GDPR affects bloggers as well as anybody with an online presence.
If you're a blogger or run a website, then there are a few things you need to know to cover your back.
In this article, I'm going to clarify everything you need to know to protect yourself.
Let's do this.
Essentially, if you run a website that collects visitor data, GDPR applies to you and you need to be compliant. Bloggers and marketers in particular often collect data about their visitors via various mechanisms (I'll get into those in a moment) but, in reality, any website that runs tracking code such as Google Analytics or a Facebook pixel is collecting data.
So, even if you're not collecting subscribers, you're still collecting data about your visitors, and that could, in theory, violate GDPR privacy.
That's what the EU GDPR is all about.
And here's the thing...
Even if you're not in the EU (European Union) you're still affected because this law protects EU citizens wherever they happen to be in the world (in or out of Europe).
Ok, so let's dive in deeper and look at what you need to do in practical terms to cover your derriere.
Allow me to be professional about this and point out that (as if you didn't know) I'm not a lawyer and therefore everything I say or write is not legal advice and should be taken as entertainment.
In fact, assume I'm crazy.
Ok, let's continue. Let me tell you what I know about the GDPR legislation, from the beginning.
If you didn't already know, GDPR stands for General Data Protection Regulation. It's essentially an update to the Data Protection Act.
Think of it as the new data protection act 2018.
In summary, data protection law was created to protect consumers. The UK government's website has this to say about it:
"The Data Protection Act controls how your personal information is used by organisations, businesses or the government."
Well, the big issue is that the old data protection policy was last updated before the Interweb as we know it was around. This means that there's no provision in the legislation for the things that companies do when it comes to collecting and using visitor data online.
Let's be real for a moment: I don't think that I'm the only one to assume that the new GDPR regulation is mostly about targeting big corporates.
I'm talking about big companies like Google and Facebook as well as those companies that collect our data and then - 'maybe' - share it with somebody else, or worse, sell it.
Ever opted in for something, or bought something and given your details, only to start receiving very similar or related offers from companies you've never heard of before, as if by magic?
I have. And I didn't consent to whoever I gave my data to in the first place to share my information with anybody else. Or sell it. Let's be honest here, data is big business.
And that's what many think this is really all about. At least, on the surface.
So changes to the old data protection act were needed, and that's what the GDPR is (a new data protection policy that covers web users).
OK, let's continue and tackle the obvious question:
Although I personally believe that the legislation is aimed at big data controllers (that's the snazzy name given to a company that holds user data), it doesn't differentiate between a corporate and a little blogger. So it affects everybody running a website.
Ah. That's a tricky question to answer (I can't believe you asked me that!).
I've heard plenty of people so far say things like: "I'm in the US, so the EU can't touch me," and "I don't give a s***". I see their point, of course. How is the EU going to chase millions of people (potentially) that are in breach of the GDPR regulation?
You'd think that the EU has bigger fish to fry, right?
I personally think that it's better to play it safe.
And here's why:
The ICO (the body that deals with data privacy in the UK) issued fines to Honda UK and Flybe even before the GDPR came into effect, for a collective £83,000 (that's over $100,000).
Do you know what Honda UK and Flybe allegedly did?
They emailed their subscribers to ask them if they were OK with still receiving emails.
Yep. That's 'all' they did, from what I've read and heard. They were being proactive before GDPR kicked in and wanted to make sure that all their subscribers were OK with receiving emails.
But apparently, the ICO deems that to be a marketing email, although the companies in question, as well as myself and just about anybody I've asked, thought of those emails as customer service, because they weren't exactly marketing anything.
You may be tempted to think that somebody somewhere wanted to make an example for the rest of us to fall in line.
On that note, the GDPR fines are set to be 4% of your annual revenue or 2 million euros, whichever is higher.
And this is exactly my point: do you really want to breach the GDPR policy when the risk is this big?
Yes, it may be a pain in the butt for bloggers and marketers to have to implement GDPR, and it could arguably affect your conversion rate, but seriously, the alternative is not very attractive.
So let's talk implementation.
Put simply, if you collect or store any visitor data at all, then you need to be GDPR compliant.
For bloggers and Internet marketers and anybody selling online, this means looking at where and how you capture data.
This can include:
If you run a forum or a membership site, you probably also hold information about your users (so this applies to you too).
The GDPR requirements are about transparency. So, in essence, you need to do the following:
Easier said than done, eh? The issue for bloggers in particular is that a lot of the mechanisms that capture data are third-party tools that we don't have full control of, and some of the things that the GDPR requires us to do - like enabling a user to edit their data - get tricky when it comes to things like user comments on a blog.
Thus, you need to be using tools that provide this functionality. In short: not just you, but the data-capturing plugins and software you use need to be GDPR compliant.
On that note, WordPress were quick to implement a GDPR compliant mechanism whereby your users can download their data. It's already integrated into WordPress.
They should be by now. I cannot imagine otherwise, unless the plugin is years old and hasn't been updated - so always check.
One thing to be aware of is that the old way of presenting a lead magnet in exchange for an email address and then automatically adding that user to your mailing list is no longer acceptable.
The reason is simple: that user didn't explicitly consent to being added to your mailing list. The only thing you can be sure that they wanted is your lead magnet.
What you should be doing instead is separating the two things.
This is a catch-22 for bloggers and marketers, of course. The whole point of offering a lead magnet is to build your mailing list. That's what's going to enable you to build a business and pay the bills.
But under the new legislation, you need to make joining your list a separate proposition. One way of doing this is to present a checkbox in your opt-in form to enable the visitor to opt into your mailing list.
This is what I was talking about earlier when I said that we will probably all see a drop in conversions.
The sad part of all this is that many people will opt in to get the freebie but never tick that box to join your mailing list. Which makes me wonder if lead magnets may evolve into something else (because nobody wants to give away their hard work for nothing!).
Note that you cannot make your mailing list a part of the condition for receiving the magnet. For instance, you can't say something like 'join my mailing list and get this freebie' or 'get this freebie and stay up to date with my content'.
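To make the separation concrete, here is an added example (not code from the original article) of an opt-in form and its handler that keep the freebie and the mailing list as two independent decisions: the checkbox is unticked by default, its wording does not make the list a condition of the download, and the server records what the visitor agreed to and when. The `/opt-in` route, the `deliverLeadMagnet` and `subscribeToList` functions and the in-memory stores are hypothetical stand-ins for your own download and email-service calls.

```javascript
// Added example, not from the original article. Lead-magnet delivery and
// mailing-list subscription are handled as separate decisions.

// Wording shown next to the checkbox. Kept server-side (not read back from the
// form) so the recorded consent text cannot be altered by the client.
const CONSENT_TEXT = 'Also send me new posts by email (optional).';

const deliveries = [];   // constructed in-memory log of lead-magnet sends
const subscribers = [];  // constructed in-memory log of list subscriptions

// Hypothetical stand-in for emailing or linking the download.
function deliverLeadMagnet(email, leadMagnet) {
  deliveries.push({ email, leadMagnet });
}

// Hypothetical stand-in for the email-service-provider subscribe call.
function subscribeToList(email, consentRecord) {
  subscribers.push({ email, consentRecord });
}

// Form markup: the consent checkbox has no `checked` attribute, and the
// button wording refers only to the freebie, not to the list.
function renderOptInForm(leadMagnet) {
  return [
    '<form method="post" action="/opt-in">',
    `  <input type="hidden" name="leadMagnet" value="${leadMagnet}">`,
    '  <input type="email" name="email" required>',
    `  <label><input type="checkbox" name="listConsent"> ${CONSENT_TEXT}</label>`,
    `  <button type="submit">Send me the ${leadMagnet}</button>`,
    '</form>',
  ].join('\n');
}

// Handles one form submission. `submission` is the parsed POST body; `now` is
// injectable so the consent timestamp can be checked.
function handleOptIn(submission, now = new Date()) {
  const { email, leadMagnet, listConsent } = submission;
  if (typeof email !== 'string' || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    throw new Error('invalid email address');
  }

  // 1. The freebie is delivered regardless of the mailing-list decision.
  deliverLeadMagnet(email, leadMagnet);

  // 2. Only an affirmative tick counts. Browsers omit unchecked checkboxes
  //    from the POST body, so a missing field means "no consent".
  const consented = listConsent === true || listConsent === 'on';

  // 3. When the box was ticked, keep evidence of what was agreed and when.
  let consentRecord = null;
  if (consented) {
    consentRecord = { consentText: CONSENT_TEXT, timestamp: now.toISOString() };
    subscribeToList(email, consentRecord);
  }

  return { leadMagnetSent: true, subscribed: consented, consentRecord };
}
```

A submission without the checkbox still gets the download but creates no subscription; one with the box ticked creates a subscription alongside a record of the consent wording and timestamp, which is what you would produce if asked to show that a given address opted in.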
OK, so let's get down to some practical steps you can implement.
Yep. You can get a PDF from the ICO website here
If this is the case, then you need to designate a data protection officer. That is, a person in charge of data protection who deals with all privacy matters.
I would also suggest you look online for some training on GDPR implementation and maybe also consider getting accreditation if applicable.
The new data protection bill came into effect on the 25th of May 2018.
To summarise, the new regulation is not necessarily bad. If anything, it was long overdue, because there was nothing protecting web users specifically from big corporations who are data controllers and who have, up until now, been able to do pretty much anything they wanted with our data.
For bloggers and individuals who have websites, it means we need to jump through a hoop or two to stay on the right side of the law.
I've spent considerable time looking into this, reading materials and listening to podcasts.
Here's the thing that struck me:
Law is shaped by court cases and lawsuits.
That means that the new regulation may well be shaped after somebody or some organisation gets sued. The lawyers I heard in various interviews were very slippery when it came to providing concrete answers.
So here's the bottom line: if lawyers won't commit to giving their full interpretation of the new act, then neither should anybody else - and that includes me.
The general advice is to do everything you can to be compliant and stay on the right side of the legislation. If in doubt, don't do it.
My aim in writing this article was to give you the information that took me weeks to find and learn, as well as some resources to help you protect yourself. I hope you found this useful and I hope you share it with others!