What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law designed to improve data protection and privacy for all individuals within the European Union. It also covers the transfer of personal data outside the EU. GDPR's main aim is to ensure individuals have more control over their personal data and to provide one set of clear guidelines for international organisations doing business with the EU. Even if you're based outside the EU, you still need to be familiar with GDPR and will most likely have to be GDPR compliant.
As regards Brexit, the UK will grandfather in these laws so they will still apply.
Summing up the legal bits
The section below gives you a bit of context and reference links for the legal explanations of GDPR. Don't worry about it if you don't quite get it yet; just move on to the next bit.
The main definitions and aspects that need to be on your radar are:
- What constitutes personal data (and sensitive personal data, which is treated a bit differently): we detail this in the paragraph below along with some handy links.
- The 8 Principles of Data Protection.
- The 6 Grounds of Processing Personal Data you can choose from as your reason for processing personal data (an example of processing data is sending a marketing email to someone).
- Data Controllers (a Data Controller determines the purposes and means of processing personal data, e.g. as a blogger, you could be considered a data controller).
- Data Processors (a Data Processor is responsible for processing personal data on behalf of a Data Controller, e.g. if you sent emails to your visitors via MailChimp, MailChimp would be a data processor).
- Data Processing Agreements (DPAs) (a written contract is needed whenever a Controller uses a Processor, setting out the nature and purpose of the processing that they are performing. For example, if you're a Mailchimp user you need to sign a contract with Mailchimp. If you're working with large companies, they will generally amend their terms to incorporate specific Processor terms as standard rather than you having to sign a contract, because having individual Processor agreements with millions of Controllers is impractical).
Note: If all that sounds like way too much to take in, especially the legal wording, don't worry - that's what the rest of this post is for! It's designed to be a series of practical actions rather than confusing legal jargon.
A key part of this regulation is understanding what constitutes personal data. "Personal data" constitutes anything that could realistically be used to identify a person, and includes exactly the things you'd expect, such as:
- A person's name
- A person's email address (even if it's their work email address: an address that identifies a named individual, such as firstname.lastname@example.org, is personal data, whereas a generic shared address that doesn't name anyone is not)
- A person's IP address
- A photo where a person is obviously recognizable (i.e. it's not a vague crowd shot or of the back of their head)
For a complete list and more details on what constitutes personal data, check out the ICO's explanation.
Beyond that there is a classification of "sensitive personal data" (also covered in the ICO link above), which includes things such as someone's religion, sexual preferences, DNA, fingerprints, and so on. It's unlikely you'll be dealing with much sensitive data as a blogger.
Can I still email people?!
Yes, you can email anyone you have a previous relationship with, or who would legitimately expect to receive an email from you with information they need: for example, an order confirmation email for a digital product you've sold to someone, a message to a PR you've worked with or communicated with before, or a notification to your subscribers who expect to hear about your latest blog posts. This kind of thing falls under "legitimate interests" (one of the grounds of lawful data processing mentioned above). "Legitimate interests" covers a wide range of things to avoid loopholes; for example, you can't stop someone chasing you about a debt by claiming under GDPR that you don't want to be contacted by them, because they have a legitimate basis to contact you.
If you are cold pitching a brand or PR, you can still do this under GDPR as long as you stick to the guidelines. More details can be found here.
What about fines?!
People are concerned about GDPR because there are huge fines involved. Please don't worry about fines; the important part is showing you have made reasonable efforts to comply. It is extremely unlikely, especially as a blogger, that someone is going to slap you with a huge fine. Show you've made the effort to comply and they will work with you to fix the things that aren't quite right. Even big companies with their own legal teams are struggling to interpret and implement everything, so don't worry. Use common sense, document the steps you've taken, check the news and review everything you do regularly, and you've done your best.
"This law is not about fines. It’s about putting the consumer and citizen first." - Elizabeth Denham, ICO Commissioner (source: GDPR: Sorting the facts from the fiction).
You could read about GDPR for weeks, so we don't go into everything here. Our advice is to read the rest of this post, take the relevant actions detailed below, take a deep breath, and don't worry. You don't need to read/watch/buy everything in the world related to GDPR, but we do recommend staying on top of the latest news (see the first two links in the "Further Reading" section at the bottom). Utilize GDPR Facebook groups only when you have a specific question to avoid overwhelm and a million different opinions. This law is still subject to changes and clarification, so you need to be fluid to go along with it. Don't overthink the small stuff, just comply as much as possible.
Do I have to be GDPR compliant?
Yes, if any of the following statements is true:
- You’re based in the EU or UK.
- You process and/or store personal data of EU citizens, even on behalf of someone else (e.g. you do virtual assistant work for a UK-based blogger).
- You’re offering goods or services to EU/UK citizens, even if payment isn’t required (this could be as simple as emailing them your new blog posts when they subscribe).
- You’re monitoring the behaviour of EU/UK citizens (e.g. through cookies, analytics tracking, remarketing or similar).
Non-EU citizens and GDPR compliancy
To clarify, if you’re based in the US or another non-EU country and you have no company presence in the EU, you have to be GDPR compliant if:
1. You’re offering goods or services to EU citizens, regardless of whether payment is required (e.g. this could be a free PDF or quiz, selling or offering free digital goods, providing value-based emails, and so on). Language and currency options can also be used as proof that you're offering services to people in the EU.
