Are you a blogger and still trying to figure out exactly what this GDPR stuff is all about and what it means for you? This post breaks down the main points of GDPR, how it affects you as a blogger and what you need to do to comply.
THIS IS MERELY MY TAKE ON GDPR. I AM NOT A LAWYER AND NONE OF WHAT IS WRITTEN HERE SHOULD BE CONSIDERED LEGAL ADVICE IN ANY WAY. PERFORM YOUR OWN DUE DILIGENCE AND CONSULT WITH A REAL LAWYER IF YOU HAVE ANY QUESTIONS!
This post contains affiliate links. I may make a commission if you buy a product or service through such a link. Please see my Affiliate Disclosure for further information.
In a rush? Skip to each of these sections by clicking on the titles below:
- What is GDPR
- What are the main principles of GDPR?
- So what do I need to do about GDPR as a Blogger and website owner?
- GDPR and what it means for freebies and opt-in incentives
- This is so unfair! I have a tiny EU readership!
- Wrapping it up
What is GDPR?
GDPR stands for General Data Protection Regulation: a new, mandatory set of rules governing how EU residents’ Data is handled. Previously, data protection laws fell under each country’s own respective national laws, but GDPR is the single, mutually agreed EU-wide Directive that replaces this. GDPR was actually enacted in 2016 with a grace period of two years to allow businesses and individuals to comply. May 25th is the final deadline for compliance.
Briefly, here are the key changes to previous Data Protection laws coming into force on the 25th May 2018:
- Increased Territorial Scope (extra-territorial applicability) – The biggest change and why it almost certainly affects you, regardless of where you personally reside in the world. In a nutshell, if you store and process an individual’s personal Data from the EU, you’re liable under GDPR.
- Penalties for non-compliance – fines of up to 4% of annual global turnover or €20 Million (whichever is greater). These are intended for the most serious infringements. In practice there will be a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
- Higher standard of Consent – the conditions for user Consent have been strengthened. Legalese and vague references to ‘third parties’ are no longer acceptable. You’ll need to establish legal grounds for Consent and the purpose for Data processing. It must be “clear and indistinguishable from other matters”. This means you can no longer send marketing or promotional emails to an email address gained when a user has downloaded a freebie opt-in. The user must ‘actively’ consent to you doing so, and this permission must be clearly separate from the freebie (in the form of a separate checkbox). This guide to Consent by the UK’s Information Commissioner’s Office (ICO) is super helpful.
- Breach notification – If a user’s Data has been compromised in some way and this breach is likely to “result in a risk for the rights and freedoms of individuals” you must notify them within 72 hours. If using 3rd party hosts who process your users’ data (email service providers, web hosts, software and plugin developers) then they are obligated to notify customers “without undue delay” when first becoming aware of a breach.
- Right to access – data subjects are entitled to request confirmation from Data Controllers whether or not their Data is being processed, where and for what purpose. Controllers must provide a copy in electronic format FREE OF CHARGE.
- Right to be forgotten – Data subjects are entitled to have the data controller stop any collection and processing of his/her personal data, and for it to be erased (Data Erasure).
- Data Portability – Data subjects have the right to request their Data in a ‘commonly used and machine readable format‘ so it can be transferred to another Data Controller.
- Privacy by Design – Data Controllers are obligated to ensure adequate measures are undertaken to “implement appropriate technical and organisational measures … in an effective way … in order to meet the requirements of this Regulation and protect the rights of data subjects” as a holistic part of their organisational process, not tacked on as an afterthought. Controllers must only collect the minimum of data necessary for processing and performing their duties, limiting access only to those who are essential for carrying out these duties.
Why the need for GDPR?
To paraphrase Bob Dylan, ‘the times they are a-changin’’. Data is very much the modern equivalent of human labour in the 18th century, the main driver of the industrial revolution (stay with me, folks). It’s what powers much of today’s economy, and a huge wedge of that is our data. It may require less physical effort on our part, but, like our hard-working forebears, make no mistake: WE ARE THE VALUE.
