GDPR (General Data Protection Regulation) is the European Union’s new privacy law that comes into effect on May 25, 2018. It doesn’t just apply to EU websites and organizations, so here’s an overview of what you need to know.
(If you’re interested in what we’re doing to comply, check out our GDPR and CalOPPA Compliance page, although what we have to do is more involved than what you need to do as a blogger, so don’t worry!)
About this blog post
Disclaimer: The content of this blog post is informational. It does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.
This is a living blog post, which means we try to update it with any changes or additions as we come across them or as we become aware of new legislation amendments or clarification. However, please don’t rely on this blog post alone for news and information about GDPR. We’ve included links to relevant authorities along with a “Further Reading” section for further details.
This blog post looks at the following:
- What is GDPR? Do I need to be GDPR compliant?
- How do I become GDPR compliant?
- Further reading
Note: Within this post we make several references to the ICO (Information Commissioner’s Office), which is a UK organization responsible for issuing information about GDPR. Each EU member state has its own ICO equivalent, which we recommend you refer to if you’re based in another EU country. For the purposes of this post we’ve used the ICO as our main reference and source of information because its guidance is provided in English and a significant proportion of our customers are based in the UK. If you’re based outside the EU/UK, we’d suggest referring to the ICO if your own country isn’t providing official government-led information on GDPR compliance.
What is GDPR, and do I need to comply?
If you’re not sure what GDPR is or if you need to comply (hint: you most likely do!), take a look at these three accordions before moving on to the rest of the post:
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law designed to improve data protection and privacy for all individuals within the European Union. It also covers the transfer of personal data outside the EU. GDPR's main aim is to ensure individuals have more control over their personal data and to provide one set of clear guidelines for international organisations doing business with the EU. Even if you're based outside the EU, you still need to be familiar with GDPR and will most likely have to be GDPR compliant.
As regards Brexit, the UK will grandfather in these laws so they will still apply.
Summing up the legal bits
The below gives you a bit of context and reference links for the legal explanations of GDPR. Don't worry if you don't quite get it yet; just move on to the next bit.
The main definitions and aspects that need to be on your radar are:
- What constitutes personal data (and sensitive personal data, which is treated a bit differently): we detail this in the paragraph below along with some handy links.
- The 8 Principles of Data Protection.
- The 6 Grounds of Processing Personal Data you can choose from as your reason for processing personal data (an example of processing data is sending a marketing email to someone).
- Data Controllers (a Data Controller determines the purposes and means of processing personal data, e.g. as a blogger, you could be considered a data controller).
- Data Processors (a Data Processor is responsible for processing personal data on behalf of a Data Controller, e.g. if you sent emails to your visitors via MailChimp, MailChimp would be a data processor).
- Data Processing Agreements (DPAs) (a written contract is needed whenever a Controller uses a Processor, setting out the nature and purpose of the processing that they are performing. For example, if you're a Mailchimp user you need to sign a contract with Mailchimp. If you're working with large companies, they will generally amend their terms to incorporate specific Processor terms as standard rather than you having to sign a contract, because having individual Processor agreements with millions of Controllers is impractical).
Note: If all that sounds like way too much to take in, especially the legal wording, don't worry - that's what the rest of this post is for! It's designed to be a series of practical actions rather than confusing legal jargon.
A key part of this regulation is understanding what constitutes personal data. "Personal data" constitutes anything that could realistically be used to identify a person, and includes exactly the things you'd expect, such as:
- A person's name
- A person's email address (even if it's their work email address. firstname.lastname@example.org is personal data, but email@example.com is not)
- A person's IP address
- A photo where a person is obviously recognizable (i.e. it's not a vague crowd shot or of the back of their head)
For a complete list and more details on what constitutes personal data, check out the ICO's explanation.
Beyond that there is a classification of "sensitive personal data" (also covered in the link above, with a full list), which constitutes things such as someone's religion, sexual preferences, DNA, fingerprints, and so on. It's unlikely you'll be dealing with much sensitive data as a blogger.
Can I still email people?!
Yes, you can email anyone you have a previous relationship with or who would legitimately expect to receive an email from you with information they need. Examples include an order confirmation email for a digital product you've sold to someone, reaching out to a PR you've worked or communicated with before, and your subscribers who expect to be notified of your latest blog posts. This kind of thing falls under "legitimate interests" (one of the grounds of lawful data processing mentioned above). "Legitimate interests" covers a wide range of things to avoid loopholes; for example, you can't stop someone chasing you about a debt by claiming under GDPR that you don't want to be contacted by them, because they have a legitimate basis to contact you.
If you are cold pitching a brand or PR, you can still do this under GDPR as long as you stick to the guidelines. More details can be found here.
What about fines?!
People are concerned about GDPR because there are huge fines involved. Please don't worry about fines; the important part is showing you have made reasonable efforts to comply. It is extremely unlikely, especially as a blogger, that someone is going to slap you with a huge fine. Show you've made the effort to comply and they will work with you to fix the things that aren't quite right. Even big companies with their own legal teams are struggling to interpret and implement everything, so don't worry. Use common sense, document the steps you've taken, check the news and review everything you do regularly, and you've done your best.
"This law is not about fines. It’s about putting the consumer and citizen first." - Elizabeth Denham, ICO Commissioner (source: GDPR: Sorting the facts from the fiction).
You could read about GDPR for weeks, so we don't go into everything here. Our advice is to read the rest of this post, take the relevant actions detailed below, take a deep breath, and don't worry. You don't need to read/watch/buy everything in the world related to GDPR, but we do recommend staying on top of the latest news (see the first two links in the "Further Reading" section at the bottom). Utilize GDPR Facebook groups only when you have a specific question to avoid overwhelm and a million different opinions. This law is still subject to changes and clarification, so you need to be fluid to go along with it. Don't overthink the small stuff, just comply as much as possible.
Do I have to be GDPR compliant?
Yes, if any of the following statements is true:
- You’re based in the EU or UK.
- You process and/or store personal data of EU citizens, even on behalf of someone else (e.g. you do virtual assistant work for a UK-based blogger).
- You’re offering goods or services to EU/UK citizens, even if payment isn’t required (this could be as simple as emailing them your new blog posts when they subscribe).
- You’re monitoring the behaviour of EU/UK citizens (e.g. through cookies, analytics tracking, remarketing or similar).
Non-EU citizens and GDPR compliancy
To clarify, if you’re based in the US or another non-EU country and you have no company presence in the EU, you have to be GDPR compliant if:
1. You’re offering goods or services to EU citizens regardless of if payment is required (e.g. this could be a free PDF or quiz, selling or offering free digital goods, providing value-based emails, and so on). Languages and currency options can also be used as proof to demonstrate that you're offering services to people in the EU.
2. You’re monitoring the behaviour of EU citizens (e.g. through remarketing, cookies, analytics tracking or similar), including profiling a person’s behavior through their attitude, preferences, characteristics, etc. (e.g. behavioral advertising).
Even if you don’t have to be GDPR compliant, this is a good opportunity to learn about it and improve the privacy and security of your website and services while everyone is talking about it. It also means less work to do in the future if you expand on your services or other legislation comes into force, for example in the US.
If your blog has a global audience, it’s not just GDPR/EU citizens to consider. Canada and Australia have specific online privacy laws, as does California with CalOPPA (see the links in the Further Reading section below for more information). Their requirements are largely based around email, and also the right to not be tracked while visiting websites. If you’re interested in reading more, take a look at the ‘Further Reading’ section at the bottom of this post; don't worry, there's a lot less to do for compliancy!
How do I become GDPR compliant?
If you’re in the UK, in addition to complying with GDPR you may also need to register with the ICO (although it’s unlikely if you just have a standard blog). It’s a yearly cost of £35, and you can take this quiz to find out if you need to register. If you’re based in another EU member state, check with your ICO equivalent to see if there’s a similar equivalent you need to register for.
Note: There are a ton of aspects to GDPR compliancy, so we’re only covering the ones that we think are most relevant to bloggers. If you have employees, keep paper records, process or store sensitive data, need to appoint a Data Protection Officer, or otherwise have a ‘bigger’ business, you’ll want to investigate further to see what else you need to do. If you use freelancers or virtual assistants, they will also need to be GDPR compliant to work with you.
Note: You can’t avoid GDPR requirements by blocking all EU IP addresses or serving them a different version of your website, because this doesn’t account for people using proxy IPs and so on.
We suggest starting by downloading the 12 step ICO checklist. This gives a good basic overview of what to consider without being overwhelming.
There’s a common misconception that you can just install a plugin for WordPress and you’ll be compliant. Unfortunately there’s a lot more to it than that, but there are some free GDPR plugins in the WordPress Plugin Directory that are worth browsing. They may be able to help you with some of the points listed below, but there are no guarantees that third party plugins meet GDPR compliancy requirements, so always exercise caution, and research further where possible. Please read the below before installing any plugins, so you know what you need.
After you’ve checked if you need to register and downloaded the checklist, you’ll need to review and action the following points in the accordions below (depending on how many are relevant to your blog). Please read all the information below before starting work on GDPR compliancy to avoid unnecessary work and stress!
1. Make a list of all the third parties you use
You can only be GDPR compliant if the companies and services you use for storing, processing, or subprocessing personal data for your website and email (and any other aspects of your blog) are also GDPR compliant. Only servers based in the EU, approved third countries, and under the EU-US Privacy Shield can be GDPR compliant. The good news is that all our servers are, so by default you have that part of your website (and webmail) covered.
We recommend making a list of all the other companies and services you use, for example Google Analytics, Mailchimp, Mediavine, Facebook advertising, payment gateways, and so on. Go through them one by one and research whether they will be GDPR compliant and if there’s anything you need to do.
You will need to have Data Processing Agreements (DPA) with all the data processors in your list (e.g. Mailchimp, Google, etc.). If you're working with large companies they will generally amend their terms to incorporate specific Processor terms as standard rather than entering into individual data processing agreements with each of their millions of users. You should confirm with each company whether that is the case or whether they will need a specific DPA with you.
You don't need a Data Processing Agreement with your hosting company.
Note: Many companies and services are releasing fresh updates for GDPR compliance, for example WordPress, so it's even more important to keep on top of updates for any self-hosted software you use. If you use WordPress, there's a list of their GDPR updates here.
Some companies have already stated they will not be GDPR compliant, for example Unroll.me, in which case you have no choice but to stop using them and find an alternative if needed.
Note: If the company or service does not process or store the personal data of EU citizens, you can continue to use that service even if they aren't GDPR compliant for as long as they don't process or store personal data. For example, a lot of WordPress plugin developers don't store or process personal data themselves; this is all done within the plugin on your own website, so it's only your website that needs to be compliant.
2. Data Storage & General Data Security
Make a list of all the areas you store personal data, for example:
- In emails (both automatic notification-based and from EU citizens)
- On your website (in the form of comments and other visitor/customer information in your database)
- Cloud storage providers such as Dropbox, Google Drive, Mailchimp or OneDrive
Work through them and check if the providers are GDPR compliant, if you need Data Processing Agreements with them (as detailed in point 1 above).
Make sure you review and remove any unnecessary personal data you have on your website, and get consent where you use personal data. For example, if you have photos on your blog where other people (EU citizens) are clearly identifiable, you want to get written permission from them that they agree to you using the photo of them and they are clear that they can withdraw consent at any time. For children under 16 you will need their parents' permission, and then when they reach 16 you will need to get reconsent from the child (yes, that includes your own!). For stock photos of people, we recommend either using non-EU citizen sources or seeking written permission from the website/photographer.
Under GDPR you have more of a conscious responsibility for keeping data secure, so now's the time to review everything. This could involve using a compliant password manager, two factor authentication, a safe for physical copies, etc. This part is up to you, but it's always a good thing to secure data as much as possible, especially as you need to report any data breaches (in the UK, they must be reported to the ICO within 72 hours).
If you don't already have an SSL certificate installed for your website, now there's even more of a reason to install one. We offer them free to all Lyrical Host customers who have a hosting plan with us, and full instructions are provided here (or contact our support team if you need help).
Remember, if you aren't storing people's personal data there (e.g. you use Dropbox but only for storing flatlay photos), you don't have to worry if the provider in question is GDPR compliant.
You are responsible for ensuring data you store and process is kept up to date. Where necessary, check in every so often with the people whose data you hold to make sure it is still up to date.
3. Cookies
There are many options out there for declaring cookie use on your website and allowing people to manage cookies, opt-out, and consent. Currently the ICO themselves use one called Cookie Control, which you can download for free at https://www.civicuk.com/cookie-control. If you need help installing/configuring it on your website, we're currently offering this as a very affordable service for both Lyrical Host customers and non-customers. Book it in here; if your website is relatively simple and it takes us less than half an hour, we'll do it free (subject to availability); otherwise we estimate it will cost approximately £30/$40 USD. There are also plenty of simpler WordPress plugins available, but we recommend doing the research first to make sure they’re properly GDPR compliant (we can also install your choice of plugin via the booking link above if you prefer).
Note: The EU cookie law is due to be overhauled in 2019 under PECR, so we suggest not making a permanent decision on what to use until that happens and we know what, if any, changes to cookie requirements will be made. In the meantime a GDPR compliant cookie tool is fine!
4. Submission Forms & Fields
It's likely you have various submission forms on your blog, including a contact form and a box for people to subscribe to your emails or grab a freebie. Under GDPR, you need to be very specific about what subscribers can expect from submitting their personal data to you, how their data will be used, and how they can unsubscribe (if they are subscribing to something). So for example, you couldn't say "Subscribe to my blog posts" and then send people who subscribed your latest affiliate offers as well as your blog posts.
You also need to provide unsubscribe functionality that makes it just as easy to unsubscribe as it was to subscribe. For example, you couldn't let someone subscribe from your website but then require them to send you mail to unsubscribe.
GDPR also prioritizes "granularity of consent", which basically means you need to break down your intentions and the user's options into an appropriate number of different form checkboxes that aren't mandatory. For example, instead of having a blog subscribe box which says something like, "By subscribing to my blog you agree to receiving newsletters and special offers from me", you need to break it down into two checkboxes: "Tick to receive my newsletter" and "Tick to receive special offers from me". A user could leave both boxes unchecked and still subscribe to your blog.
No consent boxes should ever be pre-checked; the user needs to perform the check action themselves of their own free will.
You don’t need a tick box for a contact form unless you’re going to send the submitter marketing emails, or any other emails they wouldn't naturally expect to receive based on how you've described your form. If you use an off-site cloud service to store form submission data as well as sending it to your email address, you need to make sure the data is stored on EEA servers (servers in the European Economic Area), in approved third countries, or by EU-US Privacy Shield compliant companies (see the "Further Reading" section below for more information).
Your email provider (e.g. us, Gmail) also needs to be GDPR compliant.
If you use plugins or third parties like Mailchimp to provide this functionality, it's likely they will have options available for checkboxes and compliancy, so check with them.
Note: As stated elsewhere in this post, WordPress is introducing GDPR-compliant commenting functionality in version 4.9.6.
5. Your Mailing List
"Do I need to ask my existing subscribers to resubscribe to my mailing list?" has been one of the most hotly debated questions of GDPR. The latest consensus is that if you're confident the subscribers on your list opted in in a GDPR compliant way (they knew what they were signing up to, you've always provided an unsubscribe link and so on), you don't need to ask them for reconsent. See the Raising the Bar blog post for more information.
If you think maybe parts of your list are fine but others are a bit of a grey area (e.g. you have one opt-in on your site that isn't GDPR compliant), your email service provider (for example Mailchimp) should be able to list where your subscribers originally came from so you can email the relevant part of your list asking for reconsent.
Note: If you don't need to send reconsent emails, we strongly recommend not sending them. People are inundated with them and will most likely just ignore them. If you ask them for reconsent and they ignore your email, you have to delete them from your list; you can't use it as a "just in case" situation because your fresh consent request overrides any previous consent acceptance.
If you do have to send reconsent emails, we recommend sending several, using very catchy subject lines (based on your previous most popular ones), and being clear on what they are subscribing to and providing adequate options to opt in/out.
If you don't already use double opt-in for your list, we strongly recommend it so you have a record of express consent that the people in question definitely signed up for your mailing list. Express consent for email communication is also a requirement of Australian and Canadian laws, as well as CAN-SPAM, so double opt-in can cover you in multiple jurisdictions.
6. Review Your Plugins
If you use WordPress or another CMS, make a list of all the plugins on your site.
Then check off any that don’t store personal data or process personal data off of your website, e.g. Yoast SEO – those are all fine.
Next, check the other plugins you use that do process and/or store personal data off of your website, e.g. Akismet will be using EU servers to comply with GDPR according to this thread. If you're unsure, check with the plugin developer. If a plugin states it will be compliant but isn't yet, make a note to check it later. If a plugin is not GDPR compliant and does process and/or store personal data off of your website, you'll need to find a replacement. Remember, IP addresses are considered personal data.
7. Analytics and tracking
If you use Google Analytics, you'll need to anonymize IP addresses in order to comply with GDPR. If you use any other analytics tracking, including JetPack/WordPress, please check with them to see if there's anything you need to do.
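As an added example (not code from the original post or from Google), here is the anonymization setting as it is called from a page's tracking snippet, guarded so the file also runs where no tracker is loaded, together with a helper that applies the same truncation to addresses in logs you keep yourself. The truncation rule (IPv4: last octet zeroed; IPv6: last 80 bits zeroed) is Google's documented behaviour for this setting; the sample log lines are constructed, and `GA-PLACEHOLDER` stands in for your own tracking ID.

```javascript
// Added example, not from the original post. Part 1 is the Google Analytics
// setting the post refers to; part 2 applies the same truncation to your
// own logs so they hold less identifying data. Sample data is constructed.

// Part 1: tell the tracker to anonymize before the hit is stored.
function enableAnalyticsIpAnonymization(trackingId = "GA-PLACEHOLDER") {
  if (typeof gtag === "function") {        // gtag.js snippet
    gtag("config", trackingId, { anonymize_ip: true });
    return "gtag.js";
  }
  if (typeof ga === "function") {          // older analytics.js snippet
    ga("set", "anonymizeIp", true);
    return "analytics.js";
  }
  return null;                             // no tracker present (e.g. in tests)
}

// Part 2: expand an IPv6 address (with optional "::") into eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) throw new Error("invalid IPv6 address");
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error("invalid IPv6 address");
  }
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error("invalid IPv6 address");
    return parseInt(g, 16);
  });
}

// Truncate an address so it no longer points at a single host.
function anonymizeIp(ip) {
  const addr = String(ip).trim();
  if (addr.includes(":")) {
    const groups = expandIPv6(addr);
    // keep the first 48 bits (three groups), zero the remaining 80
    return groups.slice(0, 3).map((g) => g.toString(16)).join(":") + "::";
  }
  const parts = addr.split(".");
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error("invalid IPv4 address");
  parts[3] = "0";
  return parts.join(".");
}

// Constructed sample of web-server log lines, in common log format.
const SAMPLE_LOG = [
  '203.0.113.77 - - [25/May/2018:10:00:00 +0000] "GET /blog/ HTTP/1.1" 200 5120',
  '2001:db8:abcd:1234:5678:9abc:def0:1 - - [25/May/2018:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 2048',
];

// Rewrite the client address field of each line before the log is retained.
function anonymizeLogLines(lines) {
  return lines.map((line) => {
    const [ip, ...rest] = line.split(" ");
    return [anonymizeIp(ip), ...rest].join(" ");
  });
}
```

Truncating at ingestion, rather than on a schedule, means the full address is never written to disk in the first place, which keeps the retention and access questions in point 8 simpler.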
If you use remarketing or advertising on your website, for example through Google, Facebook, Mediavine or another advertising network, those companies are responsible for processing personal data in a compliant way, and should form part of your list to investigate for GDPR compliancy as per point 1 of this accordion.
Remember that social media sharing tools, automatic logins, and plugins also need to be checked.
8. Right to Access, Retaining, & Deleting Data
Under GDPR you need to:
- Provide people with a copy of all the personal data you hold about them on their request.
- Not store data any longer than you reasonably need to.
- Delete any personal data you hold about someone on their request, other than the minimum you need to hold in order to remember to forget them (!!), e.g. their name and email address. This is officially known as the "right to be forgotten".
When you're working with company-based email addresses, it is still considered personal data if it identifies a person. For example, if you have emails from John Smith at XYZ PR, you hold personal data in the form of his name, John Smith, and his email address, firstname.lastname@example.org, as a bare minimum.
Actions people have chosen to do, e.g. email you or leave a comment, are fine – just make sure it's clear to them what you're planning to do with their details before they submit, and be proactive about securing and storing the data as detailed above.
Have a strategy in place for how you'd provide someone's personal data to them if they asked (this must be done within 30 days for standard requests), or how you'd delete their personal data and provide proof of that if asked. Again, if you're a WordPress user, there are plugins available plus future updates to WordPress that cover this.
Delete data when it's no longer needed; it's up to you to decide a reasonable timeframe, but two years of non-use is a good rule of thumb. If a law requires you to hold data for a certain amount of time, e.g. financial records have to be stored for 7 years in the UK, that overrides GDPR.
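The three obligations in this point (hand over a copy on request, delete on request while keeping the minimum needed to remember the deletion, and purge data that is no longer needed unless a law says to keep it) can be written down as a small register. The following is an added example, not code from the original post or from WordPress: the store, its method names and the sample people are all our own, and a real site would back this with its database rather than an in-memory map.

```javascript
// Added example, not from the original post: an in-memory register of the
// personal data a blog might hold, with the three obligations as methods.
// Names are hypothetical; sample records are constructed.
const RETENTION_DAYS = 730; // the post's "two years of non-use" rule of thumb

class PersonalDataStore {
  constructor() {
    this.people = new Map();     // email -> everything held about that person
    this.suppressed = new Map(); // email -> the minimum kept to "remember to forget"
  }

  // Add or update what is held. A suppressed (erased) address is refused
  // unless the person has actively signed up again, so an old export or
  // import cannot quietly resurrect them.
  record(email, fields, lastActivity, { reconsented = false } = {}) {
    const key = String(email).trim().toLowerCase();
    if (this.suppressed.has(key)) {
      if (!reconsented) return false;
      this.suppressed.delete(key);
    }
    const existing = this.people.get(key) || {};
    this.people.set(key, { ...existing, ...fields, email: key, lastActivity });
    return true;
  }

  // Right of access: a copy of everything held, as a plain object to hand over.
  exportFor(email) {
    const p = this.people.get(String(email).trim().toLowerCase());
    return p ? JSON.parse(JSON.stringify(p)) : null;
  }

  // Right to be forgotten: delete the record, keep name + email + date as proof.
  erase(email, now = new Date()) {
    const key = String(email).trim().toLowerCase();
    const p = this.people.get(key);
    if (!p) return false;
    this.people.delete(key);
    this.suppressed.set(key, { name: p.name || null, email: key, erasedAt: now.toISOString() });
    return true;
  }

  // The proof you can show if asked how and when someone was deleted.
  erasureReceipt(email) {
    return this.suppressed.get(String(email).trim().toLowerCase()) || null;
  }

  isSuppressed(email) {
    return this.suppressed.has(String(email).trim().toLowerCase());
  }

  // Retention: drop anyone idle for longer than RETENTION_DAYS, except records
  // a law requires you to keep (e.g. financial records) until a given date.
  purgeStale(now = new Date()) {
    const purged = [];
    for (const [key, p] of this.people) {
      if (p.legalHoldUntil && Date.parse(p.legalHoldUntil) > now.getTime()) continue;
      const idleDays = (now.getTime() - Date.parse(p.lastActivity)) / 86400000;
      if (idleDays > RETENTION_DAYS) {
        this.people.delete(key);
        purged.push(key);
      }
    }
    return purged;
  }
}
```

Running `purgeStale` on a schedule is what turns the "reasonable timeframe" into something you can point to; the `legalHoldUntil` field is where the seven-year financial-records rule mentioned above would be recorded.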
9. Privacy Notice
This is one of the most important aspects of being GDPR compliant, and it's also one of the biggest tasks, which is why we've left it to the end.
- Build Your Own GDPR Privacy Notice (Word Doc template - very intentional).
Help! I feel overwhelmed!
Don’t panic, or overthink it! Just break it down one step at a time.
List 1: What you need to do for GDPR (use the “How do I become GDPR compliant?” accordions above to get started, removing any parts that aren’t relevant to your blog).
List 2: A list of all third party services (including plugins) you use that collect personal data. Then go through and Google/contact them all to see if they are GDPR compliant.
List 3: Create a document with the research you’ve done and steps you’ve taken to comply. This will help you identify any holes, and also show proof of the effort you’ve made to co-operate if needed.
List 4: Any questions you have, any companies you’re unsure of, and any grey areas you need to research further.
Do the best you can, and don’t worry – you’ve got this!
Further Reading
- Information Commissioner’s Office
- ICO News Blog
- GDPR: Sorting the fact from the fiction
- Approved third countries for data transfers
- Mailchimp’s take on the GDPR
- An overview of the Privacy Shield
- GDPR vs Australian Data Privacy Regulations: 5 Key Differences
- Email Opt-in laws for Canada, European Union countries, and Australia
- All about cookies
- What is a data controller? What is a data processor?