GDPR and Bloggers: What you Need to Know
On May 25, 2018 the EU is putting in place the General Data Protection Regulation (GDPR).
If you have EU visitors, as I do, you will need to know about this new law. It doesn’t matter whether you live in an EU country or not: the law applies to the data wherever it originates.
Its primary purpose is to protect the data privacy of EU citizens, and it applies to you wherever you are. This is not meant to be legal advice; it is informational only. If you have questions about anything in this article you should contact an attorney.
What is GDPR?
The General Data Protection Regulation, otherwise referred to as GDPR, is EU legislation that takes effect on May 25, 2018. The GDPR is the most significant legislation regulating the digital world in recent memory. Its primary focus is to put control back in the hands of European citizens when it comes to their personal information. The law mandates that any EU citizen has the right to demand details on what personal information is being held, who is using it, how they’re using it and how it’s being stored. They can also request copies of this data and ask to be deleted from your system. A simple unsubscribe button will not suffice: they must be completely removed.
Why is it Important to Bloggers?
If you have a mailing list or newsletter, the law applies to you. If you gather email addresses and other personal information of EU residents for future marketing, GDPR applies to you. Consider these scenarios:
- Do you have a newsletter list with at least one person in the EU?
- Do you have Facebook Ads where an EU resident could be targeted?
- Are you loading your mailing list into social media for re-targeting campaigns?
- Do you use PayPal or another eCommerce platform where you’re accepting credit card information from one of your readers?
- Do you have user registrations?
- Do you have contact form entries?
- Do you use analytics and traffic log solutions?
- Do you use any other logging tools and plugins?
- Do you use security tools and plugins?
If any of these situations apply to you so does GDPR.
GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. (See Article 5.)
What is Lawful Processing?
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used. Bloggers really need to start thinking more carefully about how they keep people’s personal data secure. If you have a security breach, such as a hack, then you are liable under GDPR.
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data. Consider:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing), and therefore consent to direct marketing is often not required under the GDPR. Recital 47 of the GDPR actually says that: “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
The most important thing to remember is that individuals in the EU must explicitly opt in to communications from you. You cannot just add them because they have purchased a product from you or entered a contest or giveaway.
You must be able to demonstrate when the person opted in, should you ever be asked to provide substantiation.
You must also provide an opt-out option. Again, that means opting out entirely from your database and not just from the mailing list.
WHAT CAN I DO TO COMPLY?
Most third-party newsletter platforms, online payment systems and general CRM programs have been updating their platforms to comply with GDPR. You may have gotten notices recently from Google about their efforts to comply with the new law. However, it is still your responsibility to make sure that you are in compliance.
What bloggers should stop doing:
- Auto opt-ins
- Sharing personally identifying information with others without their consent
- Collecting data from any source other than consensual opt-ins
What bloggers should start doing:
- Have a data processing and security policy
- Be able to demonstrate consent
- Make sure that data is secure.
PENALTIES FOR NON-COMPLIANCE
Penalties for violating GDPR can be up to 20 million euros, and if the EU’s past performance is any indication of future behavior, they will fully enforce the provisions of the new law.
The primary things that you need to know about GDPR are consent, security and record keeping. So in order to make your blog compliant you should:
- Look into all the different ways in which you’re collecting visitor data.
- Put mechanisms in place to make sure that users can control their data.
- Avoid collecting user data where it’s not necessary, such as in the contact form.
- Even if you’re using third-party tools and solutions, make sure that those are GDPR compliant as well.
Keep all of these in mind and ensure your compliance by May 25, 2018 or be subject to serious fines. If you want to know about U.S. laws, take a look at my post on that subject here.
If you want more blogging tips and tricks, sign up for my newsletter and receive your Free Blogging Planner.