Disclaimer: This post is not legal advice. For full information and guidance please see the GDPR site and seek professional legal advise. This is my interpretation of what I have read so far but I am not an expert or a lawyer and as such I can not be held liable for any advice taken from this article.
A bit of a diversion from my normal content today – today’s post is just for bloggers. If you aren’t a blogger you might want to skip this one. If you are, then today’s post is all about GDPR for bloggers. In my ‘proper job’ I’m part of the team responsible for ensuring our organisation complies with GDPR so I’ve a little understanding about it. Most organisations are very much finding their feet with this – even the multi-million pound ones. No one really knows how it’s all going to work once it goes live but based on what I’ve learned at work and what I’ve read online, this is how I think GDPR will be for bloggers.
What is GDPR and why is it important?
GDPR is the General Data Protection Regulations that come into force 25 May 2018. This is a big update to the Data Protection Act 1998.
Anyone processing personal information must register with the Information Commissioners Office and comply by law.
If you are found to have breached GDPR then the fines are EPIC. We are talking fines of an upper limit of €20 million or 4% of annual global turnover – whichever is higher! Fines are also stackable per offence.
Separate to these fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of violating the GDPR.
Does GDPR apply to me?
It applies to you if you process personal information AND are processing it as part of an enterprise. Article 4(18) defines enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’. So basically, it seems that if you aren’t making any money through your blog you are ok. If you are making any money, then you need to read on…
Processing means: obtaining it, recording it, storing it, updating it or sharing it.
Personal information means any detail about a living individual that can be used on its own or with other data to identify them. For bloggers, this is likely to be named email addresses (brands, PRs and email list subscribers), prize winner addresses and IP addresses.
This site advises that, ‘a simple operation of storing an IP address on your web server logs constitutes processing of personal data of a user. Some usual ways in which a standard WordPress site might collect user data:
- user registrations,
- contact form entries,
- analytics and traffic log solutions,
- any other logging tools and plugins,
- security tools and plugins.
Any plugins that you use will also need to comply with the GDPR rules. As a site owner, it is still your responsibility, though, to make sure that every plugin can export/provide/erase user data it collects in compliance with the GDPR rules.’
If you are in any doubt about whether it all applies to you, then ICO has a self assessment tool that you can take to see if you need to register with them.
Registering with ICO
You must register with Information Commissioners Office (ICO)
Registering with ICO costs £35 a year and should take 15 minutes.
An issue with registering as a blogger is that you will be added to a public register (by law) and your address will be publicly visible. I think that this puts bloggers at risk. I spoke to ICO about it and they said ways around it are to use:
- Your accountants address if you have one
- A PO box address
- A managed office address
For many bloggers who aren’t earning much yet these options may not be affordable or practical, putting them in a position of choosing to put themselves and their families at risk or complying with the law. I find it ironic that a law meant to keep people’s data safe and improving consents procedure is forcing bloggers to put personal information online in this way through coercion. Family bloggers will be worried about people finding their children, travel bloggers will be risking their homes when on press trips. I really hope that ICO re-think this policy. I don’t know why they can’t take addresses but keep that part private. In an instance of a data request, surely an email address will suffice? If you too have an issue with this I would encourage you to also complain to ICO. If anyone finds a decent way around it, do let me know.
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
You will be in breach of GDPR if you don’t have a lawful basis in place by 25 May 2018.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. The lawful bases that are most likely to apply to bloggers are:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
According to this law firm, ‘ICO acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.’ Recital 47 of the GDPR actually says that:
“The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” If you use legitimate interests you need to have a Legitimate Interest Assessment (LIA) saved.
However, there is another law that comes into play here for bloggers – Privacy and electronic communications Act (PECR). PECR:
- Covers marketing via email and cookies
- Not just personal information!
- Fines up to £500k and £1000 if you don’t tell ICO about a breach
- Covers unsolicited marketing ‘not specifically requested’ even if someone has opted onto email list
- ‘Consent must be given freely, specified and informed. It must involve some form of positive action (eg ticking box or clicking link) and the person must understand that they are giving consent’.
So in my humble opinion, you may as well use consent as lawful basis for GDPR and cover both bases at the same time. It’s also worth bearing in mind that the next piece of legislation in line for an overhaul is the European directive that forms the basis of the PECR and this will be called the e-Privacy Regulation (e-PR). This was due to come into practice on the same date as GDPR but is running late. It may be that e-privacy has more of an impact on bloggers than GDPR.
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first principle. Individuals also have the right to erase personal data which has been processed unlawfully. The individual’s right to be informed under Article 13 and 14 requires you to provide people with information about your lawful basis for processing. This means you need to include these details in your privacy notice.
You must determine your lawful basis before starting to process personal data. It’s important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, you cannot simply swap to a different one. Even if a different basis could have applied from the start.
