GDPR for Bloggers + Checklist
by Hoz
GDPR affects bloggers as well as anybody with an online presence.
If you're a blogger or run a website, then there are a few things you need to know to cover your back.
In this article, I'm going to clarify everything you need to know to protect yourself.
Let's do this.
How GDPR affects bloggers and website owners
Essentially, if you run a website that collects visitor data, GDPR applies to you and you need to be compliant. Bloggers and marketers in particular often collect data about their visitors via various mechanisms (I'll get into those in a moment) but, in reality, any website that runs tracking code such as Google Analytics or a Facebook pixel is collecting data.
So, even if you're not collecting subscribers, you're still collecting data about your visitors, and that could, in theory, violate GDPR privacy.
That's what the EU GDPR is all about.
And here's the thing...
Even if you're not in the EU (European Union) you're still affected because this law protects EU citizens wherever they happen to be in the world (in or out of Europe).
Ok, so let's dive in deeper and look at what you need to do in practical terms to cover your derriere.
Allow me to be professional about this and point out that (as if you didn't know) I'm not a lawyer and therefore everything I say or write is not legal advice and should be taken as entertainment.
In fact, assume I'm crazy.
Ok, let's continue. Let me tell you what I know about the GDPR legislation, from the beginning.
What is GDPR?
If you didn't already know, the meaning of GDPR is general data protection regulation. It's essentially an update to the data protection act.
Think of it as the new data protection act 2018.
What is data protection about?
In summary, data protection law was created to protect consumers. The UK government's website has this to say about it:
"The Data Protection Act controls how your personal information is used by organisations, businesses or the government."
ref: gov.uk
So why are they making these data protection changes?
Well, the big issue is that the old data protection policy was last updated before the Interweb as we know it was around. This means that there's no provision in the legislation for the things that companies do when it comes to collecting and using visitor data online.
Let's be real for a moment: I don't think that I'm the only one to assume that the new GDPR regulation is mostly about targeting big corporates.
I'm talking about big companies like Google and Facebook as well as those companies that collect our data and then - 'maybe' - share it with somebody else, or worse, sell it.
Ever opted in for something, or bought something and given your details, only to start receiving very similar or related offers from companies you've never heard of before, as if by magic?
I have. And I didn't consent to whoever I gave my data to in the first place to share my information with anybody else. Or sell it. Let's be honest here, data is big business.
And that's what many think this is really all about. At least, on the surface.
So changes to the old data protection act were needed, and that's what the GDPR is (a new data protection policy that covers web users).
OK, let's continue and tackle the obvious question:
Does GDPR apply to me?
Although I personally believe that the legislation is aimed at big data controllers (that's the snazzy name given to a company that holds user data), it doesn't differentiate between a corporate and a little blogger. So it affects everybody running a website.
What If I'm not GDPR compliant and I don't care?
Ah. That's a tricky question to answer (I can't believe you asked me that!).
I've heard plenty of people so far say things like: "I'm in the US, so the EU can't touch me," and "I don't give a s***". I see their point, of course. How is the EU going to chase millions of people (potentially) that are in breach of the GDPR regulation?
You'd think that the EU has bigger fish to fry, right?
But still...
I personally think that it's better to play it safe.
And here's why:
The ICO (who are the body that deals with data privacy in the UK) issued fines to Honda UK and Flybe even before the GDPR came into effect, for a collective £83,000 (that's over $100,000).
Do you know what Honda UK and Flybe allegedly did?
They emailed their subscribers to ask them if they were OK with still receiving emails.
Whaaaa?
Yep. That's 'all' they did, from what I've read and heard. They were being proactive before GDPR kicked in and wanted to make sure that all their subscribers were OK with receiving emails.
But apparently, the ICO deems that to be a marketing email, although the companies in question, as well as myself and just about anybody I've asked, thought of those emails as customer service, because they weren't exactly marketing anything.
Click here for the full story.
You may be tempted to think that somebody somewhere wanted to make an example for the rest of us to fall in line.
On that note, the GDPR fines are set to be 4% of your annual revenue or 2 million euros, whichever is the highest.
And this is exactly my point: do you really want to breach the GDPR policy when the risk is this big?
Yes, it may be a pain in the butt for bloggers and marketers to have to implement GDPR, and it could arguably affect your conversion rate, but seriously, the alternative is not very attractive.
So let's talk implementation.
How do you start applying GDRP to make sure you're compliant?
Put simply, if you collect or store any visitor data at all, then you need to be GDPR compliant.
For bloggers and Internet marketers and anybody selling online, this means looking at where and how you capture data.
This can include:
contact forms
opt-in forms
checkout pages
tracking software such as Google Analytics
blog comments
If you run a forum or a membership site, you probably also hold information about your users (so this applies to you too).
The GDPR requirements are about transparency. So, in essence, you need to do the following:
let the visitor know what data you are capturing and why
let the visitor know why you need that data and what you plan to do with it
allow the visitor the option to opt out of whatever mechanism enables you to capture their data
allow the visitor to ask for a copy of all data you have on them
allow the visitor to edit or delete their data
Easier said than done eh? The issue for bloggers in particular is that a lot of the mechanisms that capture data are third party tools that we don't have full control of, and some of the things that the GDPR requires us to do - like enabling a user to edit their data - gets tricky when it comes to things like user comments on a blog.
