on my blogs at point of comments (might turn them off on my dance blog because no one ever comments, they all comment on FB) and writing documentation for everything. It's a lot of work and expense for something that, if everyone knows in advance what they're adding their name and email to, shouldn't be an issue for people who don't send emails on to others.

    • February 2, 2018 / 12:30

      I think for the opt in freebies it depends on the wording used. So if you’ve said ‘sign up to my mailing list to get X’ then that’s fine BUT if you’ve said ‘get this free product here etc’ then that’s not ok. The purpose of providing the email in that case is to send the free item, not to subscribe to a mailing list and get marketing emails iykwim. So as long as you’ve made it clear that they are subscribing to a mailing list/you will be using their email for a mailing list then you are ok. That’s my understanding of it anyway.

      • February 2, 2018 / 12:33

        Phew, that makes sense. Thanks. Our work did a session on this a while back and are making changes but I'm removed from it.

  14. February 3, 2018 / 08:26

    This has gotten me really worried. I only started blogging in January as a hobby to document my children's lives and tips etc. I follow many other bloggers and we comment on each other's posts. Does this now mean I'm going to have to stop or pay the money? I don't want my address public at all. I use WordPress to blog, YouTube to vlog and that's it. Is this GDPR going to affect me? Thanks so much for this post, I would really appreciate any further information.

  15. February 5, 2018 / 10:59

    Thank you so much for this post! I hadn’t even considered how GDPR would impact bloggers and while I will admit I am panicking slightly now, you’ve definitely laid all of this out in a really helpful way!

    • February 5, 2018 / 11:07

      Thank you! I panicked too but I’m sure as the months unfold it will start to become clearer

  16. tomcwilliams
    February 5, 2018 / 16:41

    I have just signed up with MailerLite specifically because that was supposed to mean that they handled the data registration element of a mailing list. Are you saying that this information is incorrect?

    I have come across the “just register, it’s only £35,” argument before, but you do need to be aware that is £35 a year and that once you are registered it’s going to be very difficult to deregister without closing down your blog and that the price of this kind of thing seems to keep edging up. And I’ll believe it only takes 15 minutes when I see a Jamie Oliver 15 minute dish that I can cook in a quarter of an hour. That’s even before we get into the whole question of my personal address being published.

    If you’re right (and you may well be) this seems like a very good reason for scrapping newsletters and limiting the information that you might collect from your blog. Of course, if you have a massive and profitable online sales base, that would be different. But most of us don’t.

    • February 7, 2018 / 20:27

      GDPR has an online test you can take to see if it applies to you.

  17. February 6, 2018 / 02:58

    As a blogger, if you collect data, it's most likely through an autoresponder or email engine like Mailchimp, Aweber, etc. Since you have no direct control over how that data is collected, stored and secured, surely the onus is not on you to pay the annual fee, or indeed fear noncompliance. That is the responsibility of the service you use.

    • February 7, 2018 / 20:26

      Unfortunately GDPR specifically states it's on you both. You have to make sure anyone you use complies. If they don't, you are responsible too.
