From 25th May 2018 a new EU regulation, the General Data Protection Regulation (GDPR), comes into force. Many of us have already heard of it: it was formally adopted in 2016 but only starts to apply from 25th May 2018. The new regulation is a good thing for anyone living in the EU as it gives you more control and transparency over how your personal data is kept and used by businesses and other organisations that provide goods and services, but did you know that as a blogger you also need to comply with the GDPR rules, even if you and your blog are not based in the EU?
Now, before I start, a couple of warnings, though please don’t freak out…
NOTE: The following advice is meant for all blogs but specifically mentions WordPress.com blogs. While the information will apply to other blogging platforms, I don’t know what specific plugins may be installed on different platforms, so please consult those platforms for more information.
Disclaimer: I am NOT a lawyer/solicitor, nor do I have any background in law. The following is my personal interpretation of the GDPR rules and should not be taken as accurate fact. Please consult a lawyer/solicitor for legal advice on this matter. I cannot be held responsible for any advice taken from this article.
Sorry to scare everyone, but while I’ve done my best to interpret the rules there’s always a chance that this information might not be 100% accurate.
So let’s begin…
GDPR and personal data…
As I’ve stated, GDPR stands for the General Data Protection Regulation, a new piece of legislation that applies from 25th May 2018. It protects the personal data of everyone in the EU. Personal data is anything that can identify you either directly or indirectly: your name, address, location and email address, as well as less obvious things like your IP address, medical information and age. All information which can identify you as a person is now better protected, and people in the EU now have a right not only to find out what information an organisation holds on them, but to have that information permanently deleted (this is called the ‘right to erasure’, better known as the ‘right to be forgotten’).
Although the regulation protects people in the EU and their rights to privacy over their personal information, the law reaches the whole world no matter where your business (or in this case blog) is based: it applies to anyone outside the EU who offers goods or services to people in the EU or monitors their behaviour (for example through analytics). It protects ALL people who reside in the EU, whatever their citizenship, on any website they visit. If you have a blog and nobody in the EU visits or uses it, then you won’t need to worry about GDPR. But almost all of us have blogs with visitors from different countries of the EU (which includes the UK at this time), and so we’re all better off complying with this law.
GDPR also requires organisations to report a personal data breach to their data protection authority within 72 hours of becoming aware of it (unless the breach is unlikely to put people at risk), and to tell the affected people when the risk to them is high. This is something most people will welcome given the way some companies have treated others’ data in the last few years. (On a personal note, one of my Yahoo mail accounts was identified as having been exposed in the Yahoo hacking, so I welcome this new law.) If you have a large business, process sensitive personal data on a large scale or systematically monitor people, you will also need to appoint a data protection officer, and in some cases it may be necessary to register a business with the ICO or the relevant authority in your country, but this depends on how big your business is and what you do with the data (here’s a self-assessment questionnaire to help you find out if you need to do this). The average smaller blogger won’t need to worry about any of this.
Fines for non-compliance
The fines are pretty extreme if you fail to comply with the new GDPR rules, but fines have to be proportionate, and the authorities also have softer tools (warnings, reprimands and orders to fix the problem) which they are likely to use first. The average blogger isn’t likely to see such warnings or fines, but from my reading of various sources, the bigger your business the more visible you are and therefore the more careful you have to be. The maximum fine is €20 million or 4% of worldwide annual turnover, whichever is higher, but don’t worry: as I said, this is probably only going to happen to those that repeatedly flout the law.
Does my blog need a privacy page?
If you have a self-hosted WordPress.org blog, WordPress 4.9.6 added a Privacy setting (Settings › Privacy) that lets you pick or create a privacy policy page and gives you a suggested template to fill in; it also added tools for exporting and erasing a visitor’s personal data. The template is only a starting point and you still need to edit it to match what your site actually does, but the WordPress.org help pages have more detail on this. If you have a WordPress.com blog you’ll need to write up your own privacy page and add it manually to the pages that already exist on your blog.
WordPress.com have stated that they are working on something to add to the EU cookie banner which already exists as a widget we can use on our blogs. This new privacy/cookie banner may in future cover the need for a basic blog’s privacy page, but for now I’m sticking to writing one. The advantage of writing up your own policy is that you will appear more trustworthy in the eyes of visitors.
You need to state what data is collected when people use the site, why it is collected and how long it is kept. You need to state who else has access to this information, and let people know they have a right to ask what you hold about them, to have it corrected and to have it deleted, and how to contact you to do so.
This is where it gets tricky. I’ve relied heavily on the WordPress.com help thread about GDPR for the following. All WordPress.com websites collect data via comments and feedback. The data collected includes names, email addresses and IP addresses. These can all be seen when you view the comments section of your WordPress Dashboard.
Cookies also store information about visitors and are needed by most websites, so make sure to include this information too. I’ve seen plenty of blogs with privacy policies that mention only the cookie usage, but this isn’t enough: you should write up a more detailed policy if you allow others to comment or contact you through your blog (this especially applies if you have a contact form available on your blog, since a contact form collects names and email addresses too).
Don’t forget to mention third parties who may have access to the information. This includes Akismet, the default spam filter on most WordPress websites: the commenter’s name, email address, IP address and the comment itself are sent to Akismet’s servers to check whether the comment is spam.
If you sell things directly through your blog then you’ll have to state that you collect this additional information, which may include payment card details, when customers make purchases. In such cases you take on more responsibility for keeping that information safe and controlling who can access it, so try to find out more about this by getting proper legal advice. I don’t run a business from my blog, so at this time I can’t comment further on what to do as I don’t know.
If your blog uses things like paid-for advertising or analytics tools, it’s worth including that information too, as these services usually set their own cookies and collect visitors’ IP addresses.
How should you write your privacy page?
If your blog has a mailing list or newsletter (this is different from the standard ‘follow blog’ option) you need to check that people are subscribing in the right way. Implied consent no longer counts: people have to actively opt in to getting your newsletter (no pre-ticked boxes), you should keep a record of when and how they opted in, and you have to give them a way of unsubscribing in every newsletter you send.
Let me know how you cope with the new GDPR rules, and if you believe anything I’ve stated is wrong don’t be afraid to say so. As I said, I’m no lawyer, I’m just doing my best to interpret the new law.
Note: At the time of writing this the EU Cookie banner widget is faulty and causes a refreshing of the page each time it is clicked. Apologies if it’s making you go around in circles, try to ignore it and read on.
Featured image from Pixabay.com
Did you know about the GDPR rules? Does it affect your blog or website? Are you happy for the new privacy law in terms of your rights to your own data or is the whole GDPR thing a bit of a headache for you at the moment? Let me know any thoughts I’d love to hear from you 🙂