12 min read(Last Updated On: May 9, 2018)

GDPR explained for bloggersThe new GDPR EU general data protection regulation comes into effect on the 25 of May. This affects you wherever you are – especially if you’re a blogger or run a website of any sort.

In this article, I’m going to clarify everything you need to know to protect yourself.

Let’s do this.

A Quick GDPR Overview and how it affects bloggers and website owners

Essentially, if you run a website that collects visitor data, GDPR applies to you and you need to be compliant. Bloggers and marketers in particular often collect data about their visitors via various mechanisms (I’ll get into these in a moment) but, in reality, any website that runs tracking code such as Google Analytics or a Facebook pixel is collecting data.

So, even if you’re not collecting subscribers, you’re still collecting data about your visitors, and that could, in theory, violate their privacy. That’s what the EU GDPR is all about.

And here’s the thing…

Even if you’re not in the EU (European Union) you’re still affected because this law protects EU citizens wherever they happen to be in the world (in or out of Europe).

Ok, so let’s dive in deeper and look at what you need to do in practical terms to cover your derriere.

Allow me to be professional about this and point out that (as if you didn’t know) I’m not a lawyer and therefore everything I say or write is not legal advice and should be taken as entertainment.

Seriously?

Yep. That’s the kind of world we live in today. One has to say crazy things sometimes.

Ok, let’s get serious. Let me tell you what I know about the GDPR legislation, from the beginning.

What does GDPR stand for and what is it?

If you didn’t already know, the meaning of GDPR is general data protection regulation. It’s essentially an update to the data protection act.

Think of it as the new data protection act 2018.

What is data protection about?

In summary, data protection law was created to protect consumers. The UK government’s website has this to say about it:

“The Data Protection Act controls how your personal information is used by organisations, businesses or the government.”
ref: gov.uk

So why are they making these data protection changes?

Well, the big issue is that the old data protection policy was last updated before the Interweb as we know it was around. This means that there’s no provision in the legislation for the things that companies do when it comes to collecting and using visitor data.

Let’s be real for a moment: I don’t think that I’m the only one to assume that the new GDPR regulation is mostly about targeting big corporates.

Yes, I’m talking about big companies like Google and Facebook as well as those companies that collect our data and then – maybe – share it with somebody else, or worse, sell it.

Ever opted in for something, or bought something and given your details, only to start receiving very similar or related offers from companies you’ve never heard of before, as if by magic?

I have. And I didn’t consent to whoever I gave my data to in the first place to share my information with anybody else.

And that’s what many think this is really all about. At least, on the surface.

So changes to the old data protection act were needed, and that’s what the GDPR is (a new data protection policy that covers web users).

OK, let’s continue and tackle the obvious question:

Does GDPR apply to me?

Although I believe that the legislation is aimed at big data controllers (that’s the snazzy name given to a company that holds user data), it doesn’t differentiate between a corporate and a little blogger. So it affects everybody running a website.

What If I’m not compliant and I don’t care?

Ah. That’s a tricky question to answer (I can’t believe you asked me that!).

I’ve heard plenty of people so far say things like: “I’m in the US so the EU can’t touch me,” and “I don’t give a s***”. I see the point, of course. How is the EU going to chase millions of people (potentially) that are in breach of the GDPR regulation?

You’d think that the EU has bigger fish to fry, right?

But still…

I personally think that it’s better to play it safe. And here’s why:

The ICO (who are the UK body that deals with data privacy) issued fines to Honda UK and Flybe even before the GDPR came into effect, for a collective £83,000 (that’s over $100,000).

Do you know what Honda UK and Flybe allegedly did?

They emailed their subscribers to ask them if they were OK with still receiving emails.

Whaaaa?

Yep. That’s ‘all’ they did, from what I’ve read and heard.

I believe they were being proactive before GDPR kicked in and wanted to make sure that all their subscribers were OK with receiving emails.

But apparently, the ICO deems that to be a marketing email, although the companies in question, as well as myself and just about anybody I’ve asked, thought of those emails as customer support because they weren’t exactly marketing anything.

Click here for the full story.

You may be tempted to think that somebody somewhere wanted to make an example for the rest of us to fall in line.

On that note, the GDPR fines are set to be 4% of your annual revenue or 2 million euros, whichever is the highest.

And this is exactly my point: do you really want to breach the GDPR policy when the risk is this big?

Yes, it may be a pain in the butt for bloggers and marketers to have to implement GDPR, and it could arguably affect your conversion rate, but seriously, the alternative is not very attractive.

So let’s talk implementation.

How do you start applying GDRP to make sure you’re compliant?

Put simply, if you collect or store any visitor data at all, then you need to be GDPR compliant.

For bloggers and Internet marketers and anybody selling online, this means looking at where and how you capture data.

This can include:

  • contact forms
  • opt-in forms
  • checkout pages
  • tracking software such as Google Analytics
  • blog comments

If you run a forum or a membership site, you probably also hold information about your users (so this applies to you too).

The GDPR requirements are about transparency. So, in essence, you need to do the following:

  • let the visitor know what data you are capturing and why
  • let the visitor know why you need that data and what you plan to do with it
  • allow the visitor the option to opt out of whatever mechanism enables you to capture their data
  • allow the visitor to ask for a copy of all data you have on them
  • allow the visitor to edit or delete their data

Easier said than done eh? The issue for bloggers in particular is that a lot of the mechanisms that capture data are third party tools that we don’t have full control of, and some of the things that the GDPR requires us to do – like enabling a user to edit their data – gets tricky when it comes to things like user comments on a blog.

