"Let's not say goodbye yet."
"Please don't let me go."
"We are on the same page, aren't we?"
"You're still interested, aren't you?"
Unless you’ve been living under a rock, chances are that your inbox has been flooded by emails with similar subject lines. You may also have noticed that the frequency has increased rather dramatically over the past week or so, reminding you to ‘opt-in’ or ‘check the box’ before it’s too late.
Well, the culprit is #GDPR.
Sounds like one of those god-awful complicated acronyms from your high-school Economics class, doesn’t it? At least it did to me. But then it got me thinking.
Does my blog really need to be GDPR compliant? I don’t really sell anything on the blog. And what information do I really collect? After all, it’s largely a personal blog. So, I should be okay, shouldn’t I?
As it turns out, probably not. Now, if like me, you’re a blogger who does the occasional sponsored content and makes the odd penny from the blog, then what I’m about to discuss may help. But before we go on, I need your buy-in on the following disclaimers:
I am not a lawyer or qualified in any aspect of the law, except maybe that I try to follow it as much as I can. So, in no way does this post qualify as legal advice. If you really need to get the nitty gritty of GDPR, please consult a specialist lawyer. Alternately, you can find a lot of information and guidance on the GDPR site.
What I’m about to discuss is purely based on my understanding of what I’ve read so far about GDPR, and the steps I’ve taken in an attempt to make my blog/site GDPR-compliant. Once again, I am not an expert and as such I will not be held liable for any advice taken from this post/article.
Phew! For a moment, I felt like the small print in one of those infinitely long "I’ve read the terms and conditions and agree with them all" pages. Honestly, I miss the good old times when we could just post things without having to worry so much about all this. But hey, we got to keep rolling with the times.
So, what is this GDPR?
While the acronym sounds rather ominous, the name is quite self-explanatory. It stands for General Data Protection Regulation and it comes into effect on 25th May 2018. If you’d like to check out the detailed explanation, all the low down is available on the GDPR website. However, to convert it into ‘lay people speak’:
GDPR is new legislation developed by the European Union (EU) to strengthen our rights regarding the collection, use and storage of our personal data.
Although it says it’s developed by the EU, and applies to businesses, organisations or people within the EU, those who are outside the EU but offer goods or services (regardless of whether it is paid or not) to people living within the EU, or monitor their behaviour, must comply with it. Which means, in short, in this large interconnected world where our posts are not restricted to particular geographical locations, GDPR will pretty much become the global standard for data protection.
But I’m a blogger. I don’t collect personal data. I’m not even in the EU.
Actually, this is where we get caught out. Even if you haven’t actively monetised the blog, you are still collating personal data. Because according to their definition of personal data, it is any information that can be used to identify a living person directly or indirectly. And that includes things like names, email addresses, location data, IP address. And all of these are things that our blogs collect when someone leaves a comment or even just visits (depending on the options of your site). Now, if you absolutely do not monetise your blog (yes, that means not even sponsored posts), then you could probably get away without any issues. But then again, the line is quite grey on this one, and hey, why invite trouble unnecessarily?
Okay, I’m starting to freak out. Why is this so confusing?
Well, first take a deep breath. It isn’t that complicated. In fact, I might even go out on a limb and say that it is a good opportunity to tidy up your blog and get it into shape. And we’re a community. Which means, we’re all in this together. If I had to break down GDPR into 3 points, this is what your website/blog must comply with:
We have to tell our visitors/users what sort of information we collect, who we are, what we do with the information and how long it will be stored for.
We have to get clear consent before collecting any data, i.e. they need to say yes, and no, we can’t bypass this.
If a user or visitor requests access to their data, we will need to provide it and also let them know should any data breaches occur, such as our website database being hacked and the rest.
Right, I’m feeling better now. So, what do I do?
Okay, the bad news is that there really isn’t a definitive guide to making sure your site or blog is GDPR compliant. Yes, I know - I said I’ll help. So, I’m giving you a 5-step checklist of things to do, which will go a long way to make your site compliant with this new regulation.
Top Tip: When writing the policy, try to address the 3W1H rule about the personal data. Why, What, Who and How?
Step 3: Consent
Okay, this is the tricky part, and I’m certain that a lot of fellow bloggers can testify to how cumbersome this is. It is likely that your blog/site has already collected a sizeable number of emails for your newsletter or email notifications. If you’re using a tool such as MailChimp or Sumo, you can use one of their pre-designed email templates to contact all your subscribers and get their consent to be on your mailing list. The trouble though is getting your subscribers to open the newsletters and respond. Unfortunately, short of sending reminders, there is not much you can do about this. Which may explain the rather creative email subject lines that I started the post with. If you’re using the Jetpack subscriber module, I have some more bad news. At the time of writing this, I haven’t yet managed to discover a way to let subscribers know that we need their consent in order to keep sending them email updates. That is, short of emailing them all separately. Automattic and Jetpack have mentioned that they will be GDPR compliant in time, but I haven’t found any options that explicitly help with either letting existing customers know or adding a checkbox to the subscriber widget. If any of you know a way, please let me know and I’ll update it.
Top Tip: As much as I hate to say it, reach out personally to your subscribers where possible. Unless you want to take them off the list.
Top Tip: If you’re on WordPress, use the Cookie Widget banner to inform your visitors that you store information to enhance their reading experience. Simples!
Top Tip: Once you use the plugin, remember to incorporate the checkbox in your comments section, contact form and any other place where your visitors may enter their personal information.
Bonus Step: SSL it
I’m sure most of you have already heard it, or done it even, but since October 2017 you may have noticed that your browsers have started throwing messages saying site not secure. (In fact, due to some issues that I’m presently having with Bluehost, you may notice this on mine too). While I could launch into a detailed explanation of what SSL is, the simplest way to look at it is that serving your site/blog over https makes it more secure than http. And it helps convince your visitors that you pay attention to things like security.
Top Tip: Most hosting providers offer you basic SSL certificates for free with your hosting plan. Chat to them and get one asap.
I bet that I can read your mind right now. You’re possibly thinking, ‘What happened to the time when blogging was such a simple affair?’
I hear ya. In fact, I feel ya too. But on the plus side, look at it this way. The fact that things like this affect blogging means that it is no longer considered as 'just a hobby'. This paves the way for the future. Which means bloggers will now have to be accountable for things and put out better quality content and maintain better databases. And in my eyes, that may well be a giant leap to blogging being recognised as a valid medium of expression. So stand up and be counted.
And let’s #GDPR with it!
Note: I hope this rather long post has been worth your time. If you’ve found it useful, please do show the love by sharing it.
If you have any questions, I’ll be happy to try and answer them, although I’m reiterating this again - I am not an expert or a legal professional. Most of this is what I’ve understood and inferred from the various sources that I’ve had at my disposal.
Update: There is currently an option available within the Jetpack plugin to generate the cookie banner as well as an automated privacy page for your site, along with a few other settings.