The GDPR and Bloggers – what you need to know

Posted on 13/03/2018 | 23 Comments
Ahoy, hello! My name is Jenny. I am a thirty-something human female from Manchester in the north of England. I enjoy rainy days and sad songs, custard donuts and salt & pepper chips and beer, lentil dhal and fried okra, X-Files and Twin Peaks, fierce fat heroines and mental health advocates, dogs and cats and otters and a very special beirdo. To paraphrase Sylvia Plath: "I blog because there is a voice within me that insists on writing lots of ridiculous chuff".

Big fat disclaimer: This is not legal advice. I am not a legal professional. N qualified to practise back in the day but I hardly think that qualifies me to be anyone’s sole source of advice pertaining to The Law, does it. (No!!) So, whilst I’ve done some decent research here and think I’ve covered the salient points, bear in mind that you are still responsible for how you handle data and should prepare yourself accordingly. Also, data is a plural and you can fight me.

Introduction: GDPwhatnow?

Folks, you’ve heard of the Data Protection Act 1998, yes? Chances are that a lot of you have bumped into this legislation in the workplace as companies try their best to ensure that data are handled safely and lawfully and no-one on the payroll leaves a laptop full of sensitive information in a skip anywhere. The GDPR (General Data Protection Regulation) is regulation enacted by the EU that will finally come into effect on 25 May 2018. It will replace the Data Protection Act 1998. LIKE TOTALLY. It has a much broader scope, gives greater rights to individuals, has tougher punishments for non-compliance, and is basically a whole lot better and more fit for purpose. #Remain, y’all. I ❤ the EU.

A graphic showing yellow EU stars on a blue background with a padlock in the middle.

Key principles

Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act. As mentioned above, it gives more privacy and control to individuals (that includes you as an individual too, woohoo! read more here) and it gives regulatory authorities more power to take tougher action against those companies/organisations that break the rules. Down with spam texts yassss. (Note: ‘tougher action’ is actually quite terrifying and can be a fine up to €20 million so, srsly, you need to know this stuff. I mean I doubt very much a blogger would be treated in the same way as a large EU corporation but if you monetise your blog and hold a lot of user data you are at risk of serious penalties and ignorance will not be an acceptable excuse.)

Changes that need to be made by YOU as a blogger/organisation/employee very much depend on your current practice (i.e. how good it is), on the extent to which you use data, on how you collect it, and so on.

Some parts of the GDPR will have more of an impact on you than others. If you’re a blogger engaging in no PR, with no mailing list, and you only collect cookies/tracking data, very little will apply to you. If your blog is monetised and is your main source of income and you manage multiple mailing lists, there is a lot to think about.

Does it apply to me?

Any companies or organisations that collect and/or process the personal data of EU individuals are affected, and it’s important that you’re able to demonstrate compliance with the rules. So to check whether they apply to you, read on.

A MacBook on a wooden desk, alongside some paper and a pen pot.

But I’m just a blogger, aren’t I exempt? (something about personal or household activities?)

You might be, but if you gather data, you’re probably not exempt. Here is the actual clause that talks about this:

“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”

What is ‘personal data’ anyway?

‘Personal data’ is defined as “any information relating to an identified or identifiable natural person”, for example a name, email address, postal address, or even an IP address or Instagram handle. The definition has now become much broader and includes identifiers relating to genetic, mental, cultural, economic or social identity. You can explore this definition in more detail here.

How do I know if I’m processing personal data?

The processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, simply logging an IP address on your web server constitutes processing of personal data of a user. So this definitely applies to collecting email addresses for a mailing list or competition.

A graphic showing four monitors with silhouetted heads and arrows pointing to the centre.

Ok, I am collecting and/or processing personal data. What do I need to know?

I’ll split this into the considerations I believe to be relevant to bloggers, no matter the scale of your popularity, engagement, or influence. (This assumes you are a one-person operation and are not a registered business/company with multiple employees.)

  1. You must have a ‘lawful basis’ for collecting and processing data.
  2. You must ensure you obtain consent in a robust and transparent way.
  3. You must ensure that you comply with the rules, protect data, and be prepared to be held accountable.

In more detail:

1. You must have a ‘lawful basis’ for collecting and processing data.

This is a key change in data processing law. Everyone/anyone who processes data must identify a legal basis for doing so. You can’t make one up (unfortunately) but there are six lovely ones to choose from that are broadly the same as the conditions for processing in the Data Protection Act. You can check out the six legal bases for collecting/processing data here.