In this climate giants like Facebook and Google rule the world. People like Mark Zuckerberg build empires – and get exceedingly rich in the process – on the back of our data. As you know, occasionally, things go awry and our Data ends up in the wrong hands.
What’s probably more alarming, however, is the sheer volume of superfluous data just floating around in the ether that we have little control over or access to. Unsurprisingly, there’s a lot of folks increasingly unhappy about this.
GDPR is how the EU aims to tackle the issue; creating more transparency, strengthening an individual’s rights and forcing companies and individuals to adhere to stricter rules concerning the collection and processing of EU citizens’ personal data.
What is ‘Personal Data’?
According to Article 4 of the GDPR, it’s this:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
That’s fairly clear, right?
Think a name, email address, address, IP address, bank details, health records, educational records, basically anything that contains an ‘identifier’ which links in some way to a living, breathing human can be considered personal data.
And what exactly is meant by ‘processing’?
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
That’s a little less clear, but essentially ‘processing’ boils down to the collection and storage of data as a digital or physical record (so on a computer or a filing cabinet etc) with the intention of it being used in some way, either by an individual, company or public authority etc. This even covers notebooks or folders containing an individual’s personal data lying around on your desk.
What are the main principles of GDPR?
There are six main principles. Article 5 of the GDPR requires that the handling of personal data involves the following (the dashed notes under each principle are mine):
a) Lawfulness, fairness and transparency – processed lawfully, fairly and in a transparent manner in relation to individuals;
– You must have clear, lawful grounds for processing Data and let people know exactly how you’ll do it
b) Purpose limitations – collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
– Do exactly what you say you’re going to do with the Data, and nothing more.
c) Data Minimisation – adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
– Collect only the Data which is absolutely necessary for processing, and nothing more.
d) Accuracy – accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
– Have a due process in place for auditing and maintaining Data along with the ability to erase or amend any which is inaccurate.
e) Storage limitations – kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
– Only store Data for as long as is absolutely necessary and have a process in place for deleting Data no longer required.
f) Integrity and confidentiality – processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
– As the ‘Data Controller’ it’s on your head to ensure adequate steps are being taken to secure and protect online and offline Data.
There’s a lot that remains to be seen about GDPR and how it will be enforced in reality, but it’s best to err on the side of caution. Assume that, if you’re blogging and own a website, a newsletter or an online store you probably collect user personal data in some way, even if it’s tracking your visitor’s IP address.
So what do I need to do about GDPR as a Blogger and website owner?
1. First and foremost, you must perform a Data audit. This sounds scary and official but it’s really, really important you do this, even if you have a basic website and think you’re not collecting or storing personal data in any way.
You’ll need to figure out all the points where user Data is collected and stored. Then you’ll need to figure out if you have users’ permission to do so. Were they clearly informed of the specific purposes for using their data and of their right to withdraw consent at any time?
If you own a blog or website offering freebie downloads, products or services, or have a newsletter or subscription aspect, it’s pretty obvious you’re almost certainly collecting and processing personal data in some way. What’s less obvious are the other ways you may be unwittingly processing visitors’ data.
Here are some of the ways bloggers and website owners process visitor data via third party software and plugins:
Plugins – a third party piece of software containing a group of functions added to a WordPress website to add functionality and extended features. The issue in relation to GDPR is if you’re using plugins which collect, store or pass on data to third parties. Think Wordfence, Pretty Links, Akismet, Jetpack and Contact Form 7, many of which use what is called ‘anonymised’ tracking to store IP addresses and track visitor behaviour. Contact forms are a more obvious point of data collection and processing, but less obvious are things like security plugins which field spam and brute force attacks. As the Data controller, it’s your responsibility to ensure your plugins are GDPR compliant. DO NOT assume!
