GDPR: What you need to do if you're a blogger


"Let's not say goodbye yet."

"Please don't let me go."

"We are on the same page, aren't we?"

"You're still interested, aren't you?"


Unless you’ve been living under a rock, chances are that your inbox has been flooded by emails with similar subject lines. You may also have noticed that the frequency has increased rather dramatically over the past week or so, reminding you to ‘opt-in’ or ‘check the box’ before it’s too late.


Well, the culprit is #GDPR.


Sounds like one of those god-awful complicated acronyms from your high-school Economics class, doesn’t it? At least it did to me. But then it got me thinking.


Does my blog really need to be GDPR compliant? I don’t really sell anything on the blog. And what information do I really collect? After all, it’s largely a personal blog. So, I should be okay, shouldn’t I?

As it turns out, probably not.

Now, if like me, you’re a blogger who does the occasional sponsored content and makes the odd penny from the blog, then what I’m about to discuss may help. But before we go on, I need your buy-in on the following disclaimers:

I am not a lawyer or qualified in any aspect of the law, except maybe that I try to follow it as much as I can. So, in no way does this post qualify as legal advice. If you really need to get into the nitty-gritty of GDPR, please consult a specialist lawyer. Alternatively, you can find a lot of information and guidance on the GDPR site.

What I’m about to discuss is purely based on my understanding of what I’ve read so far about GDPR, and the steps I’ve taken in an attempt to make my blog/site GDPR-compliant. Once again, I am not an expert and as such I will not be held liable for any advice taken from this post/article.

Phew! For a moment, I felt like the small print in one of those infinitely long "I’ve read the terms and conditions and agree with them all" pages. Honestly, I miss the good old times when we could just post things without having to worry so much about all this. But hey, we’ve got to keep rolling with the times.

So, what is this GDPR?

While the acronym sounds rather ominous, the name is quite self-explanatory. It stands for General Data Protection Regulation and it comes into effect on 25th May 2018. If you’d like to check out the detailed explanation, the full lowdown is available on the GDPR website. However, to convert it into ‘lay people speak’:

GDPR is a new piece of legislation developed by the European Union (EU) to strengthen our rights regarding the collection, use and storage of our personal data.

Although it says it’s developed by the EU and applies to businesses, organisations or people within the EU, those outside the EU who offer goods or services (paid or not) to people living within the EU, or who monitor their behaviour, must also comply with it. Which means, in short, that in this large interconnected world where our posts are not restricted to particular geographical locations, GDPR will pretty much become the global standard for data protection.

But I’m a blogger. I don’t collect personal data. I’m not even in the EU.

Actually, this is where we get caught out. Even if you haven’t actively monetised the blog, you are still collating personal data. Because according to their definition, personal data is any information that can be used to identify a living person directly or indirectly. And that includes things like names, email addresses, location data and IP addresses. And all of these are things that our blogs collect when someone leaves a comment or even just visits (depending on the options of your site). Now, if you absolutely do not monetise your blog (yes, that means not even sponsored posts), then you could probably get away without any issues. But then again, the line is quite grey on this one, and hey, why invite trouble unnecessarily?

Okay, I’m starting to freak out. Why is this so confusing?

Well, first take a deep breath. It isn’t that complicated. In fact, I might even go out on a limb and say that it is a good opportunity to tidy up your blog and get it into shape. And we’re a community. Which means, we’re all in this together. If I had to break GDPR down into 3 points, this is what your website/blog must comply with:

We have to tell our visitors/users what sort of information we collect, who we are, what we do with the information and how long it will be stored for.

We have to get clear consent before collecting any data, i.e. they need to say yes, and no, we can’t bypass this.

If a user or visitor requests access to their data, we will need to provide it and also let them know should any data breaches occur, such as our website database being hacked and the rest.


Right, I’m feeling better now. So, what do I do?

Okay, the bad news is that there really isn’t a definitive guide to making sure your site or blog is GDPR compliant. Yes, I know - I said I’d help. So, I’m giving you a 5-step checklist of things to do, which will go a long way to making your site compliant with this new regulation.

Step 1: Create or write up a Privacy Policy for your blog.

If I had to pick one step which you absolutely HAD to do out of all of them, this would be the one. Because in many ways, it is your ‘anticipatory bail’ clause. Which means, it tells your visitors and users that you are ready to comply with the new regulation and reinforces the fact that you are transparent about what you do with their data and how it is being used. But a word of advice: do not copy word-for-word from another site. Of course, a lot of sites will have similar looking privacy policies, but you need to enter details of your own site, the plugins that you use and the rest of the information. So personalise it. Feel free to look at my Privacy Policy to get an idea.
Top Tip: When writing the policy, try to address the 3W1H rule for personal data: why, what, who and how.

Step 2: Spring Clean the blog

Ideally, if you’ve been blogging or writing regularly, this shouldn’t take more than a couple of minutes. But, if like me, you’ve been neglecting the blog and have somehow ended up with over 50 updates, then believe me - this is a key step for you. Make sure all your plugins, themes and WordPress itself (if you’re on self-hosted) are updated to the latest version. In fact, the latest version of WordPress has the option for a Privacy Policy included, and they have good guidelines to help with the creation of this policy. While not mandatory, it is also good to look at your plugins, make a note of any/all that collect any details of your visitors/users and then contact these 3rd party providers for information about their compliance. Usually, it will be on their site, but if not, you can always email them.
Top Tip: Make sure you list all of these 3rd party plugins in the Privacy Policy that you’ve created. For instance, plugins like Sumo, Mailchimp, Jetpack and so on.

Step 3: Consent

Okay, this is the tricky part, and I’m certain that a lot of fellow bloggers can testify to how cumbersome this is. It is likely that your blog/site has already collected a sizeable number of emails for your newsletter or email notifications. If you’re using a tool such as MailChimp or Sumo, you can use one of their pre-designed email templates to contact all your subscribers and get their consent to be on your mailing list. The trouble though is getting your subscribers to open the newsletters and respond. Unfortunately, short of sending reminders, there isn’t much you can do about this. Which may explain the rather creative email subject lines that I started the post with. If you’re using the Jetpack subscriber module, I have some more bad news. At the time of writing this, I haven’t yet managed to discover a way to let subscribers know that we need their consent in order to keep sending them email updates. That is, short of emailing them all separately. Automattic and Jetpack have mentioned that they will be GDPR compliant in time, but I haven’t found any options that explicitly help with either letting existing customers know or adding a checkbox to the subscriber widget. If any of you know a way, please let me know and I’ll update it.
Top Tip: As much as I hate to say it, reach out personally to your subscribers where possible. Unless you want to take them off the list.

Step 4: Cookies!

Okay, ignore the exclamation mark. That was my sweet tooth typing. Now, while these cookies (unlike their baked cousins, which are yummy!) cannot be eaten, they can certainly help score brownie points when it comes to GDPR compliance. Provided you notify your visitors about them, that is. Because cookies let us identify a visitor by their device, they fall under personal data territory.
Top Tip: If you’re on WordPress, use the Cookie Widget banner to inform your visitors that you store information to enhance their reading experience. Simples!

Step 5: Use a GDPR plugin

I left this point for last because you’ll need to do steps 1 and 2 in order for step 5 to work. But it is by far the easiest thing to do. There are several GDPR compliance plugins available for self-hosted WordPress, and my recommendation would be either the GDPR plugin by Trew Knowledge or WP GDPR Compliance by Van Ons. Regardless of which one you use, the plugin can help you create a checkbox which can be linked to your privacy policy, as well as to any other locations where your visitors enter their information. This way, you are getting clear consent from your visitors to collect their data, rather than assuming that they’re okay with it.
Top Tip: Once you use the plugin, remember to incorporate the checkbox in your comments section, contact form and any other place where your visitors may enter their personal information.
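To show what those plugins are doing behind the scenes, here is a small WordPress snippet, written for this post as an added example (it is not code from the Trew Knowledge or Van Ons plugins), that adds a required consent checkbox linked to your privacy policy to the comment form and refuses comments submitted without it. The `example_` function names and the `example_privacy_consent` field name are made up for the illustration; it assumes self-hosted WordPress 4.9.6 or later (for `get_privacy_policy_url()`) on PHP 7 or later, and can be dropped into a theme's functions.php or saved as a tiny plugin.

```php
<?php
/**
 * Plugin Name: Comment Consent Checkbox (example)
 * Description: Adds a required consent checkbox to the WordPress comment form.
 * Example code for illustration only; not from any published GDPR plugin.
 */

// Hypothetical name of the checkbox field as it arrives in the POSTed form.
const EXAMPLE_CONSENT_FIELD = 'example_privacy_consent';

/**
 * Add the consent checkbox to the comment form.
 * The 'comment_form_default_fields' filter receives the author/email/url
 * fields that WordPress renders for visitors who are not logged in.
 */
function example_add_consent_field( array $fields ): array {
    // Returns '' if no privacy policy page has been set under Settings > Privacy.
    $policy_url = get_privacy_policy_url();

    $label = $policy_url
        ? sprintf(
            /* translators: %s: URL of the privacy policy page */
            __( 'I consent to this site storing my name, email address and comment as described in the <a href="%s">Privacy Policy</a>.', 'example-consent' ),
            esc_url( $policy_url )
        )
        : __( 'I consent to this site storing my name, email address and comment.', 'example-consent' );

    $fields[ EXAMPLE_CONSENT_FIELD ] = sprintf(
        '<p class="comment-form-consent"><input id="%1$s" name="%1$s" type="checkbox" value="yes" required /> <label for="%1$s">%2$s</label></p>',
        esc_attr( EXAMPLE_CONSENT_FIELD ),
        wp_kses( $label, array( 'a' => array( 'href' => array() ) ) )
    );

    return $fields;
}
add_filter( 'comment_form_default_fields', 'example_add_consent_field' );

/**
 * Server-side check. The HTML 'required' attribute is only a browser hint and
 * can be skipped by anything that posts directly to wp-comments-post.php, so the
 * consent must be verified again here before the comment is stored.
 * Logged-in users never see the default fields, so only visitors are checked.
 */
function example_require_consent( array $commentdata ): array {
    if ( is_user_logged_in() ) {
        return $commentdata;
    }
    // Pingbacks and trackbacks carry a comment_type and never come from the form.
    if ( ! empty( $commentdata['comment_type'] ) && 'comment' !== $commentdata['comment_type'] ) {
        return $commentdata;
    }
    if ( empty( $_POST[ EXAMPLE_CONSENT_FIELD ] ) || 'yes' !== $_POST[ EXAMPLE_CONSENT_FIELD ] ) {
        wp_die(
            esc_html__( 'Please tick the consent box before submitting your comment.', 'example-consent' ),
            esc_html__( 'Consent required', 'example-consent' ),
            array( 'response' => 400, 'back_link' => true )
        );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'example_require_consent' );
```

Two things worth noting about the design. First, the checkbox is checked twice: the `required` attribute gives visitors an immediate prompt, but the `preprocess_comment` filter is what actually enforces it, because the form can be submitted without a browser. Second, this only covers the built-in comment form; a contact form plugin stores its submissions through its own code, so it needs its own checkbox, which is exactly what the plugins mentioned above take care of for you.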

Bonus Step: SSL it

I’m sure most of you have already heard about it, or even done it, but since October 2017 you may have noticed that your browsers have started throwing up messages saying ‘site not secure’. (In fact, due to some issues that I’m presently having with Bluehost, you may notice this on mine too.) While I could launch into a detailed explanation of what SSL is, the simplest way to look at it is that serving your site/blog over HTTPS makes it more secure than plain HTTP. And it helps convince your visitors that you pay attention to things like security.
Top Tip: Most hosting providers offer you basic SSL certificates for free with your hosting plan. Chat to them and get one ASAP.

I bet that I can read your mind right now. You’re possibly thinking, ‘What happened to the time when blogging was such a simple affair?’


I hear ya. In fact, I feel ya too. But on the plus side, look at it this way. The fact that things like this affect blogging means that it is no longer considered 'just a hobby'. This paves the way for the future. Which means bloggers will now have to be accountable for things, put out better quality content and maintain better databases. And in my eyes, that may well be a giant leap towards blogging being recognised as a valid medium of expression. So stand up and be counted.


And let’s #GDPR with it!


Note: I hope this rather long post has been worth your time. If you’ve found it useful, please do show the love by sharing it.


If you have any questions, I’ll be happy to try and answer them, although I’m reiterating this again - I am not an expert or a legal professional. Most of this is what I’ve understood and inferred from the various sources that I’ve had at my disposal.

Update: There is currently an option available within the Jetpack plugin to generate the cookie banner as well as an automated privacy page for your site, along with a few other settings.