In my view, consent is the likeliest legal basis for collecting/processing data for bloggers. This means you are legally allowed to use people’s data because the individuals concerned have consented to let you. Personally I think ‘legitimate interests’ is shaky ground as a blogger’s lawful basis, especially as “it should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.” But you should make your own mind up! The important thing is to be transparent about your legal bases and to document them carefully (more on that below).

2. You must ensure you obtain consent in a robust and transparent way.

This is a key change too. Consent to gather personal data must be a positive opt-in process. Assumed consent, or a negative opt-in (i.e. If you would not like us to not do the thing, consider not thinking about not unticking this box) are explicitly not allowed.

Individuals who consent to give their data must understand, clearly, what they are agreeing to. This means that they must confirm that their data can be collected, and be able to find a clear privacy policy on your site that shows:

  • which data are going to be stored
  • how data are going to be stored
  • who has access to the data
  • how a user can view the data and/or withdraw access to the data (consequently deleting the data, if required)

Keep evidence of consent – who, when, how, and what you told people.

The regulations say you should avoid making consent to processing a precondition of a service (i.e. joining a mailing list to get access to an eBook or other freebie). If you’d like to read the full guidance around consent, you can do that here.

Existing consent (for example, people who have signed up to your blog’s mailing list in the past, whether directly or as part of a competition entry or freebie) must be assessed against these new standards. So make sure you have retrospective evidence of consent (the who, when, how, and what mentioned above) and if you don’t, you need to think about checking in with all those individuals whose data you hold and making sure they’re aware of your shiny new privacy statement/declaration!

3. You must ensure that you comply with the rules, protect data, and be prepared to be held accountable.

Listen y’all, I know this stuff is pretty dry, but as mentioned above, ignorance of the legislation will not be an acceptable excuse if you’re not able to demonstrate that you’re complying with the law and protecting data adequately. Thankfully, this is a lot less complicated for a blogger than for the monumentally large organisation that I work for in my day job (for example). Even if you monetise your blog and have numerous mailing lists, it’s a pretty simple process once you get going. For more information about that process, read on my friends!

A cup of herbal tea on a desk, with an iPad held by a pair of pale-skinned hands. There is a little bit of floral sleeve showing.

What to do next

There are a few important steps to follow if you collect and/or process data as a blogger. You’ll be pleased to know that if you’ve read this far, you’re already well on your way to completing step one!

Step One

The first step is to read up on the upcoming changes and make sure you’re aware of how they will affect you.

Step Two

Find out and document which data you have right now, where the data came from, and who you share the data with. (Get rid of any data you don’t need.) If you can’t document or show the evidence of consent, you should reach out to those people and ask them to actively re-consent if they want to remain updated on all your blog’s happenings (or, yanno, whatever the purpose of keeping the data is).

Step Three

Review any current privacy notices/disclaimers, and make any necessary changes. Or you might need to create a privacy notice from scratch. This might be the text on your mailing list sign-up form, or the statement on your disclaimer page. See below for advice on creating a privacy statement!

Step Four

Identify your lawful basis for collecting and processing data. Is it consent? If so, ensure you follow the guidelines above and you should be good to go!

Step Five

Make sure that your own processes cover all of the rights that individuals have, including how you’d delete personal data, or provide it electronically should anyone make a subject access request (unlikely, but possible!). If you use MailChimp or another similar provider, chances are your mailing list emails will have an easy unsubscribe option, and you’ll be able to pull out data should anyone ask to see their own.

Step Six

Think about whether you are likely to collect data relating to anyone under the age of 16. If so, you may need to obtain parental or guardian consent, so this is worth considering! Click here for more info.

Step Seven

Make sure you know what you’ll do in the event of a data breach. This is super important as you’ll be required to notify authorities and the user(s) themselves within 72 hours of discovering a data breach. A breach could be something as simple as accidentally sending one user’s data to another. So you need to make sure you have a plan in place in case that happens. GDPR sets out clear requirements for securing personal data (e.g. encryption, monitoring, controlling who has access). Read more about personal data breaches here.

Step Eight

Be aware of the rules around WordPress plug-ins. You are responsible for how plugins process data via your website! There are even plugins for ensuring your plugins are compliant. Wot?

