What the Heck is GDPR? (and How to Make Sure Your Blog Is Compliant)

by Paul Long

Ever get that feeling that something’s just waiting to bite you on the ass?

A disturbance in the force that you just can’t put your finger on?

You’re sure it’s not your anniversary?

Your kid’s piano recital?

Maybe it’s the cable bill.

Dammit.

You can’t place what it is, but something’s waving a red flag.

For bloggers, that brain worm might just be the GDPR.

Niggling away at you like an unscratchable itch.

In a way, that’s good: You know enough about GDPR to be worried.

But in case you’re in the category of “blissfully unaware,” we’ll take a look at what the GDPR is all about.

And why it absolutely CAN affect you and your blog.

Disclaimer: I’m not a lawyer. The information below is absolutely not legal advice. But it might just save you a ton of worry and expense.

GDPR 101

GDPR is currently taking Europe by storm.

It’s the General Data Protection Regulation — a new data privacy law being introduced by the European Union — and it’s a bit of a game-changer.

It applies from May 25, 2018. (The regulation formally entered into force back in May 2016, but that is the date from which it can actually be enforced.)

Yep, that looming deadline might just be lighting up your radar.

It affects people across the globe, not just in Europe. And some forward-thinking folks have been working on preparing themselves for the last year or two.

Well done them. Straight to the top of the class.

But the truth of the matter is that many people have been just the slightest bit “mañana, mañana” about the whole thing.

Now that the countdown can be measured in days, some people are getting a touch, well, panicky.

It’s like that school assignment that you had a year to write.

Here you are, “T-minus-one and counting,” and you’re staring at a blank page.

And that’s due, in no small part, to the fact that GDPR appears complex, and there are still some gray areas.

We are all struggling to interpret some of the details of the regulation.

But some things are clear — so in case GDPR is entirely new to you, let’s hit the basics.

The Five GDPR Basics You Absolutely Must Know

  1. It applies to anyone who processes “personal data” — Most obviously, that’s things like names, email addresses and other types of “personally identifiable information”;
  2. It creates significant new responsibilities — If you process personal data, you are now truly responsible and accountable for its security and the way it is used;
  3. It has a global reach — It might be an EU law, but it can apply to anyone, regardless of their location;
  4. It doesn’t just apply to traditional businesses — The principles are concerned with what you do with other people’s data, not who you are or why you do it;
  5. There are eye-watering fines for non-compliance — up to €20 million ($24m) or 4% of global annual turnover, whichever is higher.

So the GDPR’s scope is surprisingly wide-ranging. It could easily apply to you.

It gives data regulators powers to apply unprecedented financial penalties.

And crucially, it’s becoming extremely high-profile. The Facebook/Cambridge Analytica scandal alone has elevated the subject of data privacy to mainstream debate.

So it’s worth spending a little time to try to understand the key principles that the GDPR is attempting to achieve.

The Six GDPR Core Principles

The central principles of the GDPR are not new.

They expand on existing European Union data protection regulations, and most folks might generally consider them to fall into the category of “quite a good idea, really” (from the consumer perspective, at least).

So let’s break them down one by one.

Principle #1: Lawfulness, Fairness and Transparency


You must process personal data in a way that is lawful, fair and transparent.

“Lawfulness” has a specific meaning under the GDPR. There are six legitimate, lawful grounds for processing personal data. You must satisfy at least one of these six criteria before your data processing is “lawful.”

The first and most obvious lawful basis for processing personal data is consent — that is, where the individual has specifically agreed (usually via one or more checkable boxes) that you may use their data in a specific way. More on consent later.

The majority of the other lawful grounds will be less relevant to bloggers. They include situations where it is essential for you to process personal data to fulfill a contract with the consumer, or if you are required by law to collect specific data (such as information required for tax records).

But the sixth and final lawful basis is relevant:

It can be lawful to process personal data without the individual’s consent if it is in your legitimate interest as a Controller to do so.

This is the subject of heated debate, because it appears to provide a convenient catch-all for controllers. (More on controllers later, but assume for now that the controller is you!)

Well, it's certainly not a catch-all, but it is an acknowledgement that data privacy is not absolute.

There should be a balance between the individual’s right to data privacy and the controller’s legitimate interest in running their blog, business or whatever.

“Legitimate interest” is most likely to be used where consent is not appropriate or feasible.

Examples might include:

  • Storing IP addresses in server logs for the detection and prevention of fraud.
  • Using non-privacy-intrusive cookies (such as Google Analytics).
  • Storing personal data in backups to allow a blog to be restored following a technical issue.

These scenarios highlight that in some situations (such as preventing fraud), the processing would be pointless if the individual could simply opt out of it. In others, it would simply be unworkable to try to gain consent in advance.

It will typically apply where your data processing involves minimal risk or impact to the individual’s privacy, and it is of a type that the individual might reasonably expect you to undertake.

That said, we can be clear that “legitimate interest” is not:

  • Carte blanche to do whatever you fancy without consumers’ knowledge.
  • A justification for collecting data that you know full well your consumers would not consent to.

Those scenarios would not be lawful, fair or transparent.

Anyone planning to rely on the “legitimate interest” lawful basis will need to familiarize themselves with the detail of the regulation because there are specific requirements, such as the need to conduct a Legitimate Interests Assessment.

“Fairness” is not specifically defined in the regulation, but on any definition it overlaps significantly with lawfulness and transparency.

All of the regulation guidance suggests that fair processing involves ensuring that it does not have any unjustified adverse effects on the individual, and that data is used in ways that the individual might reasonably expect, given your relationship with them.

In short, if you are being open and transparent about how you process data, then you will almost inevitably be processing it “fairly.”

Examples of unfair processing might include:

  • Deceiving consumers about your real identity.
  • Attempting to hide the true purpose of your data processing behind swathes of small print or unnecessarily formal legal language.
  • Trying to hoodwink consumers in any way into providing their data.

“Transparency” is a fundamental and recurring theme throughout the regulation. You are expected to be conspicuously open and honest about what data you collect and what you propose to do with it.

More on transparency later.

Principle #2: Data Is Only Used for Specified, Legitimate Purposes


You must only use personal data for the specific purposes that you have declared.

Closely related to the concept of transparency, this principle demands that you may not collect data for one purpose, and then go on to use it in a different way.

Let’s take the example of a “Sign Up to Receive This Free Report” offer.

On the face of it, the individual is providing their email address so that you can send them the report. That’s it.

You cannot then add their email to your mailing list and send them other promotional material unless you’ve made it clear at the point of sign-up that that’s what you intend to do.

Principle #3: Limited to What Is Required to Achieve the Stated Purposes


You must collect only the minimum amount of personal data required to achieve your stated objective.

This is the concept of data minimization.

If you collect personal data to allow you to send blog notifications by email, then the minimum information you require is an email address. “Name” is probably fine too (for the purpose of personalizing your emails), but collecting anything else could be seen as excessive.

So if, in the same scenario, you also collect cell phone number, gender and age, then you need to be very clear why that information is necessary to allow you to send blog notifications.

Principle #4: Accurate and Up-To-Date


You must take all reasonable steps to ensure that any data you collect is accurate and kept up-to-date.

The risks to individuals’ data privacy are clearly increased where that data contains inaccuracies. Incorrect email addresses are a prime example of where other personal data can be inadvertently disclosed or leaked.

You are therefore obliged to address data inaccuracies without delay — incorrect data must be rectified, or deleted.

In practice, if someone contacts you to update their email address, you should take action on it without undue delay.

But being proactive is also important — for example, if you are getting regular bounce-backs from addresses on your mailing list, then this should be telling you something. Periodically checking your list and removing bounced addresses is highly recommended.

Principle #5: Time Limited


You must only hold personal data for as long as is required to achieve the stated objective.

It’s central to the concept of fairness that data is not retained for any longer than required to achieve the purpose for which you collected it.

Data retention also has implications for accuracy. If you’re still storing customer address data that you collected five years ago, the chances are that a significant proportion of that stale data is now inaccurate.

Principle #6: Data Must Be Processed Securely


You must process personal data in a way that ensures appropriate security.

The security of the data you hold is clearly pivotal to the whole objective of the GDPR. You are responsible for ensuring that there exist appropriate technical and organizational measures to protect against unauthorized access, loss, alteration and disclosure.

That said, you’re not expected to be Fort Knox.

But you are expected to take steps that are proportionate to the sensitivity of the data that you collect, and the risk to the individuals concerned were the data to be lost or disclosed.

Basic precautions would include:

  • Not storing consumers’ data on a portable device like a smartphone (especially if you’re the type who regularly leaves it in a cab on a Friday night).
  • Never sharing system login details with others.
  • Password-protecting any office files that contain personal data.
  • Using encrypted (HTTPS) connections for your blog (the GDPR doesn’t mandate any particular technology, but Article 32 names encryption as an example of an appropriate security measure, and it’s an all-around good idea anyway).

That’s obviously not an exhaustive list, but you get the point.

All of the specific requirements contained within the GDPR are based upon these six principles.

By keeping these principles in mind, you should never deviate too far away from what the GDPR expects from you, even if you’re not an expert in the details of the regulation.

The problem is, there’s a certain amount of GDPR misinformation doing the rounds too.

Warning: Beware of These Three Dangerous Myths about GDPR

GDPR is new, and there’s a huge amount of speculation about how it will be applied in practice.

So let’s deal with some of the emerging myths.

Myth #1: I’m Not Based in the EU so It Doesn’t Affect Me


Don’t be fooled. That’s not the point.

The regulation protects consumers within the EU, regardless of where in the world the person who collects their data is based.

Anyone who starts a blog and makes it available to consumers within any of the EU Member States is potentially affected.

There are subtly different rules for controllers outside the EU, but regardless of whether you operate out of London, Milan or New York, GDPR needs to be on your radar.

At the very least, you will need to take an informed position on the subject, and that means having a plan.

Myth #2: I’m a Blogger, Not a Business, so It Doesn’t Apply


A swing and a miss.

While there are some provisions aimed specifically at organizations, the core accountability applies to anyone considered to be a “Data Controller.”

A Data Controller is the person who determines the “purposes and means” of processing: in plain English, what the data is used for and how.

And it can be anybody — an individual or a business.

Long story short, if you are the person who decides to collect the data, or decides what data is collected and why, then you are a Data Controller — regardless of whether you are operating as a business in the normal sense of the word.

Bloggers. Micro-businesses. Non-profits. Charities. Hobbyists.

All potentially covered.

I’ll get into why I say “potentially” later.

Myth #3: There’s an Exemption for Anyone with Fewer Than 250 Employees


Nope.

I’ve seen this one doing the rounds a lot, and it’s based on a very lazy interpretation of the rules.

If you process personal data and have fewer than 250 employees, you may be exempt from one very specific administrative requirement: keeping a formal written record of your processing activities (Article 30). Even that exemption falls away if your processing is more than occasional or involves sensitive categories of data.

It is absolutely not a general exemption.

GDPR can apply if you have no employees at all.

Four Common Blogging Activities That Could Put You in the GDPR Firing Line

As a blogger, you might feel that you’re not in the habit of collecting people’s personal data.

From there, it’s a very short walk to convincing yourself that GDPR is not your concern.

But think again — there are a number of very common blogging activities that can put you in the GDPR firing line.

#1. Collecting Email Addresses


Without doubt, this is the clearest scenario in which the GDPR can apply to bloggers.

Sure as eggs is eggs, names and email addresses are personal data.

If you invite people to give you this information — such as on a mailing list sign-up or via an online contact form — then you have a responsibility for that data.

As we’ll see later, this doesn’t of itself guarantee that the full force of the GDPR will apply, but it does mean that you are potentially affected.

#2. Using WordPress (or Another Content Management System)


Don’t misunderstand me, I’m a big fan of WordPress.

One of its biggest selling points is just how much it does for you straight out of the box.

But that can be a double-edged sword — would you know if WordPress was collecting/processing personal data in the background?

Possibly not.

Well it can, and it does:

  • With blog commenting enabled, WordPress will by default require all commenters to submit their names and email addresses before they can comment. This is personal data.
  • WordPress will set web cookies for anyone who logs into your site or submits a comment. The GDPR (Recital 30) lists cookie identifiers among the online identifiers that can make a person identifiable, so cookies are potentially personal data.
  • All plugins that you install on your WordPress site give you additional functionality (that’s why you use them) — and every one of those plugins has the potential to collect personal data.

#3. Using Any Type of Web Tracking or Profiling


Use the Facebook pixel for tracking page views and conversions?

Track who opens your MailChimp or AWeber campaign emails?

Use Google Analytics to understand web traffic?

Each of these, to one extent or another, involves profiling the behavior of identifiable individuals, and is potentially within the GDPR’s remit.

#4. Using a Web Host That Logs Visitors’ IP Addresses


It’s extremely common practice for your web server to record, in its server logs, the IP addresses of anyone who visits your blog.

Now there’s nothing the matter with that, because it can actually help to protect against malicious attacks and unauthorized access.

But IP addresses are personal data as far as the GDPR is concerned.

So, while you might not consider yourself to be actively collecting personal data, there’s a very good chance that, in reality, you are.
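As an added example (this is not code from the original article), here is how the data minimization and time-limit principles from earlier can be applied to exactly these server logs: a small Node.js script that masks each visitor’s IP address (zeroing the last IPv4 octet, or keeping only the first three groups of an IPv6 address, a truncation comparable to what Google Analytics’ anonymizeIP setting does) and discards entries older than a retention window. The log lines, the 30-day window and the function names are all constructed for the example; check what your web host’s log rotation actually does before relying on anything like this.

```javascript
// Added example, not part of the original article: apply data minimization and
// storage limitation to a web server access log ("combined" log format).
// Runs under Node.js with no dependencies. Sample lines below are constructed.

const COMBINED_RE =
  /^(\S+) (\S+) (\S+) \[([^\]]+)\] "(.*?)" (\d{3}) (\S+)(?: "(.*?)" "(.*?)")?$/;

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Mask the client address: zero the last IPv4 octet, or keep only the first
// three groups (48 bits) of an IPv6 address. Anything else is returned as-is.
function maskIp(ip) {
  if (ip.includes(':')) {
    const groups = ip.split('::')[0].split(':').slice(0, 3);
    return groups.join(':') + '::';
  }
  const octets = ip.split('.');
  if (octets.length !== 4) return ip;
  octets[3] = '0';
  return octets.join('.');
}

// Parse an Apache-style timestamp such as "20/May/2018:10:15:01 +0000".
function parseApacheDate(text) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(text);
  if (!m || !(m[2] in MONTHS)) return null;
  const [, d, mon, y, hh, mm, ss, sign, tzH, tzM] = m;
  const offsetMinutes = (sign === '-' ? -1 : 1) * (Number(tzH) * 60 + Number(tzM));
  return new Date(Date.UTC(+y, MONTHS[mon], +d, +hh, +mm, +ss) - offsetMinutes * 60000);
}

// Return the log lines worth keeping: parsable, inside the retention window,
// and with the client address masked. Unparsable lines are dropped because
// we cannot tell what personal data they might contain.
function minimizeLog(lines, now, retentionDays) {
  const cutoff = now.getTime() - retentionDays * 86400000;
  const kept = [];
  for (const line of lines) {
    const m = COMBINED_RE.exec(line);
    if (!m) continue;
    const when = parseApacheDate(m[4]);
    if (!when || when.getTime() < cutoff) continue;
    // The address is always the first field, so swap it in place
    kept.push(maskIp(m[1]) + line.slice(m[1].length));
  }
  return kept;
}

// Constructed sample log: two recent visits, one stale entry, one corrupt line.
const SAMPLE_LOG = [
  '203.0.113.42 - - [20/May/2018:10:15:01 +0000] "GET /gdpr-for-bloggers/ HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0"',
  '2001:db8:85a3:1::8a2e:370:7334 - - [21/May/2018:08:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [01/Jan/2018:00:00:00 +0000] "GET / HTTP/1.1" 200 100 "-" "curl/7.58"',
  'this line is corrupt and does not parse',
];

// Keep 30 days of masked entries, as seen from 25 May 2018
console.log(minimizeLog(SAMPLE_LOG, new Date('2018-05-25T00:00:00Z'), 30).join('\n'));
```

Masking the address still lets you spot bursts of abusive traffic from a /24, which is usually all the “fraud prevention” purpose needs, while making a leaked log far less useful to anyone else. Note that the referer and request fields can carry personal data too (see step #7 later on URLs), so the same thinking applies there.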

How Some Bloggers Can Dodge the GDPR Bullet

We’ve already seen that the core factor in determining whether the GDPR applies to you is whether or not you process personal data. It’s what the GDPR calls the “material scope” of the regulation.

But that’s not the only consideration.

We also need to consider what the GDPR calls “territorial scope” — and it’s this territorial scope that might allow some bloggers to dodge the GDPR bullet.

Territorial scope is EU-speak for the geographic limitation of the GDPR.

We’ve already touched on this in our first dangerous myth above.

The regulation protects the interests of consumers within the EU — regardless of whether the individual/business that collects their data is based in the EU or not.

So the real question is not where you are based — rather it is where your intended consumers are based.

A US-based blog can be caught within the scope of the GDPR if it in any way targets consumers in the EU.

But to be clear, if you can legitimately argue that your blog falls outside the territorial scope of the GDPR, the regulation will not apply to you — and none of the requirements, responsibilities or fines apply.

Some folks will, understandably, see this as a GDPR get out of jail free card.

Just be wary…

The GDPR makes a clear distinction between Data Controllers (remember, that’s probably you) who are based in the EU and those based outside the EU. It boils down to this:

  • Data Controllers in the EU are within the territorial scope, and the GDPR applies.
  • Data Controllers outside the EU are subject to the GDPR rules if they “offer goods or services” to individuals within the EU, or if they monitor those individuals’ behavior (which is exactly what the web tracking and profiling tools in activity #3 above do).

This distinction will be crucial for many bloggers.

It introduces the concept of your intended target audience.

If your blog is genuinely targeted at a non-EU audience and you don’t, in reality, process the data of EU consumers, then you have a potential exemption from the entirety of the GDPR.

But it’s important to understand that this is a gray area.

The actual wording of the regulation refers to whether “the Controller envisages offering goods and services to data subjects in the Union.”

If you blog about childcare in San Francisco, then I’d argue that you’re on pretty solid ground. It doesn’t have any obvious relevance to EU consumers, and it would seem fair to argue that you don’t “envisage offering a service” to them.

On the other hand, blog on a subject that’s not limited by location (such as the cool new features on the iPhone X), and that argument might not fly. Your content is just as relevant to EU consumers as it is to anyone else, and you probably have no real intention of limiting your readership.

So it’s going to depend very much on the nature of your blog.

Factors to bear in mind:

  • While there is no definition of what constitutes a “service,” it is highly likely that blogging will count as one (the UK data regulator has strongly implied to us that blogging is clearly an information “service”).
  • It is irrelevant whether or not your consumers pay you for your service;
  • Just because you have a blog that can be accessed from the EU does not necessarily mean that you intend to offer your services in the Union.
  • Some specific factors will strongly imply that you do intend to offer your services in the EU — such as offering payments in a European currency, having localized domain names (such as .eu or .co.uk), or offering local phone number options.

Importantly, if in reality you DO process the personal data of EU consumers (let’s say by having people with .co.uk email addresses on your email list), then it’s hard to argue that you don’t envisage offering a service to them.

Because you’re already actually doing it.

The $64,000 Question: Is Your Blog in Scope?

Coming to a conclusion about whether your blog falls within the scope of the GDPR is something that only you can do.

It will depend on the exact nature of your blog, the data you capture, and your target audience.

And there are areas that are not perfectly clear-cut when you apply them to blogging.

Just keep in mind that it’s human nature to try to shoehorn your own blog into one of the limited exemptions to the rules.

If you offer a service to consumers in the EU and, by so doing, process information that qualifies as “personal data,” then, at face value, the GDPR will apply.

If you’re in any doubt, the wise approach is to have a plan to tackle it.

Three Totally Legitimate Approaches to Tackling GDPR (Including One That’s Super Easy)

Let’s assume that the GDPR applies to you and your blog.

What now?

Strikes me that people are going to take one of three approaches that extend beyond simply pretending it’s not happening.

Approach #1: Do Nothing (aka “Wait and See”)


Let me be clear here: “Do nothing” is not the same as “ignore it.”

Ignoring it would be bad. It needs to be on your radar.

But depending on your approach to risk, you might well choose the “wait and see” method.

Day 1 GDPR compliance would be awesome — but pragmatically, it can take time, effort and potentially expense.

And realistically, you are unlikely to come to the attention of the data regulators unless you actually experience a data breach or someone chooses to make a complaint against you.

So why not just wait for the dust to settle and see what everyone else does?

Pros:

  • You buy yourself some time.
  • Provided you keep your ear to the ground, you’ll get to see how the regulators approach enforcing the rules in practice.
  • The specifics of how to be compliant can only get clearer over time — so you can possibly avoid going down a variety of rabbit holes in the meantime.

Cons:

  • This is undeniably a higher risk option.
  • You will technically be non-compliant on Day 1 (albeit along with much of the rest of the world).
  • Technically, you could be fined in the event of a data breach, such as your WordPress site being hacked.
  • Depending on your brand visibility, your reputation is at risk if you’re simply unprepared for things like individuals’ requests for access to data — and that might bring you to the attention of the regulators.
  • Regulators are likely to have little sympathy for people who have made no apparent effort to comply.

It’s hard for me to wholeheartedly advocate the “wait and see” approach — because it feels reactive, and maybe I’m a bit risk-averse.

But there is arguably a place for it if you understand and accept the risks.

That said, some of the risks can be mitigated, which leads me to the second approach.

Approach #2: Show Willingness by Implementing Some Quick Wins


While full GDPR compliance is going to be complex for some, there’s likely to be some low-hanging fruit to be had.

Not only will it start you off on a path toward full compliance, you’re also demonstrating a commitment to data privacy — and you might be surprised how much you’re already doing.

If you do nothing more than revisit your consent processes and publish a privacy policy on your blog, you will still be making a significant step towards compliance.

(Check out my Seven Easy Steps Toward GDPR Compliance below, which suggest what some of these approaches might look like.)

Pros:

  • Significantly lower risk than doing nothing.
  • Relatively low effort, time and cost.
  • Simply reviewing your privacy risks will put you in greater control.
  • It promotes a data privacy mindset that will inform your future decisions.
  • Practically, you are even less likely to attract the attention of regulators.

Cons:

  • Quick wins alone are unlikely to make your blog fully compliant.
  • You will need to commit some time and effort to evaluate your risks and liabilities.

My guess is that “showing willingness” will be where many bloggers and small businesses will be when the GDPR comes into force.

Approach #3: Go the Full Nine Yards and Aim for Complete GDPR Compliance


In an ideal world, full GDPR compliance from Day 1 is clearly the place to be.

It minimizes risk and — to those who know what to look for — demonstrates your credibility and professionalism.

For simple blogs and small online businesses, full compliance might be perfectly achievable, because simplicity is your friend.

Pros:

  • All privacy risks will be closely managed.
  • You won’t be caught off-guard in the event of a personal data inquiry or, worse, a complaint.
  • All other things being equal, you get to sleep at night.

Cons:

  • Will require time and effort to understand the full requirements of the GDPR.
  • May involve cost to bring processes and technology into line.

Seven Easy Steps Toward GDPR Compliance

The actual GDPR regulation itself is a horribly impenetrable document.

It runs to 99 main provisions (“Articles”) plus 173 supplementary “recitals” (88 pages in the Official Journal, and considerably more in most annotated versions).

And they wonder why people don’t read it.

Unless you’re a lawyer, you’ll likely come away from it feeling just a little overwhelmed.

But if you can master the concepts and the six core principles, you’ll see that there are a number of discrete, tangible things that you can do toward compliance.

And some of them are pretty pain-free.

#1. Make a Personal Data Inventory


Spend 30 minutes just brainstorming and documenting the types of personal data that you collect.

Then you’ll begin to understand where your actual liabilities are.

Make sure you consider:

  • The information you actually ask people for, in particular names and emails via contact forms and blog subscriptions.
  • The information that might be collected by your systems — if you use Google Analytics or Facebook remarketing, you will have some thinking to do about the fact that these applications use cookies. If you use WordPress or another CMS, it’s worth investigating whether you’re setting cookies that you don’t know about.

Only when you’ve identified how you collect data can you start to address whether you need to take further action.

#2. Publish a GDPR-Compliant Privacy Policy


Publishing a privacy policy is the most tangible thing you can do to demonstrate your commitment to data privacy.

It’s your opportunity to:

  • Outline what types of data you collect and specifically how you intend to use it — including who that data might be shared with.
  • Detail what types of cookies are used on your blog.
  • Describe what steps you take to ensure that the data is secure.
  • Highlight exactly what individuals are consenting to, how they provide consent and, importantly, how they may withdraw their consent in the future.
  • Explain the rights that individuals have over their data (the GDPR gives individuals a range of new rights, including the right to access their data and the “right to be forgotten”).

If you already have a privacy policy, you may already have much of this covered. But it’s unlikely that your policy will be GDPR-compliant without some form of amendment. If nothing else, you will need to add the range of data access rights that consumers have.

And just publishing your privacy policy is not enough.

You need to stick to it.

And make sure that anyone else working on your behalf sticks to it, too.

Your GDPR protection is only as strong as its weakest link.

Feel free to check out my own privacy policy as a guide to what should be included. You’ll find other great examples on the web, but I’m confident mine is firmly on the right track.

That disclaimer again: I’m not a lawyer, and this is not legal advice. (And please don’t just copy my policy — it’s not polite, and your policy needs to reflect what you do, not what I do!)

#3. Be Crystal-Clear about Consent


A lot of people who talk about GDPR seem to think that consent is the silver bullet for all GDPR problems.

It’s not.

Consent is just one of six lawful grounds for collecting personal data under the GDPR, and it won’t always be the most appropriate one to rely on.

That said, it IS important.

Where consumers are volunteering personal information (such as online contact forms and blog sign-ups) you must ask for their specific consent if there is no other legal ground for processing that data.

This will usually mean having one or more checkable “consent” boxes on all sign-up forms.

Important things to consider:

  • People must be able to tell what they’re consenting to — vague and generalized statements about what you intend to do with the data will not cut it. (The days of “we collect data to improve your experience” are gone!).
  • Your privacy policy is the place for this information, and your readers must have the opportunity to read the policy before they are asked for consent.
  • Consent must be given as an “affirmative action” — so it is not acceptable to use a pre-checked consent box. Any consent checkbox must be unchecked by default (Some email providers like MailChimp make this easy with built-in GDPR features).
  • You must only use the information gained via consent for the reasons you gave when consent was given.
  • You should always take advantage of the “double opt-in” options that are found within campaign management tools like MailChimp. Double opt-in requires the individual to confirm their initial request before their data is added to your mailing list. It will also usually give you a means of demonstrating when consent was given.

#4. Stop Collecting Data You Don’t Need


Data minimization is the way to go.

Do you really need someone’s cell phone number to send them blog updates?

Probably not.

The more data you collect, the more data you’re responsible for.

If you can’t justify why you’re asking for a particular piece of data, don’t ask for it.

And if you already hold data that you don’t need (or can’t justify), now is the time to dispose of it. (Securely, of course!)

#5. Make Sure Your Blog Is Super-Secure


One of the core objectives of the GDPR is to keep personal data secure.

You can directly influence this by making sure that you are taking basic, common-sense security precautions such as:

  • Never sharing your blog’s login credentials with anyone else.
  • Always using strong, unique passwords (and two-factor authentication where your platform supports it).
  • Removing the default “admin” user account on WordPress blogs.
  • Keeping WordPress core, themes and plugins up to date, and deleting plugins you no longer use (each one is extra code that can collect data or carry a vulnerability).
  • Using a reputable security plugin to prevent unauthorized access.
  • Physically protecting data stored on removable storage such as USB sticks and external hard drives.

All of these things form the basis of the “how we protect your data” section of a privacy policy.

#6. Use a Reputable Web Host


You are most likely using some form of third-party web hosting for your blog — either shared hosting or maybe VPS.

By providing the servers that your blog runs on, that third-party hosting company becomes a “Data Processor” in GDPR terms, because they are processing data on your behalf.

You are effectively subcontracting the technical hosting activities to them.

As a result, they have access to any personal data that is stored on your blog — and they are therefore quite capable of being the weak link in the chain.

A reputable web host will be only too happy to talk to you about the security processes that they have in place, their security accreditations, and so on.

The best ones already have GDPR-compliant conditions within their standard terms of service, or will offer you a personalized data processing agreement on request.

This is important, because the GDPR (Article 28) requires you to have a written contract with anybody who acts as a Data Processor on your behalf. And if that processing takes place outside the EU, you also need a recognized legal mechanism for the international transfer, so ask the host where your data is actually stored.

So choose your web host wisely.

And be prepared to find a different provider if you don’t get the answers you need.

#7. Check Your Google Analytics Configuration


Okay, this is a bit specific, but it might be the difference between compliance and non-compliance for some simple blogs.

Google Analytics uses cookies to track when people visit your blog. They enable GA to distinguish one visitor from another.

But, when set up correctly, GA cookies are likely to be seen as “non-privacy intrusive,” which means that you do not need to get prior specific consent to use them (which, believe me, would be a technical minefield).

For this exclusion to apply, though, you need to be careful:

  • It’s important that you haven’t implemented the (optional) User ID functionality within GA. User ID allows you to identify a particular individual even if they view your blog from different devices. You should know if you’re using this functionality, because it’s not enabled by default, and you would have had to implement it manually.
  • You should take advantage of the “anonymizeIP” function that GA provides, which has the effect of obscuring part of visitors’ IP addresses when the data is stored at Google. Note that this is switched OFF by default, but can be activated by adding a simple parameter to your GA tracking code (the exact code depends on which version of the Google Analytics code you’re using — analytics.js or gtag.js). If you’re using a plugin for analytics, you might find this option in the plugin settings.
  • You should make sure that you never (intentionally or inadvertently) include personal data within page URLs that are sent to GA. Not only is this bad for GDPR, it’s also a breach of Google’s Terms of Service.
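As an added example (not code from the original article), here is a small JavaScript helper that applies the last two bullets: it switches on IP anonymisation and strips personal data from the page path before it is handed to GA. The `anonymize_ip` / `anonymizeIp` settings and the `gtag()` / `ga()` calls are Google's public tracking APIs; the list of personal-data query keys, the `GA_ID` placeholder and the helper function names are assumptions made for this example.

```javascript
// Added example, not from the original article. Runs in Node (for the checks)
// and in a browser; the gtag()/ga() calls are only made when those globals exist.

// Query-string keys that commonly carry personal data. Constructed for this
// example; extend it to match the forms and links on your own blog.
const PII_QUERY_KEYS = new Set([
  'email', 'e-mail', 'name', 'first_name', 'last_name', 'phone', 'tel', 'address',
]);

// Loose email shape, used to catch personal data under keys we did not list.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Return the path + query of `url` with personal data removed:
//  - listed keys are dropped entirely;
//  - any other value that looks like an email address is replaced with "redacted";
//  - the fragment is dropped (GA never needs it).
function sanitizeGaPagePath(url) {
  // The base only matters when a relative path is passed in.
  const u = new URL(url, 'https://example.invalid');
  // Copy the entries first: deleting while iterating a live URLSearchParams skips items.
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_QUERY_KEYS.has(key.toLowerCase())) {
      u.searchParams.delete(key);
    } else if (EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'redacted');
    }
  }
  u.hash = '';
  return u.pathname + u.search;
}

// Build the gtag.js config object. `anonymize_ip: true` is the gtag.js form of
// the "anonymizeIP" setting mentioned above; it is off unless you set it.
function buildGtagConfig(pageUrl) {
  return { anonymize_ip: true, page_path: sanitizeGaPagePath(pageUrl) };
}

// Placeholder property id; replace with your own (assumption for this example).
const GA_ID = 'UA-XXXXXXXX-Y';

// Wire the config into whichever GA library the page has loaded, and return it
// so the caller (or a test) can see exactly what would be sent.
function installTracking(pageUrl) {
  const config = buildGtagConfig(pageUrl);
  if (typeof gtag === 'function') {
    // gtag.js: anonymisation and the cleaned page path go in the config call.
    gtag('config', GA_ID, config);
  } else if (typeof ga === 'function') {
    // analytics.js: the same two settings, then the pageview hit.
    ga('set', 'anonymizeIp', true);
    ga('set', 'page', config.page_path);
    ga('send', 'pageview');
  }
  return config;
}
```

In the browser, call `installTracking(window.location.href)` in place of the plain `gtag('config', …)` or `ga('send', 'pageview')` line of your snippet.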

For a handy visual reminder of the seven steps, check out the image below:

Seven Easy Steps Toward GDPR Compliance

Stop Hiding Under the Pillow and Get Ahead of GDPR

Like it or not, the GDPR could affect you.

Even if you’re not in the EU.

While regulators are extremely unlikely to start handing out huge fines on Day 1, smart bloggers will see this as an opportunity to get their data processes properly nailed down.

Get on the front foot and you’ll have a better, deeper understanding of the value of the data that you hold, and the responsibility (and accountability) that you have for that information.

And frankly, even if the GDPR doesn’t apply to you, it’s a strong indication of where data privacy is going — so why not embrace the principles anyway?

It may seem a million miles away from why you pour your heart and soul into blogging. You blog to inform, to inspire, to share your passion.

But you’re also responsible to your loyal followers for the information they entrust to you.

So don’t lose sleep over it. Get ahead of it.

Because when you do, your blog will be stronger than ever.

Paul Long is a small business web designer, WordPress enthusiast and self-confessed data freak based in the UK. He currently spends his days helping folk to tread the fine line between GDPR denial and meltdown. For further actionable guidance, check out his free GDPR Action Plan for small businesses.

113 thoughts on “What the Heck is GDPR? (and How to Make Sure Your Blog Is Compliant)”

  1. Good to know Paul. I store data mainly through blog comments since I build no email list. Meaning this would be my main personal data stored, although you could toss cookies in there too. Thanks for the nudge to be compliant 😉

    Ryan

    Reply
    • Hey Ryan – no problem, thanks for reading!

      Looks like there are some interesting GDPR enhancements to WordPress in development (including clearer opt-in for commenters and anonymization of commenter data), so if you’re a WP user, it’s worth looking out for updates.

      Cheers,
      Paul

      Reply
      • Thanks for this comment about WordPress developments to respond to GDPR. Was wondering throughout this whole post as to what WordPress would have to say in response (my blog is powered by WP).

  2. Great article! The clearest and most understandable one I’ve read so far. Thank you for the effort of writing it.

    Reply
    • Thanks Jana 🙂 There’s already a bit of ‘GDPR-fatigue’ taking hold (well, certainly here in the UK) – so I’m glad if the information helps!

      Cheers
      Paul

      Reply
  3. Thank you for this clear guide to GDPR compliance. I’ve been digging around trying to find guidance that’s both thorough yet easy to understand. This is exactly what I was looking for.

    Reply
  4. Thank you for a thorough and simple to understand post about a topic that I was definitely avoiding. I checked out your privacy policy. It’s excellent and gave me many good ideas about how to rework mine.

    Reply
  5. Good article, though I wouldn’t necessarily say it’s a new law since it was adopted in 2016. It’s only popular now because the enforceable date is looming.

    Reply
    • Thanks James – absolutely right. A law that is ‘in force’ but not ‘enforced’ is an interesting concept, but that’s technically where we’ve been for the last couple of years.

      Human nature, I guess, for people to get a bit twitchy when the fines start to apply!

      All the best
      Paul

      Reply
    • It certainly can affect you – doesn’t matter where in the world you are if you process personal data relating to people in the EU.

      I guess the main point for you will be the ‘territorial scope’ section and the question about whether you ‘offer goods and services’ in the EU, or profile the behaviour of people in the EU.

      If you don’t do either of those things, then it might not apply to you.

      thanks
      Paul

      Reply
  6. Hi Paul. Thanks so much for providing this information. In trying to understand the GDPR and what I’m supposed to do as the owner of a small blog, I have been asking people in online forums, FB groups for bloggers etc. what they’re doing to prepare for implementation of the new regulations and checking out the bigger blogs in my niche. I was shocked that so many are doing nothing…

    Your info is not only thorough, but easy for me to grasp the important details, so that I have some sense of what this means for my blog. Thanks. I greatly appreciate the help.

    Reply
    • Hi Kimberly – my pleasure, I’m glad it’s been of some help.

      You’re right, of course – there are a lot of people (and organisations) who have been taken off-guard. I don’t think it’s too controversial to say that the existing (pre-GDPR) rules weren’t very actively enforced, and perhaps some people got a little complacent about it. I think the GDPR is going to change that!

      All the best with your planning!

      cheers
      Paul

      Reply
  7. FINALLY someone who actually explained GDPR and told us what to do about it in plain English. This post should be required reading for all bloggers. Great job and Thanks!

    Reply
  8. This is really a detailed post about GDPR. I am one of those who wrongly assumed that I may not need to bother myself about GDPR since I have no readers from Europe. Thanks for this post.

    Reply
    • Thanks Uthman – yes, the trick is to be as clear as possible in your own mind whether the Regulation affects you. A clear, defensible argument that the GDPR does not apply to you is as good a plan as any!

      all the best
      Paul

      Reply
  9. Really great article – I get the concept of what the Europeans are trying to do but it seems very onerous for small blogs with a few tens to a few hundred subscribers, particularly if there is no financial model associated with the blog to cover any expenses related to becoming “compliant”.

    One thing I do not understand is – if this is a European law – how they (whoever “they” are) intend to enforce and fine blog owners in the USA or for that matter in any other country outside of Europe.

    Reply
    • Thanks Simon – that’s a really interesting point actually.

      The principle is of course concerned with protecting individuals’ personal data, regardless of the purpose of processing that data. For example, even a charity, or a completely non-commercial and benevolent organization is just as capable of a data breach as anyone else – and the impact of such a breach would be no different.

      Each EU member state will have their own ‘supervisory authority’ (i.e. regulatory body). Here in the UK, it is the Information Commissioner’s Office (ICO), and they will actually have a lot of discretion.

      There is clear guidance that the supervisory authorities must take account of what is reasonable and proportionate, given the size of the Controller’s organization, the nature of the data being processed and the cost/complexity of implementing solutions.

      So, in my opinion, they absolutely will take a different approach for individuals and small organizations that process small amounts of low-risk data.

      And yes, whether they could actually track down a non-EU blogger in order to apply a penalty is a completely different matter!

      cheers
      Paul

      Reply
  10. Thanks for the post.

    But what about affiliate marketing? I’m an affiliate of several products and I don’t know how to address this.

    Any ideas? 😉

    Reply
    • Thanks John,

      Affiliate marketing does involve a number of the GDPR concepts.

      Primarily, there’s the question of what personal data you (as opposed to the affiliate network) are actually processing.

      Chances are that by using any form of affiliate link, some sort of web cookies will be used to identify (and subsequently track) the individual – and cookies are potentially ‘personal data’. So (assuming that the GDPR applies to you at all), you would be obliged as a minimum to explain this in your Privacy Policy – including the fact that the cookie data is effectively shared with the affiliate network.

      But are you actually collecting/processing any personal data other than this? I guess it will depend on what specific approach you use.

      If you’re using affiliate links within emails to your mailing list, then there’s also the broader question of the scope of the consent that you have from people on that list.

      I think the principle must be this: if you publish an affiliate link, then you should be clearly signposting the fact that it IS an affiliate link (there’s nothing new in that). If, by clicking on the link, the individual will be tracked in some way, then you should be transparent about that so that people can make an educated decision about whether to click it.

      All of that said, I think that the affiliate networks themselves have got some significant work to do to make sure that they are compliant.

      cheers
      Paul

      Reply
      • Thanks for the information! I’m impressed by your reply.

        I’ll update my privacy policy for starters and then wait and see what happens on other sites. I run a little website and for now consider it almost impossible to comply 100%.

        Guess I am going for the Quick Wins strategy.

  11. Wow. This is fantastic. Best GDPR explanation and help that I have come across. Thank you so much for your extensive work on this. You are awesome!

    Reply
  12. Thank you Paul for this very clear explanation.

    While my personalised product is not sold outside Australia, I do have a dot com domain name, and blog within the site.

    You have given me some distinct threads to follow on compliance.

    My CRM definitely is not Australian and I understand your point on “data processor”.

    Thank you and Jon for this invaluable advice.

    Reply
    • Thanks Lesley,

      That’s a good point actually – if you sell a specific product, but you do not ship that product outside Australia, then that is a solid indication that you do not ‘envisage offering goods and services to individuals within the EU’.

      Of course, that isn’t the only factor, but it is an important one that might suggest that you are outside the ‘territorial scope’ of the GDPR.

      thanks
      Paul

      Reply
    • Hi Andreea,

      Almost certainly not – a specific Data Protection Officer is not required unless you are a public body, or your processing constitutes ‘regular and systematic monitoring of data subjects on a large scale’ (especially if you are dealing in certain ‘special categories’ of data such as health, religion, ethnic origin etc).

      If you are unsure, Article 37 of the GDPR contains the details.

      I would think it highly unlikely that you would need to appoint a DPO.

      thanks
      Paul

      Reply
  13. One thing I don’t see here (and haven’t seen in any of the other posts I’ve read on the subject), how can the EU enforce this on people in other countries? In other words, how can a country that I don’t live or do business in, and am not visiting, enforce a law I or those elected to represent me didn’t vote for?

    I also see this backfiring big time in two ways. One, if I’m a small-time blogger that doesn’t directly do business with anyone in Europe and doesn’t have a lawyer on retainer, I might as well say to hell with this law and block all European IP addresses from my blog. That way I don’t have to bother with complying. And second, what’s to stop other countries from making up their own laws to impose on residents of other countries?

    Reply
    • Hey Matt,

      Yep, the geographic scope of the GDPR is one of its more surprising elements. Whether it’s right or wrong is another story altogether.

      I guess the point is that the GDPR only affects people in non-EU countries to the extent that they are impacting EU citizens.

      I think some people will do exactly what you suggest: block visitors from the EU. But that’s a shame (and arguably unnecessary) if you have a readership or revenue coming from the EU.

      And yes, there’s probably nothing stopping (for example) the US creating a law that puts exactly the same obligations on people in the EU, in so far as they target US citizens.

      That gives us something to look forward to 🙂

      Reply
  14. Hey Alex,

    Firstly, I’m glad my ‘IANAL’ (I Am Not A Lawyer) disclaimer is doing its job 😉

    On that (non-lawyerly) basis, and if we assume that GDPR does apply to you:

    – Good job with your double-opt-in, that’s obviously very important;
    – But there’s more to GDPR consent than the visitor just saying that they consent. What are they actually consenting to? This is where the Privacy Policy comes in – by offering the visitor a link to the PP that they can read BEFORE they consent, you are effectively incorporating the rest of the privacy details within that consent.
    – By doing that, not only are your subscribers agreeing to be placed on your email list, they’re also consenting to who you share the data with, the methods you use to protect the data, and so on. This is central to the idea of ‘informed’ consent;
    – Should you have a link to the PP on your landing page? Absolutely. That’s part of being open and transparent. But to be effective, the CHECKBOX really should be included at the point at which they subscribe – because you want their consent to cover 1) delivering the goodie to them and 2) adding them to your mailing list. The double-opt-in will only affect whether or not they end up on the mailing list, not whether they get the goodie or not (I assume)
    – If we’re being really technical, you should probably have 2 consent boxes (sorry!) – one for the goodie and one for the mailing list. Because if they HAVE to sign up for the list in order to get the goodie, then this is arguably not ‘freely given’ consent. If they actually want to be on your mailing list, they’ll check the box.

    This last point, in itself, makes an ‘interesting’ point – we all know that we offer freebies to get people to subscribe. But what if they don’t want to subscribe, they just want the freebie?

    Discuss 🙂

    Reply
    • Hey Alex,

      Ok, that arguably changes things slightly. If the intention is (understandably) to keep your landing page simple and free from barriers to subscribing, and we look at this from a theoretical perspective of ‘how can I legitimately NOT put a consent checkbox on my landing page’, then an approach might be this:

      – you technically need a lawful basis for collecting the email address that allows you to send your confirmation email. Simplest answer is consent. But if we don’t want an annoying consent checkbox, you could argue that collecting the email address is clearly essential to allow you to deliver the thing that the user is asking you for. The ‘contractual’ lawful basis might help you here – i.e. it is lawful to process personal data if it is ‘necessary … in order to take steps at the request of a data subject prior to entering into a contract’. If we read ‘contract’ as ‘agreement’, then it is clearly necessary for you to collect an email address from the individual so that you can do what they’ve asked you to do;
      – Re your point 5 – I completely agree: you are providing valuable information, and it would be reasonable to expect that there would be some ‘quid pro quo’. I personally think that it would be a valid argument to say that you have a ‘legitimate interest’ in adding the individual to your mailing list, as that is in part what allows you to give away valuable goodies in the first place. Your Legitimate Interest is a separate legal basis and can, in theory, justify adding the individual to the list without their specific consent;
      – However, using the legitimate interest lawful basis comes with other responsibilities – you are expected to consider and document your legitimate interest in a way that demonstrates that you can 1) show that it is legitimate, 2) show that the processing is necessary to achieve that interest and 3) have balanced your interest against the individual’s right to privacy.

      In my opinion, I don’t think it would be too hard to establish that what you’ve described is a valid, legitimate interest – especially if 1) you are crystal clear in your privacy policy that the user will be added to a mailing list and 2) the user can unsubscribe at any time.

      So yes, I think it’s possible, but you’ve got to get your ducks in a row …

      Reply
  15. Great article, Paul. Very informative and easily understood. Even though I’m not in the EU zone, it is a good idea to embrace the GDPR principles and go along with it. And the fact that you suggested that there are GDPR enhancements to WordPress in development, including clearer opt-in for commenters, is great as my site is on a WP platform. I will have to edit my Privacy Policy accordingly.

    Thanks for sharing, Paul.

    Reply
    • Thanks Moss!

      Yes, keep an eye out for WP version 4.9.6 – it looks like the release is due in a matter of days, and there appears to be new functionality for Privacy Policies and the ability to erase/export personal data in comments. It also looks like more privacy enhancements are being lined up for v4.9.7 too.

      cheers
      Paul

      Reply
  16. Thank you, Paul. I have been to workshops, attended Webinars and read the ICO information but this is the first time I actually feel I know what I should be doing to comply with the GDPR. I have passed this on to other business owners, even those without a blog, directing them to the 7 steps towards compliance.

    Reply
  17. What is the recommendation about cookies and consent for those? Do we need a popup on the site that says there are cookies that might collect data? If we do, what exactly does that consent need to look like? I am seeing lots of different interpretations of this!

    Reply
    • Hi Lisa, good question

      Firstly, it’s worth pointing out that there is a reason why you’re seeing different interpretations of the rules on cookies:

      The GDPR does not (and was never intended to) give any detailed requirements in relation to cookies. GDPR sets out the general privacy principles which, as we have seen, apply to a broad range of situations.

      The detailed cookie requirements actually come from a SEPARATE regulation, commonly referred to as the Privacy and Electronic Communications Regulation (PECR). The existing PECR was due to be replaced with a new version at the same time as GDPR came into force.

      Unfortunately, the new PECR has been delayed and is unlikely to happen until 2019.

      So we have a frustrating ‘limbo’ situation where the OLD PECR will still apply when the GDPR comes into force – and there are some areas of inconsistency between the two sets of rules.

      For example:
      – GDPR says that cookies can be personal data, and if your legal basis for using cookies is consent, then that consent must be ‘explicit’ consent, indicated by an affirmative action on behalf of the individual;

      But:

      – PECR says that you need consent to place cookies, but that consent can be ‘implied’ (i.e. ‘by continuing to use this site, we assume that you are ok with our use of cookies’).

      These rules are obviously inconsistent with each other.

      So, this is a complex area, but my best summary of the situation is this:

      – From an EU perspective, we should all have been using some form of cookie notification before now, under the PECR. So yes, technically, you should have a notification of some form, with a link to your privacy/cookie policy. But the requirement to do this comes from PECR, and not GDPR;
      – Going by the letter of the GDPR law, if you need consent for ANYTHING, you need EXPLICIT consent, and you’d need to get that consent BEFORE the cookies are set. This is going to provide a real technical challenge for some folk, because it’s not always easy to wait for consent before setting a cookie;
      – But realistically, I cannot imagine any regulator giving a Data Controller a penalty for using IMPLIED consent, while the PECR still says that that is ok. In fact, the UK regulator (the ICO) still uses implied consent on their own website;
      – The current DRAFT of the new version of the PECR shows a softening of attitudes towards ‘non-privacy-intrusive’ cookies, such as analytics cookies – the implication is that no consent will be required to set that type of cookie. But as I say, this is only an indication of what the new rules might say.

      So:

      – If you want to be ultra-safe, you should use a cookie notification, and develop your website in such a way as to only set cookies when you have the explicit consent of the individual;
      – But I personally think there is a good justification for NOT going to this extreme, and that justification boils down to this:
      a) the existing PECR regulations allow implied consent for cookies;
      b) under GDPR, there is a separate legal basis that you might rely upon for the use of many types of cookies, i.e. the ‘legitimate interest of the controller’. But please note the words of caution I gave in the article about using ‘legitimate interest’.

      So this is a bit of risk-based decision. If your site uses cookies, I would suggest that you SHOULD have at least a notification message/banner. But I also know that a lot of site owners will make a conscious decision not to, because of the inevitable impact it has on user experience.

      Personally, I have a cookie notification banner. I set non-privacy-intrusive cookies (analytics and some security cookies) without consent because I believe it is in my legitimate interest to do so, and I’m prepared to justify that position. I will only set marketing (FB) cookies after the user has seen the cookie warning and continued to use the site.

      Usual disclaimer – this is just my opinion and not legal advice – but I hope the context helps in some way to make your decision about your own site.

      thanks
      Paul

      Reply
  18. So you mean to tell me that the European Union can put fines on a blogger or content marketer in the United States and get the money from them if the EU feels the site owner is in violation of GDPR?

    Reply
  19. Hi Paul, today I was sent an email from a US-based company telling me that they will no longer be able to sell goods to me in Australia (including EU countries) because of the GDPR. Is this because they do not wish to comply with this, or is there another reason?
    Thanks
    Russell

    Reply
    • Hi Russell,

      Difficult to say for sure – because there’s nothing in the GDPR that would affect US/Australian sales specifically (i.e. because it’s nothing to do with the EU) – but I have heard of some companies that have decided to simply stop doing business with EU consumers.

      I’m assuming that a company would only do that if their EU sales were low, and the cost of complying with the GDPR wouldn’t be justified based on those sales. Basically, it is a clear way of them demonstrating that they do not ‘envisage offering products or services in the Union’.

      It’s a shame if that’s what’s happening, but I guess it could be a logical response in some circumstances.

      I hope you can get whatever you buy from them from somewhere else 😉

      Reply
  20. Hi Paul: Where it says that one must only hold data for as long as required to achieve the stated objective — supposing someone signs up for something and it says on our site that by signing up they will also receive an ezine and occasional emails, do we need to go in and actually remove people who haven’t been opening our emails? I mean, do we need to be culling our list of people who signed up before GDPR goes into effect and are not active?

    Reply
    • Hi Jill,

      I think there are two different separate issues there:

      1) From a consent perspective, I wouldn’t say there was any direct obligation for you to remove people from a mailing list simply because they don’t open your emails. There is a school of thought, however, that you should periodically review your mailing list and potentially invite people to ‘re-consent’ if they are not engaging with your content. After all, what you really want is a list full of people who are actually interested in what you’re offering. You should certainly use this periodic review to remove addresses that regularly bounce, because this is indicative of old/inaccurate data;

      2) In terms of people who signed up before GDPR goes into effect, you need to ask yourself the question whether the consent you have from them is still valid under GDPR at all. If the consent does not meet GDPR standards, then you wouldn’t technically be able to send emails to them after May 25 unless you had some other lawful basis for doing so. That’s why so many people are sending ‘reconsent’ emails to their list before the 25th.

      hope that helps
      thanks
      Paul

      Reply
  21. This is a fantastic summary, and I have been watching what others are doing to their privacy policies so that I can change mine to be GDPR-compliant.

    Thanks for this! I’m sharing it everywhere!

    Reply
    • Thanks Lorraine – writing (or amending) your privacy policy can actually be a strangely positive experience – because it forces you to think about what you’re doing with people’s data, how you protect it etc. It might seem like a chore, but it can only make us all better prepared in the end.

      All the best
      Paul

      Reply
  22. Wow. This is fantastic. Best GDPR explanation and help that I have come across. Thank you so much for your extensive work on this. You are awesome!

    Reply
  23. Great points throughout this article Paul! Staying compliant is so important especially to those who are looking to make blogging a career. There are a ton of compliance issues with many passive income methods that have been popping up lately including dropshipping and affiliate marketing. Companies like AliExpress often don’t abide by the regulations put in place by US lawmakers. Using a website like SaleHoo.com is your best bet.

    Reply
    • Thanks Ryan – absolutely, it’s only when you really sit down and think about it that you realise how easy it is (too easy maybe?) for information to be passed around and shared. Doing your ‘due diligence’ on any company that you plan to use is a great idea (although I can’t comment on the specific ones you mention).

      cheers
      Paul

      Reply
  24. Hey Paul,
    Thank you so much for this vital information. I am just starting out and being a “Newbie” is very scary. This new requirement probably has seasoned veterans quaking in their boots. With me being such a novice, it scares me to death. However, I feel more comfortable now that I have read your detailed report about how to proceed and the reasons stated. I cannot thank you enough for this submission. It is much appreciated.

    Reply
    • Hey Kenneth – thanks very much, I’m glad it helped. Actually, being a newbie is not a bad place to be right now – it’s almost more difficult for people with established businesses and blogs because changing the way you’ve always done things is arguably more complicated than doing it right in the first place.

      As long as you keep privacy considerations in mind, and you’re open and transparent about what you’re doing, you shouldn’t hit too many obstacles.

      It frightened the life out of me until I started to understand it a bit better.

      All the best
      Paul

      Reply
    • thanks Aboudi – just keep in mind that it can affect you wherever you are based – the important thing is whether you are dealing with the personal data of people in the EU …

      Reply
  25. I find myself in the “do nothing and wait” camp to see how WordPress is going to address this. It literally makes no sense to accept, let alone try to respond to comments if people aren’t requested to leave their email address. I’m sure Europeans would see it differently (some of them anyway), but if they’re inclined to leave a comment, the cost of an email address is a fair price. Otherwise… don’t leave one!

    Otherwise… I don’t have a newsletter and I don’t have a mailing list, and even though I market a couple of products on my blogs I haven’t had a buyer in years. At this juncture I’ll wait to be penalized 20 million Euros (whatever that comes to) and see if they can extradite me someone so they can try to get it from me.

    Reply
    • Hey Mitch. Yes, I can understand your point of view about commenters and their email address. It just depends what you plan to do with those email addresses though. If, hypothetically, somebody planned to send marketing/promotional emails to anyone who commented on their blog, you could argue that it’s only fair to let people know that’s how their data will be used?

      And yes, good luck to anyone trying to get $24million out of me!

      Reply
  26. GDPR has become a buzzword nowadays. In fact, this is quite beneficial both for our audience and us because we’re the audience of different sites.

    Data protection measures should be taken seriously.

    Thanks for bringing almost all the sides of GDPR.

    Reply
  27. Hi,
    correct me if I’m wrong, but I am just wondering. How come you don’t have any Privacy policy or Terms and Conditions pages here on Smart blogger?

    I also don’t get a cookies notification/pop-up here. Could you please explain?

    This is strange to me.

    Cheers

    Reply
  28. Hey Paul,
    Your post was a timely release. The information that it provided was very helpful in that I am lost in some of the terminologies and you have made it easy for me to understand what action is required on my part. This document scared me that I was upset about it until your Post.
    Thank you so much for posting this extremely valuable information.

    Reply
  29. So, for the new bloggers that have yet to build an email list, how does GDPR affect marketing products in the future? Is it worth making a freebie/content upgrade? If so, why?

    Reply
    • Good question. If you have yet to build an email list, you’re in a pretty good position, because ‘getting it right from the start’ is probably much easier than ‘fixing’ an existing list or changing your existing processes.

      If you’re clear with people that you’re going to use their details to market products to them, then fair enough. They can make an informed decision about whether they want to give you their data on that basis – which is why it’s so important to be open and transparent about what you plan to do.

      The problems arise when data is used in a way that is beyond the consent that was given, and where there is no other legitimate basis for doing it.

      Giving away freebies is definitely not a requirement – but it can be useful to help you reinforce your ‘legitimate interest’ in marketing to people if that is the lawful basis that you are relying on.

      cheers
      Paul

      Reply
  30. Hi Paul, thanks for the comprehensive info you’ve put together in this article, all really helpful in clarifying the GDPR minefield! Just wanted to mention something that may help other readers.

    You mention consent a lot and it’s a key part of the legislation, but the burden of course is on businesses to be able to prove that consent in future. Part of this, for email lists, is recording the opt-in form that someone has used to opt in.

    The only advice for people at present seems to be to manually record the forms in some way, e.g. screenshots, the underlying code etc. For a lot of businesses though, this becomes fairly impractical very quickly, especially if you have a lot of forms, you’re split testing them, and so on.

    Would you be interested in some brief info on a solution that auto-records the form each time someone opts in? In other words, for each lead you have an automated record of exactly what the form looked like at time of opt in.

    Reply
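One way to keep the kind of automated opt-in record this comment asks about, as an added example that is not part of the original post or of any product mentioned in the thread (the form markup, email address, form id and timestamp are constructed sample data):

```python
import hashlib
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Content-addressed store of form snapshots: sha256 -> form HTML.
# Each distinct variant (e.g. a split-test version) is stored once,
# so every consent record can point at the exact markup it was captured on.
form_store: Dict[str, str] = {}
consent_log: List[dict] = []

# Constructed sample opt-in form (not from the original page).
SAMPLE_FORM = (
    '<form id="sidebar-v2"><input name="email" type="email">'
    '<label><input type="checkbox" name="marketing"> Send me product offers</label>'
    '<button>Subscribe</button></form>'
)


def form_fingerprint(form_html: str) -> str:
    """Stable identifier for one form variant: the SHA-256 of its markup."""
    return hashlib.sha256(form_html.encode("utf-8")).hexdigest()


def record_consent(email: str, form_id: str, form_html: str,
                   purposes: List[str], when: Optional[datetime] = None) -> dict:
    """Append a consent record and preserve the form the subscriber actually saw."""
    when = when or datetime.now(timezone.utc)
    digest = form_fingerprint(form_html)
    form_store.setdefault(digest, form_html)
    record = {
        "email": email,
        "form_id": form_id,
        "form_sha256": digest,
        "purposes": sorted(purposes),      # what the subscriber agreed to
        "opted_in_at": when.isoformat(),   # UTC timestamp of the opt-in
    }
    consent_log.append(record)
    return record


def evidence_for(email: str) -> List[dict]:
    """Return each consent record for an address together with its form snapshot,
    flagging whether the stored snapshot still matches the hash recorded at opt-in."""
    out = []
    for rec in consent_log:
        if rec["email"] != email:
            continue
        html = form_store.get(rec["form_sha256"])
        intact = html is not None and form_fingerprint(html) == rec["form_sha256"]
        out.append({**rec, "form_html": html, "snapshot_intact": intact})
    return out


def demo() -> dict:
    """Constructed walk-through: one opt-in, then a later edit of the stored form."""
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    rec = record_consent("alice@example.com", "sidebar-v2", SAMPLE_FORM,
                         ["newsletter", "marketing"], when)
    before = evidence_for("alice@example.com")[0]["snapshot_intact"]
    # Simulate someone editing the archived snapshot after the fact.
    form_store[rec["form_sha256"]] = SAMPLE_FORM.replace("Send me", "Do not send me")
    after = evidence_for("alice@example.com")[0]["snapshot_intact"]
    return {"record": rec, "intact_before": before, "intact_after": after}
```

The hash check is what turns a pile of screenshots into evidence: if the archived form no longer matches the fingerprint written at opt-in time, the record is flagged rather than silently trusted.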
  31. Your follow-up comments are almost as good as the article! THANK YOU so much for this! I work with small businesses (dance studio, painter, physical therapist, etc.) whose clientele is strictly local. One other (I hope?) myth is that if you service EU citizens – even if they’re now living in the U.S. – you must comply with GDPR completely for them. Is this true? I certainly see no downside to doing some of the items listed here, but I want to know how nervous I should be and how quickly I need to comply! LOL Thank you again, Paul!

    Reply
    • Thank you Stephanie, very kind 🙂

      Yes, that’s a good point, and is the subject of significant debate.

      The regulation seeks to protect the rights of data subjects who are ‘in the Union’ (i.e. within the EU) – so an EU citizen who has their personal data processed as a result of their activities when they were not in the EU is unlikely to have the protection of the GDPR.

      I’m choosing my words carefully here because this IS complicated – but I would say it boils down to this:

      – For Data Controllers who ARE based in the EU, the GDPR applies and it almost doesn’t matter whether your ‘data subjects’ are within the EU, resident in the EU or otherwise – you’re caught by the GDPR because YOU, the controller, are in the EU;
      – For Data Controllers OUTSIDE the EU, all of the considerations about Territorial Scope in the article apply – but if you have concluded that the GDPR otherwise does not apply to you, the fact that an EU citizen uses your services while they are outside the EU shouldn’t make any difference – because they are not ‘in the Union’ at the time.

      So your specific example seems reasonably clear:
      1) you provide local services in the US;
      2) you do not in any way provide (or envisage providing) services to people in the EU;
      3) you simply happen to know that some of your local clients are EU citizens, but they now live in the US.

      On the face of it, 1) and 2) imply that you are outside the territorial scope of the GDPR. My opinion is that 3) does not alter that fact because those people are not ‘in the Union’.

      I think it gets more complicated for people passing through the US (vacation etc) because then there’s the question about what’s required when they are back in the EU.

      I hope that helps – it is, as always, subject to my usual caveat that this is not legal advice 😉

      all the best
      Paul

      Reply
  32. Or you could just have stated the obvious; instead of pretending that Americans need to pay attention to this, at all:

    1) The EU has zero jurisdiction over a United States-based blog or site.

    2) The EU has literally no way of seizing a US-based website or enforcing any kind of European civil or criminal judgement against a United States citizen, ever.

    So why would I bother paying attention to their ridiculous rules?

    Reply
  33. The article mentions very good and useful points. It nicely explains everything one needs to know about GDPR.
    Thanks for sharing the information with us.

    Reply
  34. Highly informative comprehensive article. Thank you for breaking it down into very thorough albeit complex morsels. Not the most joyful subject but necessary to understand to protect oneself. It’s distressing that our blogging world has come down to this control.

    Reply
  35. Thank you so much, Paul, for that; the article was exactly what I was looking for: an easy and relatable guide to understanding GDPR. Finally, a big step towards protection of data and reducing data breaches.
    I came across this website that helps you monitor security controls and policies and can prove that your regulatory compliance is in place. Securing gives you a bird’s-eye view of your IT environment; you can detect, investigate and actively respond to cyber attacks in real time.
    It also provides you with the best log management tool for small business.

    Reply
  36. According to GDPR, in general, the consumers and users may have more stated rights regarding the use and erasure of their data and they must have the clear and accountable process and intentions about their data collection. Another important element is compelling companies to notify users of data breaches.

    Reply
  37. Thanks for sharing wonderful information. But the European Union is forcing companies to intensify privacy-specific policies, instead of implementing a separate GDPR-friendly policy for EU countries.

    Reply
  38. What a great post, I will suggest your blog to my colleagues because here I found very appropriate information.
    It will help my Digital Marketing Institute students to explore more about GDPR.

    Reply
  39. So what about free WordPress.com blogs? I need help making sure my blog is GDPR compliant as I don’t want to go to prison for it. Please help me. Thanks.

    Reply
  40. Scary stuff… very thankful I know now though.

    It’s actually a good thing in my opinion to start implementing some stricter regulations on data collection. A lot of the tech giants are collecting what most consider to be completely unnecessary data that’s actually kind of creepy, like your face, current location, all conversations, etc.

    Reply
  41. I have a question. I use wordpress.com so I am not sure if I am responsible for GDPR compliance or if they are. Also, do you go to prison and become a felon for non-compliance? Thanks.

    Reply
  42. Thanks for the long article. I guess I am a bit late to the party, but I was doing research trying to figure out how this affects me if I am not in Europe, and it seems that I have a bit of homework to do now.

    Reply
  43. Thank you for a great article! It really opened my eyes to how the cookie announcement seems to appear on every site I open. I had not thought before that blog writers may also be responsible for giving announcements on what information they collect from readers. Great to read your simplified explanations about GDPR!

    Reply