2. You’re monitoring the behaviour of EU citizens (e.g. through remarketing, cookies, analytics tracking or similar), including profiling a person’s behavior through their attitude, preferences, characteristics, etc. (e.g. behavioral advertising).
Even if you don’t have to be GDPR compliant, this is a good opportunity to learn about it and improve the privacy and security of your website and services while everyone is talking about it. It also means less work to do in the future if you expand on your services or other legislation comes into force, for example in the US.
If your blog has a global audience, it’s not just GDPR/EU citizens to consider. Canada and Australia have specific online privacy laws, as does California with CalOPPA (see the links in the Further Reading section below for more information). Their requirements are largely based around email, and also the right to not be tracked while visiting websites. If you’re interested in reading more, take a look at the ‘Further Reading’ section at the bottom of this post; don't worry, there's a lot less to do for compliancy!
GDPR (General Data Protection Regulation) is the European Union’s new privacy law that comes into effect on May 25, 2018. It doesn’t just apply to EU websites and organizations, so here’s an overview of what you need to know.
(If you’re interested in what we’re doing to comply (although it’s more involved than what you need to do as a blogger, so don’t worry!) check out our GDPR and CalOPPA Compliance page).
About this blog post
Disclaimer: The content of this blog post is informational. It does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.
This is a living blog post, which means we try to update it with any changes or additions as we come across them or as we become aware of new legislation amendments or clarification. However, please don’t rely on this blog post alone for news and information about GDPR. We’ve included links to relevant authorities along with a “Further Reading” section for further details.
This blog post looks at the following:
- What is GDPR? Do I need to be GDPR compliant?
- How do I become GDPR compliant?
- Further reading
Note: Within this post we make several references to the ICO (Information Commissioner’s Office), which is a UK organization responsible for issuing information about GDPR. Each EU member state has its own ICO equivalent, which we recommend you refer to if you’re based in another EU country. For the purposes of this post we’ve used the ICO as our main referral and source of information because it is provided in English and a significant proportion of our customers are based in the UK. If you’re based outside the EU/UK, we’d suggest referring to the ICO if your own country isn’t providing official government-led information on GDPR compliance.
What is GDPR, and do I need to comply?
If you’re not sure what GDPR is or if you need to comply (hint: you most likely do!), take a look at these three accordions before moving on to the rest of the post:
How do I become GDPR compliant?
If you’re in the UK, in addition to complying with GDPR you may also need to register with the ICO (although it’s unlikely if you just have a standard blog). It’s a yearly cost of £35, and you can take this quiz to find out if you need to register. If you’re based in another EU member state, check with your ICO equivalent to see if there’s a similar register you need to sign up to.
Note: There are a ton of aspects to GDPR compliancy, so we’re only covering the ones that we think are most relevant to bloggers. If you have employees, keep paper records, process or store sensitive data, need to appoint a Data Protection Officer, or otherwise have a ‘bigger’ business, you’ll want to investigate further to see what else you need to do. If you use freelancers or virtual assistants, they will also need to be GDPR compliant to work with you.
Note: You can’t avoid GDPR requirements by blocking all EU IP addresses or serving them a different version of your website, because this doesn’t account for people using proxy IPs and so on.
We suggest starting by downloading the 12 step ICO checklist. This gives a good basic overview of what to consider without being overwhelming.
There’s a common misconception that you can just install a plugin for WordPress and you’ll be compliant. Unfortunately there’s a lot more to it than that, but there are some free GDPR plugins in the WordPress Plugin Directory that are worth browsing. They may be able to help you with some of the points listed below, but there are no guarantees that third party plugins meet GDPR compliancy requirements, so always exercise caution, and research further where possible. Please read the below before installing any plugins, so you know what you need.
After you’ve checked if you need to register and downloaded the checklist, you’ll need to review and action the following points in the accordions below (depending on how many are relevant to your blog). Please read all the information below before starting work on GDPR compliancy to avoid unnecessary work and stress!
Help! I feel overwhelmed!
Don’t panic, or overthink it! Just break it down one step at a time.
List 1: What you need to do for GDPR (use the “How do I become GDPR compliant?” accordions above to get started, removing any parts that aren’t relevant to your blog).
List 2: A list of all third party services (including plugins) you use that collect personal data. Then go through and Google/contact them all to see if they are GDPR compliant.
List 3: Create a document with the research you’ve done and steps you’ve taken to comply. This will help you identify any holes, and also show proof of the effort you’ve made to co-operate if needed.
List 4: Any questions you have, any companies you’re unsure of, and any grey areas you need to research further.
Do the best you can, and don’t worry – you’ve got this!
- Information Commissioner’s Office
- ICO News Blog
- GDPR: Sorting the fact from the fiction
- Approved third countries for data transfers
- Mailchimp’s take on the GDPR
- An overview of the Privacy Shield
- GDPR vs Australian Data Privacy Regulations: 5 Key Differences
- Email Opt-in laws for Canada, European Union countries, and Australia
- All about cookies
- What is a data controller? What is a data processor?
It’s so hard to understand!!
I don’t have a clue.
Drop us a ticket any time Em, and we’ll do our best to help you 🙂
do you offer services to have it all implemented??
I am trying to do the update for Google Analytics but I am not too sure where to put the extra code and when I click on the plugin itself it takes me to the Pro Upgrade first and I wonder – do I need to pay for it to be compliant??
Hey Annika! Replied to you via FB 🙂