I don’t know if you blissfully ignored it or if you have been reading up on the topic, but the GDPR (General Data Protection Regulation) goes into effect in Europe tomorrow (and yes, that also very likely affects you, even though you might not live in Europe).
I am sure you have at the very least noticed a flood of “privacy update” emails in the last couple of weeks. Everybody is scrambling to make sure their website is compliant.
I know, it’s a little bit overwhelming and the knee-jerk response might be to employ the head-in-the-sand attitude and ignore it, but is that really a good idea?
Probably not. But I will say, my head has been spinning with all the information about the GDPR.
In general, data protection is a good idea, right? But when I first heard about it, it seemed to be geared more towards big data-hogging companies (like Google) and less towards small bloggers (like me). For small bloggers, determining what needs to be done to be compliant turns out to be a huge task. So much happens “behind the scenes” of a blog. Even if you self-host, your hosting service is still involved in the background. So virtually nobody seems to be exempt in this scenario, and I’d rather be safe than sorry.
The Five GDPR Basics You Absolutely Must Know¹
- It applies to anyone who processes “personal data” — Most obviously, that’s things like names, email addresses and other types of “personally identifiable information”;
- It creates significant new responsibilities — If you process personal data, you are now truly responsible and accountable for its security and the way it is used;
- It has a global reach — It might be an EU law, but it can apply to anyone, regardless of their location;
- It doesn’t just apply to traditional businesses — The principles are concerned with what you do with other people’s data, not who you are or why you do it;
- There are eye-watering fines for non-compliance — up to €20 million ($24m) or 4% of global revenue, whichever is higher.
I think it’s fairly self-evident that if you use the Internet and visit a website, some information about your visit is collected, most likely your IP address, possible location, and the device and browser you’re using (unless you enable private browsing, I suppose). I don’t know how the Internet would work otherwise.
Obviously, you can visit this blog without submitting any other personal information; however, if you want to leave a comment and engage with the author of a blog (me!), you will be asked to submit your name and email address (so that I can verify your identity and engage with you).
I am not going over all the details of GDPR (you can read up on other sites that have already done the work of gathering the relevant information — see some links below), but I thought I’d share what I have done to get my blog compliant.
The basic principles you want to keep in mind, whether you run a personal blog, a small business, or a big company are:
1. You must process personal data in a way that is lawful, fair and transparent (e.g. disclose which data you’re collecting and why).
2. You must only use personal data for the specific purposes that you have declared (e.g. you can’t use email addresses that have been shared in your comments to send the same people a newsletter. They have to specifically sign up for that in a separate way).
3. You must collect only the minimum amount of personal data required to achieve your stated objective (e.g. you can’t collect the address and phone number of a person if you’re intending to send an email newsletter, unless there is another specific reason why you need this information).
4. You must take all reasonable steps to ensure that any data you collect is accurate and kept up-to-date (e.g. rectify or delete wrong or bouncing email addresses immediately).
5. You must only hold personal data for as long as is required to achieve the stated objective (e.g. make sure that logs or other data are deleted once they’re no longer needed).
6. You must process personal data in a way that ensures appropriate security (e.g. having strong passwords, using encrypted servers, etc.).
Here are some things I have done to comply with GDPR:
(Disclaimer: I am not a lawyer and make no claims to the accuracy or completeness of these suggestions. I take no responsibility for the advice provided. It is entirely your responsibility to be aware and fully compliant with regulations that apply to your website.)
+ I created a disclosure and privacy policy and linked them in my main menu (so it’s easy for people to find). Some people link it in the footer. There are online generators that can help.
+ I verified that my blog is installed on a secure server, which means all communications between your browser and the website are encrypted. (Check by clicking https://theinbetweenismine-com.preview-domain.com).
+ I added a snippet of code into my WordPress (child) theme to omit the IP address when you submit a comment and deleted old IP addresses from my server.
+ I updated WordPress to the latest version (4.9.6 as of May 2018); here’s their FAQ regarding WordPress and GDPR.
+ I added a check box to my comment form and contact form for you to consent before you’re submitting personal information.
+ I have contacted my blog hosting service (lunarpages.com) and have – unfortunately – not gotten a satisfactory answer in regards to their GDPR-compliance yet. Many articles mention that you have to have a ‘data processing agreement’ with your hosting service, but I am not sure yet what that looks like or if Lunarpages provides one. (I have, for now, linked their privacy policy in my privacy policy for transparency).
+ I have disabled Google Analytics for now, because I don’t really care that much about my blog stats and will do some more research to see how it can be implemented safely, if I decide to use it again in the future.
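The two WordPress changes from the list above (not storing commenter IP addresses, and a consent checkbox on the comment form), as an added example written for this post rather than the author’s actual snippet. It assumes WordPress 4.9.6 with the standard comment form and goes into the child theme’s functions.php; the function names prefixed gdpr_example_ are mine.

```php
<?php
// Added example for a WordPress child theme's functions.php (not the post's own code).

// 1. Data minimisation: never store the commenter's IP address.
//    'pre_comment_user_ip' is the WordPress filter applied to the IP before
//    the comment is saved; returning an empty string leaves the column blank.
add_filter( 'pre_comment_user_ip', '__return_empty_string' );

// 2. Transparency/consent: add a consent checkbox to the comment form fields
//    (shown to visitors who are not logged in).
function gdpr_example_consent_field( $fields ) {
    $fields['gdpr_consent'] = sprintf(
        '<p class="comment-form-gdpr-consent">'
        . '<input id="gdpr_consent" name="gdpr_consent" type="checkbox" value="1" required /> '
        . '<label for="gdpr_consent">%s</label></p>',
        esc_html__( 'I consent to this site storing my name and email address so my comment can be published.', 'gdpr-example' )
    );
    return $fields;
}
add_filter( 'comment_form_default_fields', 'gdpr_example_consent_field' );

// 3. Enforce the checkbox on the server: the HTML "required" attribute is only
//    a browser-side hint and does not apply to a comment POSTed directly.
//    Logged-in users do not see the default fields, so they are exempted here.
function gdpr_example_require_consent( $commentdata ) {
    if ( ! is_user_logged_in() && empty( $_POST['gdpr_consent'] ) ) {
        wp_die(
            esc_html__( 'Please tick the consent box before submitting your comment.', 'gdpr-example' ),
            400
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'gdpr_example_require_consent' );

// 4. Retention: one-time clean-up of IP addresses already stored on older
//    comments (the filter above only affects new comments). Run once, for
//    example via WP-CLI `wp eval 'gdpr_example_purge_comment_ips();'`, after
//    taking a backup, then remove the function. Returns the number of rows updated.
function gdpr_example_purge_comment_ips() {
    global $wpdb;
    return $wpdb->query( "UPDATE {$wpdb->comments} SET comment_author_IP = ''" );
}
```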
It seems like there are some straightforward steps you can take to make your blog/website safe to use for visitors, but at the same time there is no single solution that will make a website compliant (because every website is different and uses/offers different services).
Make sure you take a good look at your website first and note where and how you process data, then take appropriate steps towards GDPR-compliance. Showing willingness by implementing some first, no-brainer solutions (like revisiting your consent process and publishing a privacy policy) is a huge step towards full compliance. I am sure there will be more information available as we enter this new territory.
Helpful resources
I have gathered a few websites that might help you get compliant (if you read nothing else, read the first article; it explains GDPR and its reach fairly well):
+ What the Heck is GDPR? (and How to Make Sure Your Blog Is Compliant)
+ GDPR Compliance Tools in WordPress
+ The Lowdown on GDPR Compliance for WordPress Users
+ The GDPR and Bloggers – what you need to know
+ Privacy and Disclosure Policies for Bloggers
¹From SmartBlogger.
Beth
May 24, 2018 at 7:34 am
Uffda, this is a lot to think about and I’m just now becoming aware of it, I’m glad you shared this information. I’ll be taking the steps needed to do the same for my blog.
Kim Munoz
May 24, 2018 at 9:23 am
I just saw this yesterday. I’ve been sorta flying low in the online world for a few weeks. Now I have to get caught up. And quick! Thanks for sharing!
Lisa of lisas yaRnS
May 24, 2018 at 7:05 pm
I didn’t even know about this! I must have overlooked emails about this. I’m sure I have received some but I am not paying close attention to things like emails these days (aside from friends and family!). Thanks for compiling all this info!
Shann Eva
May 24, 2018 at 7:24 pm
This is really great information in a way it’s easier to understand. I’ve been trying to read about it, but most of the articles or posts are really confusing. This is really helpful. I’ve updated my privacy policy, but I still need to complete some of the other steps.
suki
May 24, 2018 at 11:32 pm
Great post! Comprehensive, even. I updated my privacy policy and disclaimer. I think that most of the services I use on the site are GDPR compliant… :) Hopefully they have bigger fish to fry than me.
Penny Struebig
May 25, 2018 at 3:52 am
This whole thing is so confusing to me. Thanks for this information.
Charlotte
May 26, 2018 at 8:38 am
Amazing info! Thanks for sharing, San! I’ve had a lot of meetings about this at work this past week, since I work for an influencer marketing agency that collects info (though never to resell, we just had to make sure we were staying completely compliant). It’s a lot to take in, but so important, especially given the recent data breach with Facebook.
Stephany
May 26, 2018 at 1:06 pm
Thank you SO much for all of this useful information, especially the checklist of what you actually did. I’ve been trying to research what I need to do as a blogger, but it’s so confusing! I just added a privacy policy + cookies consent form. Working on disabling the storage of IP addresses and my Google Analytics. Oh, and I’ve got to figure out how to get an SSL certificate. I use HostGator and it seems like this might be more complicated than I thought, wah.
Audrey
May 29, 2018 at 12:33 pm
Whoa. This is interesting. I wondered what was going on with all the policy and privacy updates. Now I know. I’ll have to dig into my blog a little more and make sure everything is all good! Thank you for writing this and explaining all this!
terra
May 31, 2018 at 7:33 am
This is super helpful! It all sort of snuck up on me and I’ve been super, super busy the past few weeks and am now playing catch-up.