1. Make a list of all the third parties you use
You can only be GDPR compliant if the companies and services you use for storing, processing, or subprocessing personal data for your website and email (and any other aspects of your blog) are also GDPR compliant. Only servers based in the EU, approved third countries, and under the EU-US Privacy Shield can be GDPR compliant. The good news is that all our servers are, so by default you have that part of your website (and webmail) covered.
We recommend making a list of all the other companies and services you use, for example Google Analytics, Mailchimp, Mediavine, Facebook advertising, payment gateways, and so on. Go through them one by one and research whether they will be GDPR compliant and if there’s anything you need to do.
You will need to have Data Processing Agreements (DPA) with all the data processors in your list (e.g. Mailchimp, Google, etc.). If you're working with large companies they will generally amend their terms to incorporate specific Processor terms as standard rather than entering into individual data processing agreements with each of their millions of users. You should confirm with each company whether that is the case or whether they will need a specific DPA with you.
You don't need a Data Processing Agreement with your hosting company.
Note: Many companies and services are releasing fresh updates for GDPR compliance, for example WordPress, so it's even more important to keep on top of updates for any self-hosted software you use. If you use WordPress, there's a list of their GDPR updates here.
Non-compliant companies
Some companies have already stated they will not be GDPR compliant, for example Unroll.me, in which case you have no choice but to stop using them and find an alternative if needed.
Note: If the company or service does not process or store the personal data of EU citizens, you can continue to use that service even if they aren't GDPR compliant for as long as they don't process or store personal data. For example, a lot of WordPress plugin developers don't store or process personal data themselves; this is all done within the plugin on your own website, so it's only your website that needs to be compliant.
2. Data Storage & General Data Security
Make a list of all the areas you store personal data, for example:
- In emails (both automatic notification-based and from EU citizens)
- On your website (in the form of comments and other visitor/customer information in your database)
- Cloud storage providers such as Dropbox, Google Drive, Mailchimp or OneDrive
Work through them and check if the providers are GDPR compliant, if you need Data Processing Agreements with them (as detailed in point 1 above).
Make sure you review and remove any unnecessary personal data you have on your website, and get consent where you use personal data. For example, if you have photos on your blog where other people (EU citizens) are clearly identifiable, you want to get written permission from them that they agree to you using the photo of them and they are clear that they can withdraw consent at any time. For children under 16 you will need their parents' permission, and then when they reach 16 you will need to get reconsent from the child (yes, that includes your own!). For stock photos of people, we recommend either using non-EU citizen sources or seeking written permission from the website/photographer.
Under GDPR you have more of a conscious responsibility for keeping data secure, so now's the time to review everything. This could involve using a compliant password manager, two-factor authentication, a safe for physical copies, etc. This part is up to you, but it's always a good thing to secure data as much as possible, especially as you need to report any data breaches (in the UK, they must be reported to the ICO within 72 hours).
If you don't already have an SSL certificate installed for your website, now there's even more of a reason to install one. We offer them free to all Lyrical Host customers who have a hosting plan with us, and full instructions are provided here (or contact our support team if you need help).
Remember, if you aren't storing people's personal data there (e.g. you use Dropbox but only for storing flatlay photos), you don't have to worry if the provider in question is GDPR compliant.
You are responsible for ensuring data you store and process is kept up to date. Where necessary, check in every so often with the people whose data you hold to make sure it is still up to date.
3. Cookies
There are many options out there for declaring cookie use on your website and allowing people to manage cookies, opt-out, and consent.
You also need a cookie policy on your website detailing the cookies that you use. Here are some guidelines on how to see what cookies your website uses. You can also download a free cookie policy sample template.
Note: The EU cookie law is due to be overhauled in 2019 under PECR, so we suggest not making a permanent decision on what to use until that happens and we know what, if any, changes to cookie requirements will be made. In the meantime a GDPR compliant cookie tool is fine!
Note: If your blog is bilingual, trilingual, etc., you need to provide your cookies controls and Cookie Policy in all the languages you utilize.
4. Submission Forms & Fields
It's likely you have various submission forms on your blog, including a contact form and a box for people to subscribe to your emails or grab a freebie. Under GDPR, you need to be very specific about what subscribers can expect from submitting their personal data to you, how their data will be used, and how they can unsubscribe (if they are subscribing to something). So for example, you couldn't say "Subscribe to my blog posts" and then send people who subscribed your latest affiliate offers as well as your blog posts.
You also need to provide unsubscribe functionality that makes it just as easy to unsubscribe as it was to subscribe. For example, you couldn't let someone subscribe from your website but then require them to send you mail to unsubscribe.
GDPR also prioritizes "granularity of consent", which basically means you need to break down your intentions and the user's options into an appropriate number of different form checkboxes that aren't mandatory. For example, instead of having a blog subscribe box which says something like, "By subscribing to my blog you agree to receiving newsletters and special offers from me", you need to break it down into two checkboxes: "Tick to receive my newsletter" and "Tick to receive special offers from me". A user could leave both boxes unchecked and still subscribe to your blog.
No consent boxes should ever be pre-checked; the user needs to perform the check action themselves of their own free will.
You don’t need a tick box for a contact form unless you’re going to send the submitter marketing emails, or any other emails they wouldn't naturally expect to receive based on how you've described your form. If you use an off-site cloud service to store form submission data as well as sending it to your email address, you need to make sure the data is stored on EEA servers (servers in the European Economic Area), in approved third countries, or by EU-US Privacy Shield compliant companies (see the "Further Reading" section below for more information).
Your email provider (e.g. us, Gmail) also needs to be GDPR compliant.
If you use plugins or third parties like Mailchimp to provide this functionality, it's likely they will have options available for checkboxes and compliancy, so check with them.
Note: As stated elsewhere in this post, WordPress is introducing GDPR-compliant commenting functionality in version 4.9.6.
"Do I need to ask my existing subscribers to resubscribe to my mailing list?" has been one of the most hotly debated questions of GDPR. The latest consensus is that if you're confident the subscribers on your list opted in in a GDPR compliant way (they knew what they were signing up to, you've always provided an unsubscribe link and so on), you don't need to ask them for reconsent. See the Raising the Bar blog post for more information.
If you think maybe parts of your list are fine but others are a bit of a grey area (e.g. you have one opt-in on your site that isn't GDPR compliant), your email service provider (for example Mailchimp) should be able to list where your subscribers originally came from so you can email the relevant part of your list asking for reconsent.
Note: If you don't need to send reconsent emails, we strongly recommend not sending them. People are inundated with them and will most likely just ignore them. If you ask them for reconsent and they ignore your email, you have to delete them from your list; you can't use it as a "just in case" situation, because your fresh consent request overrides any previous consent acceptance.
If you do have to send reconsent emails, we recommend sending several, using very catchy subject lines (based on your previous most popular ones), and being clear on what they are subscribing to and providing adequate options to opt in/out.
If you don't already use double opt-ins for your list, we strongly recommend it so you have a record of express consent that the people in question definitely signed up for your mailing list. Express consent for email communication is also a requirement of Australian and Canadian laws, as well as CAN-SPAM, so double opt-in can cover you in multiple jurisdictions.
6. Review Your Plugins
If you use WordPress or another CMS, make a list of all the plugins on your site.
Then check off any that don’t store personal data or process personal data off of your website, e.g. Yoast SEO – those are all fine.
Next, check the other plugins you use that do process and/or store personal data off of your website, e.g. Akismet will be using EU servers to comply with GDPR according to this thread. If you're unsure, check with the plugin developer. If a plugin states it will be compliant but isn't yet, make a note to check it later. If a plugin is not GDPR compliant and does process and/or store personal data off of your website, you'll need to find a replacement. Remember, IP addresses are considered personal data.
7. Analytics and tracking
If you use Google Analytics, you'll need to anonymize IP addresses in order to comply with GDPR. If you use any other analytics tracking, including JetPack/WordPress, please check with them to see if there's anything you need to do.
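As an added example (not code from this post or from Google), here is what the Google Analytics gtag.js snippet looks like with IP anonymization switched on, together with a small helper for checking that the setting actually reached the `dataLayer`, which is the quick check to run in the browser console after pasting the snippet. `UA-XXXXXXXX-X` is a placeholder, not a real property ID.

```javascript
// Added example: gtag.js bootstrap with anonymize_ip, plus an audit helper.
const GA_ID = 'UA-XXXXXXXX-X'; // placeholder; use your own property ID

// The standard gtag.js bootstrap pushes calls onto window.dataLayer, which the
// real library (loaded in the page via
// <script async src="https://www.googletagmanager.com/gtag/js?id=..."></script>)
// drains later. Outside a browser there is no window, so fall back to a local object.
const win = typeof window !== 'undefined' ? window : {};
win.dataLayer = win.dataLayer || [];
function gtag() { win.dataLayer.push(arguments); }

gtag('js', new Date());
// anonymize_ip: true makes Universal Analytics zero the last octet of IPv4
// addresses (last 80 bits of IPv6) before the address is stored or used.
gtag('config', GA_ID, { anonymize_ip: true });

// Audit helper: find the config call for a given property ID in a dataLayer
// and report whether anonymize_ip was explicitly set to true.
function ipAnonymizationEnabled(dataLayer, id) {
  for (const entry of dataLayer) {
    const args = Array.from(entry); // entries are `arguments` objects or arrays
    if (args[0] === 'config' && args[1] === id) {
      return Boolean(args[2] && args[2].anonymize_ip === true);
    }
  }
  return false; // no config call for this ID, or the flag is missing
}

module.exports = { GA_ID, win, gtag, ipAnonymizationEnabled };
```

If your site still uses the older analytics.js snippet, the equivalent line is `ga('set', 'anonymizeIp', true);` placed after `ga('create', ...)` and before any `ga('send', ...)`. In Google Analytics 4 the address is anonymized by default and there is no switch to set.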
If you use remarketing or advertising on your website, for example through Google, Facebook, Mediavine or another advertising network, those companies are responsible for processing personal data in a compliant way, and should form part of your list to investigate for GDPR compliancy as per point 1 above.
Remember that social media sharing tools, automatic logins, and plugins also need to be checked.
8. Right to Access, Retaining, & Deleting Data
Under GDPR you need to:
- Provide people with a copy of all the personal data you hold about them on their request.
- Not store data any longer than you reasonably need to.
- Delete any personal data you hold about someone on their request (other than the minimum amount of information you need to hold to remember to forget them (!!) e.g. their name and email address). This is officially known as the "right to be forgotten".
When you're working with company-based email addresses, it is still considered personal data if it identifies a person. For example, if you have emails from John Smith at XYZ PR, you hold personal data in the form of his name, John Smith, and his email address, john.smith@xyzpr.xyz, as a bare minimum.
Actions people have chosen to do, e.g. email you or leave a comment, are fine – just make sure it's clear to them what you're planning to do with their details before they submit, and be proactive about securing and storing the data as detailed above.
Have a strategy in place for how you'd provide someone's personal data to them if they asked (this must be done within 30 days for standard requests), or how you'd delete their personal data and provide proof of that if asked. Again, if you're a WordPress user, there are plugins available plus future updates to WordPress that cover this.
Delete data when it's no longer needed; it's up to you to decide a reasonable timeframe, but two years of non-use is a good rule of thumb. If a law requires you to hold data for a certain amount of time, e.g. financial records have to be stored for 7 years in the UK, that overrides GDPR.
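To make the three obligations in this section concrete, here is an added example (not the post's code, and not a WordPress plugin) of a tiny personal-data store with an access export, an erasure that keeps only the minimal "remember to forget them" record, and a purge using the two-year rule of thumb above with an exemption for records under a legal hold. Storage is an in-memory Map and the sample records in the test are constructed, reusing the post's John Smith at XYZ PR as one of them.

```javascript
// Added example: right of access, right to erasure, and retention purge.
// In-memory Map stands in for your database (assumption for the example).
const RETENTION_MS = 2 * 365 * 24 * 60 * 60 * 1000; // the post's two-year rule of thumb

const people = new Map();      // email -> full record
const suppression = new Map(); // email -> { name, erasedAt }: the minimum kept to remember to forget

const norm = (email) => String(email).trim().toLowerCase();

// Record something a person chose to do (email you, comment, order) and update
// their last-activity date, which drives the retention purge below.
// Refusing suppressed addresses is what stops an old backup or CSV re-import
// from quietly resurrecting someone you deleted.
function recordActivity(email, activity, when = new Date()) {
  const key = norm(email);
  if (suppression.has(key)) return false;
  const rec = people.get(key) || { email: key, name: '', activities: [] };
  if (activity.name) rec.name = activity.name;
  rec.activities.push({ type: activity.type, text: activity.text, at: when.toISOString() });
  rec.lastActivity = when.toISOString();
  if (activity.legalHoldUntil) rec.legalHoldUntil = activity.legalHoldUntil; // e.g. financial records
  people.set(key, rec);
  return true;
}

// Right of access: everything held about this person, as a copy the caller can
// hand over (or serialise) without being able to mutate the store.
function exportPersonalData(email) {
  const rec = people.get(norm(email));
  return rec ? JSON.parse(JSON.stringify(rec)) : null;
}

// Right to erasure: drop the record and keep only name + email + when, so you can
// show the deletion happened and recognise the address if it reappears.
function erasePersonalData(email, now = new Date()) {
  const key = norm(email);
  const rec = people.get(key);
  if (!rec) return false;
  people.delete(key);
  suppression.set(key, { name: rec.name, erasedAt: now.toISOString() });
  return true;
}

function isSuppressed(email) {
  return suppression.has(norm(email));
}

// Retention: remove records with no activity for longer than RETENTION_MS,
// unless a legal hold (which overrides GDPR) is still running. Returns the
// removed addresses so the run can be logged as evidence of the policy.
function purgeStale(now = new Date()) {
  const removed = [];
  for (const [key, rec] of people) {
    const stale = now - new Date(rec.lastActivity) > RETENTION_MS;
    const onHold = Boolean(rec.legalHoldUntil) && new Date(rec.legalHoldUntil) > now;
    if (stale && !onHold) {
      people.delete(key); // deleting the current entry during Map iteration is safe
      removed.push(key);
    }
  }
  return removed;
}

module.exports = { recordActivity, exportPersonalData, erasePersonalData, isSuppressed, purgeStale, RETENTION_MS };
```

Run `purgeStale` on a schedule and keep its output with the date, and keep the suppression list out of any bulk export you hand to a third party: it exists only to prove erasure and block re-imports, not to be processed further.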
9. Update your Privacy Policy
This is one of the most important aspects of being GDPR compliant, and it's also one of the biggest tasks, which is why we've left it to the end.
For your GDPR privacy policy to be compliant, it needs to include various elements, which are listed here: How to write a privacy notice
Your Privacy Policy must also include the date you last updated it (save a copy every time you change it, so you have a record of when you changed it and what it said at the time).
You can buy a number of GDPR compliant policies online, or use free privacy policy generators and templates. Here are a couple of our favorite free ones (in our opinion; as with all the links we've mentioned, we can't guarantee how compliant they are).
WordPress is introducing some updates to make listing plugin compliancy easier in your privacy policy. Again, exercise caution and do the research to make sure you're as covered as possible by your terms. It's definitely worth investing in an affordable GDPR compliant privacy policy and/or advice from a legal expert if you're concerned.
Note: If your blog is bilingual, trilingual, etc., you need to provide your Privacy Policy in all the languages you utilize.
Emily
It’s so hard to understand!!
I don’t have a clue.
Jenni
Drop us a ticket any time Em, and we’ll do our best to help you 🙂
Annika
Do you offer services to have it all implemented??
I am trying to do the update for Google Analytics but I am not too sure where to put the extra code and when I click on the plugin itself it takes me to the Pro Upgrade first and I wonder – do I need to pay for it to be compliant??
Jenni
Hey Annika! Replied to you via FB 🙂