You have a one-time opportunity to get these in place now and update processing information you already have. Inform people upfront about your lawful basis for processing their personal data. You need therefore to communicate this information to individuals by 25 May 2018, and ensure that you include it in all future privacy notices.
It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose. You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. I’m going to add a column to my email contact spreadsheets with this information.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build customer trust and engagement, and enhance your reputation. Explicit consent requires a very clear and specific statement of consent. Keep evidence of consent – who, when, how, and what you told people. You will need this if you are investigated from a complaint. Avoid making consent to processing a precondition of a service (for example, opt-in freebies to get email addresses for mailing lists will not comply with GDPR).
You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.
Europe also has a separate law – the Privacy and Electronic Communications Directive (or e-Privacy Directive), these rules require opt-in consent for e-mail marketing, unless an individual’s contact details were collected in the context of a sale and the individual was given the ability to opt-out at that time.
How should you obtain, record and manage consent?
Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:
- the name of your organisation;
- the name of any third party controllers who will rely on the consent;
- why you want the data;
- what you will do with it; and
- that individuals can withdraw consent at any time.
Under the transparency provisions of the GDPR, the information you need to give people includes:
- your intended purposes for processing the personal data; and
- the lawful basis for the processing.
This applies whether you collect the personal data directly from the individual or you collect their data from another source.
Some of the other things you need may need to include in your privacy notice includes (not limited to):
- Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer
- Purpose of the processing and the lawful basis for the processing
- The legitimate interests of the controller or third party, where applicable
- Categories of personal data
- Any recipient or categories of recipients of the personal data
- Retention period or criteria used to determine the retention period
- The existence of each of data subject’s rights
- The right to withdraw consent at any time, where relevant
- The right to lodge a complaint with a supervisory authority
- The source the personal data originates from and whether it came from publicly accessible sources
- The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. Bloggers really need to start thinking more carefully about how they keep people’s personal data secure. If you have a security breach like a hack then you are liable under GDPR.
Does it apply to brand to brand marketing?
The key here is the definition of personal data under the GDPR. If a business email address is personal data it will fall under the scope of the Regulation. Article 4.1 of the GDPR states:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’
It will remain a choice between using consent or legitimate interests for sending electronic B2B communications. For more information on this I found this article helpful.
What bloggers need to stop doing:
- Auto opt ins
- Opt in freebies to get email addresses for one purpose then use them for another. If you gained email addresses this way you should go out to gain consent or you may be in breach of GDPR
- Share data with anyone else who wasn’t named at the point where data was provided, for example, a brand who asks for the email addresses of giveaway entrants
- Stop collecting data where not necessary, for example, contact form/comments
- Sharing named brand PR contacts without permission
Things bloggers need to start doing:
- Displaying a privacy notice anytime they collect data
- Have a data processing and security policy
- Be able to evidence permissions
- Have robust security anywhere data is processed
Summary suggested approach to ensuring compliance with GDPR
- Register with ICO
- Review all processing activities – what do you do that obtains or uses information that can identify individuals? For example, receiving emails, email database, running giveaways etc.
- Choose a lawful basis for each processing activity e.g. legitimate interest or consent. Create a document, save and date it.
- ICO have just launched this really helpful guidance template spreadsheet that you can complete. It includes helpful examples. It looks daunting at first but it isn’t as bad as it seems initially. I will be using it to ensure I comply with GDPR and will update it annual. I recommend you do the same.
- Bring your processing in line – clearly document lawful basis, inform people upfront about your lawful basis for processing their personal information. Go out to your emailing list to get consent if necessary (for example if you have a bunch of email addresses gained from one purpose and then used for another from auto opt ins or opt in freebies). I’ve heard of big companies scrapping their entire email database to ensure compliance. You might notice that you start getting emails from companies being proactive and asking you to opt-in.
- Develop a privacy notice (and implement it each time personal data is processed).
- Develop a security policy and make sure you are keeping data as securely as possible. I’m personally going to go through my emails and delete ones with personal data I no longer require, eg prize winner addresses so that I’m reducing risks there. Do you have the best encryptions and passwords? Have you made the change to https? Are you keeping plug-ins up to date to reduce hacks, deleting plugins you don’t use etc. Are you using security software?
If you are anything like me then now you are panicking and thinking this is a minefield! It’s got me wanting to get rid of all the personal data I use so I don’t have to do it but I’m sure we will all figure it out as it goes along. I guess it’s now a question of going away, doing your research and deciding on your plan for ensuring compliance.
All in all, GDPR is good for us all and I believe it’s a necessary step in our increasingly online world. After all, the online world is pretty far removed from 1998 now isn’t it? I see this being like disclosure – you can either see it as a pain or a way to have a better relationship with those who interact with your business giving them more transparency and clarity. Once I’ve developed my privacy notice I will share that with you as well so you can copy and adapt.