I don’t know if you blissfully ignored it or if you have been reading up on the topic, but the GDPR (General Data Protection Regulation) takes effect in Europe tomorrow (and yes, that very likely affects you too, even if you don’t live in Europe).
I am sure you have at the very least noticed a flood of “privacy update” emails in the last couple of weeks. Everybody is scrambling to make sure their website is compliant.
I know, it’s a little bit overwhelming and the knee-jerk response might be to employ the head-in-the-sand attitude and ignore it, but is that really a good idea?
Probably not. But I will say, my head has been spinning with all the information about the GDPR.
In general, data protection is a good idea, right? But when I first heard about it, it seemed to be geared more towards big data-hog companies (like Google) and less towards small bloggers (like me). For small bloggers, determining what needs to be done to be compliant turns out to be quite a task. So much happens “behind the scenes” of a blog. Even if you self-host, your hosting service is still involved in the background. So, virtually nobody seems to be exempt in this scenario, and I’d rather be safe than sorry.
The Five GDPR Basics You Absolutely Must Know¹
- It applies to anyone who processes “personal data” — Most obviously, that’s things like names, email addresses and other types of “personally identifiable information”;
- It creates significant new responsibilities — If you process personal data, you are now truly responsible and accountable for its security and the way it is used;
- It has a global reach — It might be an EU law, but it can apply to anyone, regardless of their location;
- It doesn’t just apply to traditional businesses — The principles are concerned with what you do with other people’s data, not who you are or why you do it;
- There are eye-watering fines for non-compliance — up to €20 million ($24m) or 4% of global revenue, whichever is higher.
I think it’s fairly self-evident that if you use the Internet and visit a website, some information about your visit is collected, most likely your IP address, possible location, and the device and browser you’re using (unless you enable private browsing, I suppose). I don’t know how the Internet would work otherwise.
Obviously, you can visit this blog without submitting any other personal information; however, if you want to leave a comment and engage with the author of a blog (me!), you will be asked to submit your name and email address (so that I can verify your identity and engage with you).
I am not going over all the details of the GDPR (you can read up on other sites that have already done the work of gathering the relevant information; see some links below), but I thought I’d share what I have done to get my blog compliant.
The basic principles you want to keep in mind, whether you run a personal blog, a small business, or a big company, are:
1. You must process personal data in a way that is lawful, fair and transparent (e.g. disclose which data you’re collecting and why).
2. You must only use personal data for the specific purposes that you have declared (e.g. you can’t use email addresses that people shared when commenting to send them a newsletter; they have to sign up for that separately).
3. You must collect only the minimum amount of personal data required to achieve your stated objective (e.g. you can’t collect a postal address and phone number from a person if you only intend to send an email newsletter, unless there is another specific reason why you need this information).
4. You must take all reasonable steps to ensure that any data you collect is accurate and kept up to date (e.g. correct or delete wrong or bouncing email addresses promptly).
5. You must only hold personal data for as long as is required to achieve the stated objective (e.g. make sure that logs and other data are deleted once they are no longer needed).
6. You must process personal data in a way that ensures appropriate security (e.g. strong passwords, serving the site over HTTPS, keeping software up to date, and restricting who can access the data).
Here are some things I have done to comply with the GDPR:
(Disclaimer: I am not a lawyer and make no claims to the accuracy or completeness of these suggestions. I take no responsibility for the advice provided. It is entirely your responsibility to be aware and fully compliant with regulations that apply to your website.)
+ I verified that my blog is installed on a secure server, which means all communications between your browser and the website are encrypted. (Check by clicking https://theinbetweenismine.com).
+ I added a snippet of code into my WordPress (child) theme to omit the IP address when you submit a comment and deleted old IP addresses from my server.
+ I added a checkbox to my comment form and contact form for you to consent before you submit personal information.
+ I have disabled Google Analytics for now, because I don’t really care that much about my blog stats and will do some more research to see how it can be implemented safely, if I decide to use it again in the future.
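As an added illustration of the two code changes in the list above (not the snippet from this blog), here is what the equivalent looks like in a WordPress child theme’s functions.php. The hook names (pre_comment_user_ip, comment_form_default_fields, preprocess_comment) and the helpers __return_empty_string, esc_html__ and $wpdb are real WordPress APIs; the tibim_ function names, the consent wording and the IP-coarsening variant are my own assumptions.

```php
<?php
/**
 * Added example (not the blog's own code): GDPR-motivated comment handling
 * for a WordPress child theme's functions.php. Hook names are real WordPress
 * hooks; the "tibim_" function names and the consent wording are assumptions.
 */

// 1. Store no IP address at all for new comments (the approach described above).
//    wp_filter_comment() applies this filter before the comment row is written.
add_filter( 'pre_comment_user_ip', '__return_empty_string' );

// 1b. Alternative: keep a coarsened IP (IPv4 /24, IPv6 /48) instead of none,
//     e.g. if a spam filter needs something to work with. Use this instead of
//     the line above:  add_filter( 'pre_comment_user_ip', 'tibim_anonymize_ip' );
function tibim_anonymize_ip( $ip ) {
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets    = explode( '.', $ip );
        $octets[3] = '0';                      // 203.0.113.77 -> 203.0.113.0
        return implode( '.', $octets );
    }
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        $packed = inet_pton( $ip );            // 16 raw bytes
        if ( false === $packed ) {
            return '';
        }
        // Keep the first 6 bytes (48 bits), zero the remaining 10.
        return inet_ntop( substr( $packed, 0, 6 ) . str_repeat( "\0", 10 ) );
    }
    return '';                                 // unrecognised input: store nothing
}

// 2. Add a consent checkbox to the comment form. These default fields are only
//    rendered for logged-out visitors, so logged-in users are handled in step 3.
function tibim_consent_field( $fields ) {
    $fields['tibim_consent'] = '<p class="comment-form-consent">'
        . '<input id="tibim_consent" name="tibim_consent" type="checkbox" value="yes" required /> '
        . '<label for="tibim_consent">'
        . esc_html__( 'I consent to this site storing my name, email address and comment so that my comment can be published.', 'tibim' )
        . '</label></p>';
    return $fields;
}
add_filter( 'comment_form_default_fields', 'tibim_consent_field' );

// 3. Enforce the checkbox server-side: the "required" attribute is only a
//    browser hint, and a bot or a hand-crafted POST will simply omit the field.
function tibim_require_consent( $commentdata ) {
    if ( ! is_user_logged_in() && empty( $_POST['tibim_consent'] ) ) {
        wp_die(
            esc_html__( 'Please tick the consent box before submitting your comment.', 'tibim' ),
            esc_html__( 'Consent required', 'tibim' ),
            array( 'response' => 403, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'tibim_require_consent' );

// 4. One-off cleanup of IPs already stored for older comments ("deleted old IP
//    addresses"). Run once, e.g. with WP-CLI:  wp eval 'tibim_scrub_stored_ips();'
//    Returns the number of rows updated (or false on a database error).
function tibim_scrub_stored_ips() {
    global $wpdb;
    return $wpdb->query( "UPDATE {$wpdb->comments} SET comment_author_IP = '' WHERE comment_author_IP <> ''" );
}
```

Putting this in the child theme (rather than the parent theme) is what keeps it from being overwritten by a theme update. Note that the consent box here is separate from the “save my name, email, and website in this browser” cookie checkbox that WordPress itself added in version 4.9.6; that one only governs the browser cookie, not your storage of the comment. Keep the user-facing wording of the checkbox aligned with whatever your privacy policy actually says you do with the data.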
It seems like there are some straightforward steps you can take to make your blog/website safe to use for visitors, but at the same time, there is no single solution that will make a website compliant (because every website is different and uses/offers different services).
I have gathered a few websites that might help you get compliant (if you read nothing else, read the first article; it explains the GDPR and its reach fairly well):