Website analytics – Visitor tracking software, usually inserted via a piece of HTML code into your website’s header. Think Google, Bing, Statcounter, Kissmetrics, Pinterest Analytics etc. At the basic level, these services store and track visitor IPs and subsequent behaviour on your site. If you have things like Google Demographics & Interests activated, these extrapolate much more detailed information about your visitors such as age, sex and interests.
Blog Comments – Most blog commenting systems store user data in some way – be that an email address and name, or a link to a social media profile. Users will need to consent to their Data being processed.
Order Forms or web store (Woocommerce etc) – If you operate an online shop it’s likely you have 3rd party software such as Woocommerce or Shopify powering it, along with a payment processor such as Paypal. These points of Data Collection will need to be GDPR compliant.
Forums or message boards – Similar to comment forms, if you host a forum or message board on your site and visitors are required to provide a name and / or email address, this falls under GDPR.
Chatbots – If you use a Chatbot like Drift (see bottom left of this site) you’ll need to ensure it’s also GDPR compliant and that you’ve gained the appropriate ‘active’ consent via a checkbox or similar on the Bot itself.
Facebook / Twitter / Pinterest / Linkedin re-targeting Pixels – Similar to web analytics software, if you’re running ads on any of these networks, and have installed a tracking pixel to ‘retarget’ visitors on those social networks, you guessed it, you’re processing visitor Data and therefore under obligation to be GDPR compliant when it comes to EU visitor Data.
2. Create a document outlining what personal data you hold, where it came from and who you share it with. Determine which of these are not absolutely necessary and delete all records contained within them.
Remember: users must be able to access your website freely without consenting to cookies!
5. Establish a data policy. Again, sounds scary and official, but if you’re audited, you must be able to prove where, why and for how long you store and process personal data, along with how you handle and report possible data breaches, which must be recorded and reported. Ensure you’re aware of how to contact third party suppliers in the event of a request for information, or a request to be forgotten. Willow Consulting’s post GDPR for ecommerce goes into lots of helpful detail on this.
TOP TIP – INSTALLING A GDPR PLUGIN ON YOUR WORDPRESS WEBSITE WILL HELP YOU TO COMPLY – My fave is the free and imaginatively titled ‘WP GDPR Compliance’ which adds checkboxes to your contact forms, comments etc and has a neat feature enabling users to request an email notifying what Data is collected via your website (Note: activating any GDPR plugin does not automatically guarantee compliance).
GDPR and what it means for freebies and opt-in incentives
Perhaps the biggest change for bloggers concerns the strengthened area of Consent, and specifically how this relates to opt-in freebies, incentives and downloads. Basically, if you’re building an email list and offering incentives to encourage people to sign up, intending to market to them down the line or even contact them again in any way, GDPR is almost certainly going to affect how you do this going forward.
GDPR states that consent can no longer be ‘implied’, it must be explicit. This is obtained from a clear, affirmative user action or:
“another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”
To help understand this idea better, let’s get visual. Here’s an example of a fairly typical opt-in form:
The user is encouraged to sign up to access the free download. So far, so simple, something for nothing, awesome!
Not so fast. There’s no such thing as a free lunch, right? We all know that by providing our details – our DATA – the implication is that the blogger or marketer now has permission to contact us again, even though we’ve not given clear, express permission for them to do so. This is an example of implied consent. This is now a big fat no-no under GDPR.
How about this one (spot the difference):
Less ambiguous? This seems pretty reasonable. You’re under no illusion that, by entering your details and hitting the button, you’re signing up for a newsletter and will be contacted again. On the face of it, this looks like a clear example of a GDPR-compliant opt-in form, doesn’t it?
WRONG!! There are a few things wrong with this latter form in the post-GDPR blogging world:
- The permission to join the mailing list is BUNDLED in with a requirement to provide personal data in order to access the free download. The user is not able to FREELY access the download without being forced to hand over data AND subsequently receive further email communications. This is called a ‘permission wall’ and is not GDPR compliant. Under GDPR the user must be able to access the download without being forced to receive further communications from you. More importantly they must ACTIVELY and separately provide their consent for you to contact them again via email.