Thus, you need to be using tools that provide this functionality. In short: not just you, but the data-capturing plugins and software you use needs to be GDPR compliant.

Are there GDPR compliant plugins for WordPress?

Yes. There are a few on offer already and no doubt there will be more popping up as time goes by. WordPress themselves are going to release some new core functionality that will enable users of your WP site to access their data and even download it, which will make you compliant.

Here is a list of GDRP plugins:

How to present your lead magnets and how to ask your visitors to opt-in to your mailing list the right way

One thing to be aware of is that the old way of presenting a lead magnet in exchange for an email address and then automatically adding that user to your mailing list is no longer acceptable. The reason is simple: that use didn’t explicitly consent to being added to your mailing list: the only thing you can be sure that they wanted is your lead magnet.

What you should be doing instead, is separating the two things.

This is a catch 22 for bloggers and marketers of course. The whole point of offering a lead magnet is to build your mailing list. That’s what’s going to enable you to build a business and pay the bills.

But under the new legislation, you need to make joining your list a separate proposition. One way of doing this could be to present a checkbox in your opt-in form to enable the visitor to opt into your mailing list.

This is what I was talking about earlier when I said that we will probably all see a drop in conversions.

The sad part of all this is that many people will opt in to get the freebie but never tick that box to join your mailing list. Which makes me wonder if lead magnets may evolve into something else (because nobody wants to give away their hard work for nothing!)

Note that you cannot make your mailing list a part of the condition for receiving the magnet. For instance, you can’t say something like ‘join my mailing list and get this freebie’ or ‘get this freebie and stay up to date with my content’.

OK, so let’s get down to some practical steps you can implement.

What not to do

  • don’t have automatic opt-ins. When somebody submits their email address, send them another email to ask them if they’re really sure they want to opt in. I find this ridiculous, but it’s a necessity now. Also, make use of this opportunity to explain to your potential subscriber very clearly everything they may want to know about their data and your handling of it.
  • don’t share data. This is pretty self-explanatory. If somebody gives you an email address, don’t pass it on to somebody else. And this also means don’t pass it from one of your lists to another, even if you think the new list is relevant. The subscriber didn’t explicitly request to be added to the new list.
  • don’t store data on your server if you can avoid doing so. This is a biggie. Some opt-in software and some contact forms collect and store data on the server. My advice is to stop using that software and switch to something else. Use contact forms that email you directly and don’t store the user’s email in the database. If not, then you need to make sure your visitors have a way to access the data that you’re holding on the server, as well as the ability to edit it or delete it, or at the very least request you to do so.

What to do

  • use an up-to-date privacy policy on your website.
  • include a link to your privacy policy on any form that captures data. For example, on an ecommerce checkout page or an opt-in form.
  • use SSL. If you don’t use SSL, then you’re failing to protect your website visitors by not encrypting their data. This could be a breach of the general data protection act.
  • make sure all your plugins and software are GDPR compliant. If it isn’t or if you’re not sure, email the software providers and ask.
  • get seriously good at backing up. If you do store any visitor data, you need to make sure you’re backing it up so that you have it available if requested.
  • use a checkbox on any form that captures or asks for data. For example, a checkbox and some text that explains that checking the box means the visitor has read and agrees to your terms of usage and your privacy policy. Preferably, have a link to your privacy policy next to the checkbox.
  • make sure you have the ability to record the fact that a visitor checked the box to opt-in to your mailing list (or anything else). Remember you need to be able to prove that they did. This comes down to using good software tools that enable you to do this.

Is there a full compliance checklist I can look at?

Is there a PDF I can download?

Yep. You can get a PDF from the ICO website here

What if you or your company collects a lot of user data?

If this is the case, then you need to designate a data protection officer. That is, a person in charge of data protection who deals with all privacy matters.

I would also suggest you look online for some training on GDPR implementation and also consider getting accreditation.

When is the GDPR deadline?

The new data protection bill comes into effect on the 25 of May 2018.

General data protection regulation summary

To summarise, the new regulation is not necessarily bad. If anything, it was long overdue, because there was nothing protecting web users specifically from big corporations who are data controllers and who have, up til now, been able to do pretty much anything they wanted with our data.

For bloggers and individuals who have websites, it means we need to jump through a hoop or two to stay on the right side of the law.

Is anything concrete? What do lawyers say?

I’ve spent considerable time looking into, reading materials and listening to podcasts. Here’s the thing that struck me:

Law is shaped by court cases and lawsuits.

That means that the new regulation may well be shaped after somebody or some organisation gets sued. The lawyers I heard in various interviews were very slippery when it came to providing concrete answers.

So here’s the bottom line: if lawyers won’t commit to giving their full interpretation of the new act, then neither can anybody – and that includes me.

The general advice is to do everything you can to be compliant and stay on the right side of the legislation. If in doubt, don’t do it.

Here’s my video summary: GDPR explained in 10 minutes

My aim in writing this article was to give you the information that took me weeks to find and learn, as well as some resources to help you protect yourself. I hope you found this useful and I hope you share it with others!