Thus, you need to be using tools that provide this functionality. In short: not just you, but the data-capturing plugins and software you use needs to be GDPR compliant.
On that note, WordPress were quick to implement a GDPR compliant mechanism whereby your users can download their data. It's already integrated into WordPress.
Are plugins for WordPress GDPR compliant?
They should be by now. I cannot image otherwise, unless the plugin is years old and hasn't been updated - so always check.
How to present your lead magnets and how to ask your visitors to opt-in to your mailing list in a way that is GDPR compliant
One thing to be aware of is that the old way of presenting a lead magnet in exchange for an email address and then automatically adding that user to your mailing list is no longer acceptable.
The reason is simple: that use didn't explicitly consent to being added to your mailing list. The only thing you can be sure that they wanted is your lead magnet.
What you should be doing instead, is separating the two things.
This is a catch 22 for bloggers and marketers of course. The whole point of offering a lead magnet is to build your mailing list. That's what's going to enable you to build a business and pay the bills.
But under the new legislation, you need to make joining your list a separate proposition. One way of doing this is to present a checkbox in your opt-in form to enable the visitor to opt into your mailing list.
This is what I was talking about earlier when I said that we will probably all see a drop in conversions.
The sad part of all this is that many people will opt in to get the freebie but never tick that box to join your mailing list. Which makes me wonder if lead magnets may evolve into something else (because nobody wants to give away their hard work for nothing!)
Note that you cannot make your mailing list a part of the condition for receiving the magnet. For instance, you can't say something like 'join my mailing list and get this freebie' or 'get this freebie and stay up to date with my content'.
OK, so let's get down to some practical steps you can implement.
What not to do (this would make you non GDPR compliant)
don't have automatic opt-ins. When somebody submits their email address, send them another email to ask them if they're really sure they want to opt in. I find this ridiculous, but it's a necessity now. Also, make use of this opportunity to explain to your potential subscriber very clearly everything they may want to know about their data and your handling of it.
don't share data. This is pretty self-explanatory. If somebody gives you an email address, don't pass it on to somebody else. And this also means don't pass it from one of your lists to another, even if you think the new list is relevant. The subscriber didn't explicitly request to be added to the new list.
don't store data on your server if you can avoid doing so. This is a biggie. Some opt-in software and some contact forms collect and store data on the server. My advice is to stop using that software and switch to something else. Use contact forms that email you directly and don't store the user's email in the database. If not, then you need to make sure your visitors have a way to access the data that you're holding on the server, as well as the ability to edit it or delete it, or at the very least request you to do so.
What to do (to stay GDPR compliant)
use an up-to-date privacy policy on your website.
include a link to your privacy policy on any form that captures data. For example, on an ecommerce checkout page or an opt-in form.
use SSL. If you don't use SSL, then you're failing to protect your website visitors by not encrypting their data. This could be a breach of the general data protection act.
make sure all your plugins and software are GDPR compliant. If it isn't or if you're not sure, email the software providers and ask.
get seriously good at backing up. If you do store any visitor data, you need to make sure you're backing it up so that you have it available if requested.
use a checkbox on any form that captures or asks for data. For example, a checkbox and some text that explains that checking the box means the visitor has read and agrees to your terms of usage and your privacy policy. Preferably, have a link to your privacy policy next to the checkbox.
make sure you have the ability to record the fact that a visitor checked the box to opt-in to your mailing list (or anything else). Remember you need to be able to prove that they did. This comes down to using good software tools that enable you to do this.
Is there a full GDPR compliance checklist I can look at?
there's a compliance checklist website that I found here: GDPR checklist
section 3 explains the new rights individuals have under the new legislation: here
Is there a PDF I can download?
Yep. You can get a PDF from the ICO website here
What if you or your company collects a lot of user data?
If this is the case, then you need to designate a data protection officer. That is, a person in charge of data protection who deals with all privacy matters.
I would also suggest you look online for some training on GDPR implementation and maybe also consider getting accreditation if applicable.
When was the GDPR deadline?
The new data protection bill came into effect on the 25 of May 2018.
General data protection regulation summary
To summarise, the new regulation is not necessarily bad. If anything, it was long overdue, because there was nothing protecting web users specifically from big corporations who are data controllers and who have, up til now, been able to do pretty much anything they wanted with our data.
For bloggers and individuals who have websites, it means we need to jump through a hoop or two to stay on the right side of the law.
Is anything concrete? What do lawyers say?
I've spent considerable time looking into, reading materials and listening to podcasts.
Here's the thing that struck me:
Law is shaped by court cases and lawsuits.
That means that the new regulation may well be shaped after somebody or some organisation gets sued. The lawyers I heard in various interviews were very slippery when it came to providing concrete answers.
So here's the bottom line: if lawyers won't commit to giving their full interpretation of the new act, then neither should anybody else - and that includes me.
The general advice is to do everything you can to be compliant and stay on the right side of the legislation. If in doubt, don't do it.
Here's my video summary: GDPR explained in 10 minutes
My aim in writing this article was to give you the information that took me weeks to find and learn, as well as some resources to help you protect yourself. I hope you found this useful and I hope you share it with others!