If you are a blogger you probably have recently heard some buzz about something called GDPR.
Anyone who runs a blog, website, or business that deals with customers who live in the European Union will need to pay close attention to this new regulation.
*This post contains affiliate links. Please read my full disclosure policy for further details.
First off, let me start by saying I am NOT a lawyer and any information in this article should NOT be taken as legal advice. This is for informational purposes only and I encourage you to do your own research and/or consult your own attorney for any questions or legal advice. I cannot be held liable for any advice taken from this article. For further details, you can view my full disclaimer.
I realize this new regulation has many bloggers, new and old, worried. I, for one, am in that boat. I have done a lot of research on the matter and quite frankly, if you're not a lawyer, it will leave your head spinning.
I tried breaking down the basic facts and key points to help you. Hopefully, this will help you learn a little about what GDPR is, how it will impact your blog, and what you can do to prepare for the upcoming compliance deadline.
What Is GDPR?
GDPR stands for General Data Protection Regulation. It is the legal framework that sets guidelines for the collection and processing of personal information of individuals that live in the European Union (EU).
According to eugdpr.org, the EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches.
Anyone processing personal information will need to register with the Information Commissioner’s Office (ICO) and comply with the regulation by law.
How Did GDPR Come About?
On April 6, 2016, the EU agreed to a major reform of its data protection framework, by adopting the General Data Protection Regulation and replacing the 1995 Data Protection Directive. A two year transition period was given for organizations to comply.
GDPR will come into effect May 25, 2018.
Who Does GDPR Apply To?
GDPR applies to any organization operating in the EU, as well as any organization outside of the EU which offers goods or services to customers in the EU.
So here you are running a small blog in the US and wondering how this applies to you. If you offer any type of services on your blog, sell any type of product, or even just collect emails for the purposes of sending out a newsletter, you will still need to comply with this new law.
It doesn’t matter if you consider your blog a true “business” or not. It applies to anyone who processes or stores personal data.
Your blog is out there on the internet for everyone to see, so that means your readers and customers could potentially be from all around the world. There is a good chance one or many of your customers could be a citizen of the EU.
What Is Considered Personal Data Under GDPR?
Personal information means any detail about a living individual that can be used on its own or with other data to identify them.
Some examples of personal information:
- Phone Number
- Email Address
- IP Address
For bloggers, this is likely to be names and email addresses from newsletter subscribers, customer addresses, and IP addresses.
GDPR Core Principles
Article 5(1) requires that personal data shall be:
1. Processed lawfully, fairly, and in a transparent manner.
2. Collected for specified explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
4. Accurate, and when necessary, kept up to date.
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6. Processed in a manner that ensures appropriate security of the personal data.
Article 5(2) adds that:
7. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.
*These principles should lie at the heart of your approach to processing personal data.
Lawful Bases For Processing Data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
The GDPR provides the following rights for individuals:
- The right to be informed of what is done with your data.
- The right of access to all your data that is being processed.
- The right to rectification of any incorrect data.
- The right to erasure of your data.
- The right to restrict processing of your personal data.
- The right to data portability.
- The right to object to the data being processed.
- Rights in relation to automated decision making and profiling.
Right Of Access
The right of access gives individuals the right to obtain a copy of their personal data. They can make a request verbally or in writing. You will have one month to respond to a request.
You also cannot charge a fee to deal with a request in most circumstances. However, if the request is excessive you may charge a “reasonable fee” for the administrative costs of providing further copies.
How Can I Prepare?
For a further in-depth look at the new GDPR regulations, you can read up on it on the ICO website. The ICO (Information Commissioner’s Office) is the UK’s independent body set up to uphold information rights.
They also have tips on helping you prepare for the new law. The ICO head of policy talks about the 12 steps you can take now to get ready for the GDPR in this YouTube video, Introduction To GDPR.
Or, if you’re feeling adventurous you can read the Official PDF of GDPR, which contains over 250 pages, consisting of 11 chapters with 99 main articles and 173 recitals.
How Do I Comply?
Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
Register With The ICO
You will need to register with the Information Commissioner’s Office (ICO).
Registration costs €35 per year and takes about 15 minutes.
If you are still not sure if you need to register you can take this quick self-assessment.
I feel there is an issue that arises from registering and that is you will be added to a public register with your name and address visible for all to see. Oh, the irony with this one!! A law that was set in place to protect a person’s identity is now going to do the exact opposite of what the law is all about.
This is quite upsetting and doesn’t make much sense. The only way around this would be to use your accountant’s address if possible, get a P.O. Box, or a virtual mailbox.
This is probably a good idea anyway: if you have a newsletter on your blog, your address is shown to anyone who subscribes, due to anti-spam laws.
Personally, I don’t feel comfortable having my address put out there publicly. I think everyone needs to take caution with this. There are too many weirdos out there! You just never know, and it’s better to be safe than sorry.
I prefer to use a virtual mailbox and would highly recommend to any bloggers out there to do the same. If for some reason you do receive a piece of mail here and there, it eliminates the hassle of having to drive to the post office to check your P.O. Box. The price per year is practically the same.
I researched all the virtual mailbox companies and found that iPostal1 has the best deal for the money and you can pick from a wide variety of addresses across the U.S.
Privacy Policy
Everyone with a blog needs a privacy policy; make sure it is visible on every page. I put my legal pages in the footer of my blog. Your privacy policy should cover:
- Mention what data you collect
- What you use the data for
- Who you share the data with
- How long you keep the data
- How you protect the data
- How users can request the data held on them
- How users can request their data to be deleted
Adjust Your Email List Requirements
I have personally been receiving many re-consent emails from newsletters I have been subscribed to. Whether you need to do this or not if you have already used the double opt-in when your readers joined, I’m not sure.
I’ve heard of many people just scrapping everything and starting over to be on the safe side. This could be devastating to some I know.
Going forward, just make sure to use the double opt-in option on your newsletter. With double opt-in, after a reader subscribes to your newsletter they receive an email asking them to confirm that they subscribed, and they are only added to your list once they confirm.
All email automation services should have this feature, just make sure it is enabled.
Also, be sure to include a one-click unsubscribe button. Once again, every email automation service should be including this since it’s required under U.S. law anyway.
Lastly, stop collecting information you don’t need. You don’t need a birthday or even a person’s last name for your email list, a first name and email should be sufficient.
Important: If you offer a freebie on your blog (for example a course or checklist) you cannot automatically add someone to your email list. Once you send the freebie the communication ends there. However, you can offer them the option to sign up for your email list in the email in which you send your freebie.
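As an added illustration of the double opt-in and one-click unsubscribe flow described above (example code, not from the original post or from any particular email service), this Python sketch adds a reader only after they follow a signed confirmation link, records when consent was given, and stores nothing beyond a first name and email. The key, the 48-hour expiry and the confirmation URL are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed for this example; a real site keeps this key out of source control.
SECRET_KEY = b"example-only-key-replace-me"
CONFIRM_TTL = 48 * 3600  # confirmation links expire after 48 hours (assumed)


class NewsletterList:
    """Double opt-in list: nobody is a subscriber until they confirm."""

    def __init__(self):
        self.pending = {}      # email -> (first_name, issued_at)
        self.subscribers = {}  # email -> {"first_name", "consented_at"}

    def _sig(self, email, issued_at):
        # HMAC over email + timestamp so the link cannot be forged or altered
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, first_name, now=None):
        """Step 1: record the request only; collect just first name and email."""
        email = email.strip().lower()
        issued_at = int(time.time()) if now is None else now
        self.pending[email] = (first_name, issued_at)
        sig = self._sig(email, issued_at)
        # This is what the confirmation email would carry (hypothetical URL)
        link = f"https://example.com/confirm?email={email}&t={issued_at}&sig={sig}"
        return {"email": email, "issued_at": issued_at, "sig": sig, "link": link}

    def confirm(self, email, issued_at, sig, now=None):
        """Step 2: the reader clicks the link; add them only if it checks out."""
        now = int(time.time()) if now is None else now
        email = email.strip().lower()
        if email not in self.pending:
            return False
        if not hmac.compare_digest(self._sig(email, issued_at), sig):
            return False
        if now - issued_at > CONFIRM_TTL:
            del self.pending[email]  # stale request: drop the data rather than keep it
            return False
        first_name, _ = self.pending.pop(email)
        # Record when consent was given: this is your evidence of a lawful basis
        self.subscribers[email] = {"first_name": first_name, "consented_at": now}
        return True

    def unsubscribe(self, email):
        """One-click unsubscribe: returns True if a subscriber was removed."""
        return self.subscribers.pop(email.strip().lower(), None) is not None
```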
Review Third-Party Plug-Ins And Apps
You need to check your hosting provider, plugins, apps, or any other software that you use with your blog to make sure they are GDPR compliant.
You may have already seen many notices on your blog’s dashboard or have received emails about this. If you can’t find a clear statement, send them an email and ask.
Make Your Website Secure
- Never share your login information with anyone.
- Use super strong passwords.
- Remove the default “admin” user account on WordPress blogs.
- Use a reputable security plugin like Wordfence Security.
- Purchase an SSL certificate if you do not already have one. This gives your site HTTPS instead of HTTP in its address. If you do not have a blog yet and plan on starting one, Bluehost offers a free SSL certificate with their web hosting plan.
Display Cookie Notification
Install The GDPR Plugin
The GDPR Plugin is meant to assist a Controller, Data Processor, and Data Protection Officer (DPO) with efforts to meet the obligations and rights enacted under the GDPR.
WordPress 4.9.6 has made some GDPR compliant changes. Under Tools, you can now export personal data for specific users or erase personal data for users.
Personal Data Breach
The GDPR introduces a duty on all organizations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
National authorities must assess fines for specific data protection violations.
For the most severe violations, you can be fined up to €20 million or 4% of the business’s total global turnover in the prior fiscal year, whichever is higher.
Separate from the fines and penalties, individuals will have the right to claim compensation for any damage suffered as a result of a violation of the GDPR.
Important: Anyone can file a complaint with the ICO concerning your information rights practices. This is why it is so important to make sure you comply with this new law. You never know who is watching or who is out to get you.
Once again, I am not a lawyer and none of this information provided in this article should be taken as legal advice. This information was gathered through my own research and is for informational purposes only.
I encourage you to do your own research and/or seek your own legal counsel to determine if you are taking all the necessary steps to be GDPR compliant.
The GDPR is long, complex, and appears to still have some gray areas. I think we can all agree that we are all struggling to interpret many details of this new regulation.
As you can see, this new regulation is extremely important and should not be ignored. No matter how big or small your blog is, if I were you, I would look into this new law further and take action. Why take the chance?
Fellow bloggers, how are you handling this issue? Any comments to add to my interpretation of the GDPR? I look forward to hearing from anyone who has any further information. Thanks for reading!
✨If you are new to my blog, my main focus here is to help you make and save more money. One of the best ways I have found to make extra money online is by starting a blog. I love helping other people with tips and tricks on how to build a blog. Be sure to check out the Blogging Tips section for more useful information and the Blogging Tools sections of my Resources page to assist you further.✨