Big fat disclaimer: This is not legal advice. I am not a legal professional. N qualified to practise back in the day but I hardly think that qualifies me to be anyone’s sole source of advice pertaining to The Law, does it? (No!!) So, whilst I’ve done some decent research here and think I’ve covered the salient points, bear in mind that you are still responsible for how you handle data and should prepare yourself accordingly. Also, data is a plural and you can fight me.
Folks, you’ve heard of the Data Protection Act 1998, yes? Chances are that a lot of you have bumped into this legislation in the workplace as companies try their best to ensure that data are handled safely and lawfully and no-one on the payroll leaves a laptop full of sensitive information in a skip anywhere. The GDPR (General Data Protection Regulation) is a regulation enacted by the EU that will finally come into effect on 25 May 2018. It will replace the Data Protection Act 1998. LIKE TOTALLY. It has a much broader scope, gives greater rights to individuals, has tougher punishments for non-compliance, and is basically a whole lot better and more fit for purpose. #Remain, y’all. I ❤ the EU.
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act. As mentioned above, it gives more privacy and control to individuals (that includes you as an individual too, woohoo! read more here) and it gives regulatory authorities more power to take tougher action against those companies/organisations that break the rules. Down with spam texts yassss. (Note: ‘tougher action’ is actually quite terrifying and can be a fine up to €20 million so, srsly, you need to know this stuff. I mean I doubt very much a blogger would be treated in the same way as a large EU corporation but if you monetise your blog and hold a lot of user data you are at risk of serious penalties and ignorance will not be an acceptable excuse.)
Changes that need to be made by YOU as a blogger/organisation/employee very much depend on your current practice (i.e. how good it is) and to what extent you use data, how you collect, etc.
Some parts of the GDPR will have more of an impact on you than others. If you’re a blogger engaging in no PR, with no mailing list, and you only collect cookies/tracking data, very little will apply to you. If your blog is monetised and is your main source of income and you manage multiple mailing lists, there is a lot to think about.
Does it apply to me?
Any companies or organisations that collect and/or process the personal data of EU individuals are affected, and it’s important that you’re able to demonstrate compliance with the rules. So to check whether they apply to you, read on.
But I’m just a blogger, aren’t I exempt? (something about personal or household activities?)
You might be, but if you gather data, you’re probably not exempt. Here is the actual clause that talks about this:
“This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.”
What is ‘personal data’ anyway?
‘Personal data’ is defined as “any information relating to an identified or identifiable natural person”, for example, name, email, address or even an IP address or Instagram handle. The definition has now become much broader and includes identifiers such as genetic, mental, cultural, economic, social identity. You can explore this definition in more detail here.
How do I know if I’m processing personal data?
The processing of personal data refers to “any operation or set of operations which is performed on personal data”. Therefore, simply logging an IP address on your web server constitutes processing of personal data of a user. So this definitely applies to collecting email addresses for a mailing list or competition.
Ok, I am collecting and/or processing personal data. What do I need to know?
I’ll split this into the considerations I believe to be relevant to bloggers, no matter the scale of your popularity, engagement, or influence. (This assumes you are a one-person operation and are not a registered business/company with multiple employees.)
- You must have a ‘lawful basis’ for collecting and processing data.
- You must ensure you obtain consent in a robust and transparent way.
- You must ensure that you comply with the rules, protect data, and be prepared to be held accountable.
In more detail:
1. You must have a ‘lawful basis’ for collecting and processing data.
This is a key change in data processing law. Everyone/anyone who processes data must identify a legal basis for doing so. You can’t make one up (unfortunately) but there are six lovely ones to choose from that are broadly the same as the conditions for processing in the Data Protection Act. You can check out the six legal bases for collecting/processing data here.
In my view, consent is the likeliest legal basis for collecting/processing data for bloggers. This means you are legally allowed to use people’s data because the individuals concerned have consented to let you. Personally I think ‘legitimate interests’ is shaky ground as a blogger’s lawful basis, especially as “it should be for the controller to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.” But you should make your own mind up! The important thing is to be transparent about your legal bases and to document them carefully (more on that below).
2. You must ensure you obtain consent in a robust and transparent way.
This is a key change too. Consent to gather personal data must be a positive opt-in process. Assumed consent, or a negative opt-in (i.e. If you would not like us to not do the thing, consider not thinking about not unticking this box) are explicitly not allowed. When you ask for consent, be clear with people about:
- which data are going to be stored
- how data are going to be stored
- who has access to the data
- how a user can view the data and/or withdraw access to the data (consequently deleting the data, if required)
Keep evidence of consent – who, when, how, and what you told people.
The regulations say you should avoid making consent to processing a precondition of a service (i.e. joining a mailing list to get access to an eBook or other freebie). If you’d like to read the full guidance around consent, you can do that here.
Existing consent (for example, people who have signed up to your blog’s mailing list in the past, whether directly or as part of a competition entry or freebie) must be assessed against these new standards. So make sure you have retrospective evidence of consent (the who, when, how, and what mentioned above) and if you don’t, you need to think about checking in with all those individuals whose data you hold and making sure they’re aware of your shiny new privacy statement/declaration!
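To make the evidence requirement concrete, here is a small consent ledger that records the who/when/how/what described above, refuses anything that is not an affirmative opt-in, lets a person export or withdraw their data, and flags legacy sign-ups that lack evidence. This is an added example written for this page, not code from the original post; the privacy notice text, class and method names are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample privacy notice. Its hash is the "what you told people" evidence,
# so a later rewording of the notice produces a different version identifier.
PRIVACY_NOTICE = "We store your email address to send the monthly newsletter. Unsubscribe any time."


def notice_version(text: str) -> str:
    """Short, stable identifier for the exact wording shown at sign-up."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:12]


class ConsentLedger:
    """Hypothetical in-memory ledger: consent evidence kept beside the data it covers."""

    def __init__(self):
        self.records = {}   # email -> {who, when, how, what}
        self.subjects = {}  # email -> personal data actually held

    def record_opt_in(self, email, method, ticked, notice_text, when=None):
        # Positive opt-in only: an untouched or pre-ticked box is not consent.
        if not ticked:
            raise ValueError("no affirmative opt-in: consent not recorded")
        when = when or datetime.now(timezone.utc)
        self.records[email] = {"who": email, "when": when.isoformat(),
                               "how": method, "what": notice_version(notice_text)}
        self.subjects[email] = {"email": email}
        return self.records[email]

    def export(self, email):
        # Subject access request: everything held about the person plus the consent evidence.
        if email not in self.subjects:
            return None
        return {"data": self.subjects[email], "consent": self.records[email]}

    def withdraw(self, email):
        # Withdrawal removes both the data and the consent record; no copy is kept.
        self.subjects.pop(email, None)
        self.records.pop(email, None)
        return email not in self.subjects

    @staticmethod
    def needs_reconsent(legacy):
        # Legacy entries missing any of when/how/what cannot be evidenced and need a fresh opt-in.
        required = ("when", "how", "what")
        return sorted(email for email, ev in legacy.items()
                      if any(not ev.get(k) for k in required))
```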
3. You must ensure that you comply with the rules, protect data, and be prepared to be held accountable.
Listen y’all, I know this stuff is pretty dry, but as mentioned above, ignorance of the legislation will not be an acceptable excuse if you’re not able to demonstrate that you’re complying with the law and protecting data adequately. Thankfully, this is a lot less complicated for a blogger than for the monumentally large organisation that I work for in my day job (for example). Even if you monetise your blog and have numerous mailing lists, it’s a pretty simple process once you get going. For more information about that process, read on my friends!
What to do next
There are a few important steps to follow if you collect and/or process data as a blogger. You’ll be pleased to know that if you’ve read this far, you’re already well on your way to completing step one!
The first step is to read up on the upcoming changes and make sure you’re aware of how they will affect you.
Find out and document which data you have right now, where the data came from, and who you share the data with. (Get rid of any data you don’t need.) If you can’t document or show the evidence of consent, you should reach out to those people and ask them to actively re-consent if they want to remain updated on all your blog’s happenings (or, yanno, whatever the purpose of keeping the data is).
Review any current privacy notices/disclaimers, and make any necessary changes. Or you might need to create a privacy notice from scratch. This might be the text on your mailing list sign-up form, or the statement on your disclaimer page. See below for advice on creating a privacy statement!
Identify your lawful basis for collecting and processing data. Is it consent? If so, ensure you follow the guidelines above and you should be good to go!
Make sure that your own processes cover all of the rights that individuals have, including how you’d delete personal data, or provide it electronically should anyone make a subject access request (unlikely, but possible!) If you use MailChimp or another similar provider, chances are your mailing list emails will have an easy unsubscribe option, and you’ll be able to pull out data should anyone ask to see their own.
Think about whether you are likely to collect data relating to anyone under the age of 16. If so, you may need to obtain parental or guardian consent, so this is worth considering! Click here for more info.
Make sure you know what you’ll do in the event of a data breach. This is super important as you’ll be required to notify authorities and the user(s) themselves within 72 hours of discovering a data breach. A breach could be something as simple as accidentally sending one user’s data to another. So you need to make sure you have a plan in place in case that happens. GDPR sets out clear requirements for securing personal data (e.g. encryption, monitoring, controlling who has access). Read more about personal data breaches here.
Be aware of the rules around WordPress plugins. You are responsible for how plugins process data via your website! There are even plugins for ensuring your plugins are compliant. Wot?
You should add a privacy statement to your blog. Begin with the template below, and amend to suit your blogging practices:
Things to think about
It’s tricky for bloggers to relate some of the legislation to their own practice, but it would be wise to start thinking about some of the issues listed here:
- Do you use email addresses for any purpose other than that originally outlined to your readers? (e.g. originally a competition entry and now added to a mailing list or passed on to a PR agency or brand)
- Have you had a major rebrand yet continued to maintain the same mailing list(s)?
- Do you use freebies as a way to recruit mailing list members?
- Do you collect data from anywhere you shouldn’t? (Facebook groups, Twitter, blog comments.)
- Can you demonstrate positive, opt-in consent for every individual’s data you hold?
I’d encourage you to read other bloggers’ views on GDPR, and there are a couple of excellent posts here:
All pictures are from Pixabay, thanks Pixabay!