If you don’t get their permission you can’t email or contact them again! Got that? Yes, really!
In a truly GDPR-friendly world, the form should probably look something like this:
There is no ambiguity here, no bundled permissions. The user has access to the free download but has to actively tick a separate check-box to indicate they are happy to receive further communication from you (note: never, ever pre-check boxes – this is a big no-no under GDPR). These separated permissions are referred to as getting ‘granular’ consent. Under GDPR, the more granular the better. If in any doubt, it probably needs a separate permission.
While this could be construed as ‘implied’ consent, there’s still much confusion surrounding the issue of whether to gain a separate, granular permission regarding your website privacy policies and T&Cs. When things become clearer, and a more universal protocol is adopted – I’ll amend my forms accordingly and will update this post.
I’ve seen some really bad advice doing the rounds recently, specifically from a well-known theme and plug-in developer (who I usually rate highly and admire). A recent blog post on how to make your email marketing GDPR compliant suggests it’s OK to re-word your opt-in forms to say something along the lines of “sign up for the newsletter and get instant access to the PDF”.
This is simply NOT correct. This is a bundled permission and is a big no-no under GDPR. The user must be able to access the download without signing up to a newsletter. Yes, it sucks, but that’s just the way it is. While it’s very tempting to want to re-interpret the law in our favour, please don’t listen to this advice!
What about forms that only invite users to do one thing – such as sign-up to a newsletter – do I still need a checkbox?
You won’t need a separate checkbox. Wording along the lines of ‘by hitting submit you agree to receive our newsletter’ should suffice. It’s a clear, affirmative action pertaining to a single, unambiguous permission.
However, it’s best practice, and in the spirit of GDPR, to be absolutely clear, right there on the form, if you intend to include promotional or marketing-related content as part of that newsletter (think affiliate links or promotional content alongside tips and news within the same newsletter).
I’ve spoken at length to the UK’s GDPR helpline and they’ve confirmed it’s not necessary to have separate permissions in these instances. You would likely need separate permissions, however, if you operate two distinct newsletters (one promotional and one strictly covering news).
I view this disclosure as a way to be upfront about what people will actually get from me. It also acts as a positive screening for anyone who isn’t likely to be engaged with my content.
Here’s the wording I currently use on forms to disclose what my newsletter content will contain:
Blogyoucademy will use the information you enter on this form to provide regular newsletter updates containing tips, news and occasional promotional content about relevant products and services which may be of benefit to your blogging journey.
Is Double Opt-in compulsory under GDPR?
No, the wording suggests double opt-in is not a compulsory requirement of GDPR but it’s probably best practice to use it. If you’re audited, it’s yet more clear and unambiguous proof your subscribers actively elected to receive your emails.
For tons more helpful information and tips on GDPR for small businesses and entrepreneurs check out UK lawyer Suzanne Dibble’s GDPR related blog posts. She also has a dedicated GDPR Facebook group.
Why your email service or third party providers matter to your GDPR compliance
Despite GDPR coming into effect back in 2016 (with a two year grace period to allow businesses to implement compliance), it appears even large companies and third party service providers (think plugins, software and app developers) have been caught off guard when it comes to GDPR compliance.
In particular, how existing products will be adapted for GDPR compliance so we as customers – as Data Controllers – can be confident of also being fully GDPR compliant.
I’ve contacted quite a few support teams over the course of the last few weeks requesting specifics. With approximately two weeks to go, answers are all too often still worryingly vague: “we plan to be fully GDPR compliant by the 25th” is a pretty standard and unhelpful response.
The checkbox is your friend!