Privacy policy

You should add a privacy statement to your blog. Begin with the template below, and amend to suit your blogging practices:

“We do not share personal information with third-parties nor do we store information we collect about your visit to this blog for use other than to analyse content performance through the use of cookies, which you can turn off at anytime by modifying your Internet browser’s settings. We are not responsible for the republishing of the content found on this blog on other Web sites or media without our permission. This privacy policy is subject to change without notice.” [source]

Things to think about

It’s tricky for bloggers to relate some of the legislation to their own practice, but it would be wise to start thinking about some of the issues listed here:

  • Do you use email addresses for any purpose other than that originally outlined to your readers? (e.g. originally a competition entry and now added to a mailing list or passed on to a PR agency or brand)
  • Have you had a major rebrand yet continued to maintain the same mailing list(s)?
  • Do you use freebies as a way to recruit mailing list members?
  • Do you collect data from anywhere you shouldn’t? (Facebook groups, Twitter, blog comments.)
  • Can you demonstrate positive, opt-in consent for every individual’s data you hold?
  • Are you confident about data security, and do you have a privacy policy easily available to your readers?

Further resources

I’d encourage you to read other bloggers’ views on GDPR, and there are a couple of excellent posts here:

All pictures are from Pixabay, thanks Pixabay!

  1. I’m blogging in the USA and of course have readers from all around the world. This is a terrific and super helpful post, thanks so much Jenny! And loved reading a little about you above and on your “About” Page. Including the detailed name of your work and how open you are to all comers. It’s what we need on this planet – more love, more open arms.

    Thank you!

  2. Great post Jenny – I’ve spent this afternoon reading up on GDPR and man my head is spinning! I’ve grown an email list through opt-in freebies up to now which clearly isn’t going to work (well, in the same way anyway) going forward. But I’m guessing that even a comment system like this which captures and stores personal data in your WordPress comment dashboard will be something to look at? So much work!

  3. The opt in thing is the hard one. I’ve read that it’s dependent on how you phrase it. So sign up to the newsletter and get access to my free resources, vs get my freebie and be added to my mailing list? I’ve not worked out the wording I could use in future, otherwise there’s an awful lot of bloggers who need to rethink including all the training courses advising to do opt ins. (Obviously once they’ve signed up without an opt in they can then get offered the freebies if wanted but that’s not best for growing a mailing list)

    1. I’ve been thinking about this too. I don’t offer freebies yet, I’m still a beginner blogger, but I was thinking about adding one to grow my mailing list. I think something like the first phrase you wrote “sign up to the newsletter and get access to my free resources” or “there’s a special gift for all my email subscribers” “if you sign up to my weekly newsletter you’ll also get this gift”. Something along these lines.

  4. I am so delighted to have found your blog – I have been worrying about how to comply with GDPR. I use WordPress who have been as useful as a chocolate tea pot regarding advice.

    If any other users are on WordPress, I would love to know how to set up an ‘opt in’ – there is an unsubscribe on every email that is sent, but I don’t think that is good enough!

  5. You forgot that you need to register with the ICO (Information Commissioner’s Office) if you monetize/make money from your blog, which you seemingly do. It costs currently £40, rising annually. Yeah, the EU is great.

    1. Actually, my blog isn’t monetized (though it costs me plenty!) and I am not obliged to pay a fee. Nor are other bloggers if they process personal data only to advertise and market their own goods and services. If bloggers operate as a business/sole trader and use data to advertise and market other goods/services, then a fee is due. There is a fee self-assessment tool here for anyone who is unsure:

      1. Did you answer “None of the above” in the ICO self assessment to question 7 “Are you processing information for any of the following purposes”? Because your blog is Journalism/Media. For example your reviews could appear in women’s/lifestyle magazine. So you have to pay.

          1. I happen to have a master’s degree in journalism, so I know what journalism and media is. Quite a lot is included in this definition. So even if you think your blog is not, that doesn’t matter. So you are already violating the GDPR laws.

            And sorry that a reader actually dares to use the comment function provided by you for the readers.

            I suggest that you put a notice there, that the comment function is only for readers who agree with you.

            1. Pls go ahead and report me to whomever you deem appropriate, Huberto MA (Hons)! Disagreement is fine, mansplaining will be shown no mercy.

  6. Great one Jenny. I was reading through different articles on GDPR today and came across yours. It was a helpful post.
    Thank You for sharing such a piece of information.

  7. Hi, how can you write about GDPR and not even have a decent privacy policy on your own blog? That’s incredible!