This is problematic for us as bloggers and website owners as the last thing any of us need is a last-minute scramble to update or re-design opt-in forms or find potential replacements for non-compliant website plugins or software. Not to mention figuring out potential new workflows or automations based on the newly required permissions. If we don’t know how products will actually function, or if updates haven’t been forthcoming at this late stage, this is going to have a knock-on effect on our time and resources.
To give an example: as Data Controllers, we need absolute control over how consent is gained. Here, the checkbox is your friend, and it’s likely you’ll want full control over where these are placed on your opt-in forms, and how many, depending on granularity and the number of separate permissions required. Sadly, I’ve noticed even major blogger-focused ESPs are failing their customers in this respect, requiring them to fudge things with ‘workarounds’ or have them edit code. Not ideal given the length of time since GDPR was enacted.
Happily, ActiveCampaign gives you full control over your check boxes and forms, thanks to its easy ‘drag and drop’ form builder. You also have the ability to tag and segment subscribers along with double opt-in. No need to fiddle with code or hire a developer to create branded, GDPR-compliant forms!
Remember, any installed plugins or third party software storing and processing user data from your site need to be fully GDPR-compliant and, if not based in the EU (or if they use servers based outside of the EU), must be members of the Privacy Shield agreement.
If they can’t provide you with assurances or the tools or amendments necessary to help YOU become GDPR-compliant at this late stage, it’s perhaps time to push back harder, or reconsider other suppliers.
This is so unfair! I have a tiny EU readership!
It’s true not everyone is happy about GDPR. If you have a tiny EU user base it probably seems like a heck of a lot of extra work for seemingly little benefit. And the new rules governing opt-ins and freebies are likely going to send more than a few ripples through the blogging community. We’re going to have to work harder to win that tick on the check box.
The alternative? Well it’s possible to take the drastic measure of blocking European users, but this seems like a very bad idea when GDPR is really just the formalisation of a ‘best practices’ shift in online culture generally. The genie is out of the bottle and it’s best not to bury your head in the sand and pretend it isn’t happening.
I liken it to the U.S.-instigated changes to Affiliate Disclosures a few years back – many outside of the U.S. balked at these seemingly draconian requirements to disclose affiliate links up-front. But, gradually, it was seen as a good thing and was more formally adopted in other jurisdictions around the world.
Inevitably, you’re going to get a ton of ‘freeloaders’. I’ve already noticed a worrying number of sign-ups that grabbed my freebies but didn’t tick the checkbox. Ouch. So much so, that I’ve ditched my opt-in incentive altogether. In truth, GDPR doesn’t stop people from grabbing your freebies and immediately unsubscribing now anyway, but GDPR requirements are going to make it a whole lot easier for them to hit and run.
While I’m personally all about a clean newsletter list of engaged followers who actively want to hear from me, I can see how this is going to be a problem for email marketers and bloggers who rely on their lists to generate income.
If viewed through the lens of the benefits it will bring to us all as end users, however, GDPR is a slightly easier pill to swallow. Sure, it’s going to require some up-front work; opt-in forms will need to be tweaked and checkboxes added, privacy policies amended along with the tedious task of a Data audit. But the result will be a more transparent internet and a move away from spammy marketing practices where our Data is treated carelessly.
Wrapping it up
GDPR doesn’t have to be a big, scary deal. Don’t stress out if you’ve pushed it aside and are panicking about complying. I’m still working my way through my list of ‘To Dos’. If you haven’t crossed all the t’s and dotted the i’s, it’s highly unlikely anyone is going to come after you!
Check out my recent post ‘8 Tools To Help Bloggers Nail GDPR Compliance’
However, it makes sense to start the ball rolling sooner rather than later and implement the necessary changes. If you’re in any doubt, seek legal advice from a professional. In the meantime, follow these steps and you’ll be well on your way to compliance:
Hop over to Iubenda – it’s super easy to use and allows you to tailor your policy according to what plugins, third party services and affiliate programs you use to collect and process visitor data.