
Blogging is (and will continue to be) a fast-paced, complex subject, and the world of blogging is always changing. GDPR (the General Data Protection Regulation) is a European law you will already be aware of, because I can guarantee your inbox has recently been flooded with emails from businesses updating their privacy policies. GDPR for bloggers is also incredibly confusing, and I feel there are few, if any, direct explanations of how to be GDPR compliant as a self hosted blogger using WordPress.org.


The truth is, even GDPR consultants and lawyers don't yet seem to fully understand what GDPR means for us bloggers. Within the blogging community there has been a hell of a lot of misinformation and scaremongering. This has caused panic, and bloggers seem to think they all need to register as a data controller with the ICO (the UK regulator). If you are unsure whether you need to register, the ICO publishes a self-assessment "quiz" which only takes 5 minutes.

The EU GDPR regulation takes effect on 25th May 2018. Although GDPR may sound scary, it is relatively straightforward once you've got your head around how you can comply as a self hosted blogger on WordPress.org (not WordPress.com, which is a separate issue because Automattic hosts and processes the data for you). The ultimate aim of GDPR is to give EU citizens control over their personal data and how it is used by organisations and businesses.


The easiest way I can explain the GDPR penalties is this: after 25th May 2018, businesses that are not in compliance with GDPR's requirements can face fines of up to 4% of the company's annual global turnover or €20 million, whichever is greater. I want to stress that although the fines can escalate to that level, regulators have a range of corrective powers short of a fine (a warning, a reprimand, an order to bring your processing into line, or a temporary or permanent ban on processing), and any fine has to be proportionate to the seriousness of the breach. The large fines are reserved for those who ignore the law or keep violating it.

The EU isn't out to get you or to make everything super complicated for you. The goal is to protect consumers and their personally identifiable information (PII). In my own opinion, the big fines are nothing for us smaller business owners to majorly worry about, as I believe they exist to attract the attention of large corporations such as Facebook and Google, to ensure the GDPR regulation is NOT ignored.

Overall, GDPR is about protecting a user's personal data and holding businesses to a higher standard when collecting, processing, storing and using that data. Note that "personal data" under GDPR is broader than the US notion of PII: it is anything that can identify a person, directly or indirectly. It includes, but is not limited to: name, email address, physical address, IP address, health information, income, etc. On a blog, IP addresses are the one most people forget: WordPress records the IP address of every commenter, and your host keeps them in the web server access logs.

So, what does GDPR mean for bloggers who are self hosted (via WordPress.org)?

As of WordPress 4.9.6, the WordPress core software ships with built-in privacy tools to help you comply with GDPR. Strictly speaking, software itself is never "GDPR compliant"; you, as the site owner, are the one who has to comply, and the tools make that possible. Platforms such as WordPress have been aware of GDPR for a long time and have been working on this in the background.

However, due to the dynamic nature of websites and blogs, no single platform or plugin can offer 100% GDPR compliance. Based on the type of blog you have, what data you store, and how you process data on your site – the GDPR compliance process will vary.

Explained as simply as possible, on a basic self hosted WordPress blog, WordPress 4.9.6 by default now comes with the following three GDPR enhancement tools:

Comments consent tick box

WordPress used to store, by default, a commenter's name, email address and website in cookies in the user's browser, so the comment form was pre-filled on their next visit. Because GDPR requires consent for that kind of storage, WordPress has added a consent tick box to the comment form. Users can still leave a comment without ticking the box; it just means they have to re-enter their details each time they comment on your blog, as the cookies will not be set. One caveat: the tick box only controls the browser cookies. The commenter's name, email address and IP address are still saved in your site's database with the comment, so they are still personal data you hold and must cover in your privacy policy and honour in export and erasure requests.

Data export and data erase features

WordPress has (rightly so) given bloggers the ability to comply with the data handling requirements within GDPR, so we can honour a user's request to export and/or erase their personal data. These features live under Tools > Export Personal Data and Tools > Erase Personal Data in the WordPress admin. You enter the requester's email address, WordPress sends them a confirmation email, and once they confirm you can generate the export (a zip file sent to them) or run the erasure. Plugins that store their own personal data can hook into these tools; if one you rely on does not, you will have to handle its data by hand.

Privacy policy generator

Much to your advantage, WordPress now comes with a built-in privacy policy generator (under Settings > Privacy), making it much simpler to create a compliant privacy policy. It offers a pre-made privacy policy template and guidance on what else you should add (well-behaved plugins contribute their own suggested text), which means you can be more transparent with your blog's users about how you store and use their data.

These three features cover the personal data a basic, default WordPress install collects by itself. However, it is highly likely that your blog has additional features and plugins which will also need to be GDPR compliant, and none of these tools reach data held outside WordPress, such as your host's server logs or your backups.

Plugins and other features

As bloggers, we use a variety of plugins, and we need to ensure each of them is GDPR compliant. If a plugin stores or processes personal data (contact and consent forms, analytics, newsletters and email marketing, social sharing, etc.), you will need to ensure it is up to date and compliant, and that you know where it sends that data.

Google Analytics

To be GDPR compliant with Google Analytics, you need to do at least one of the following: enable IP anonymisation, so Google truncates the visitor's IP address before it is stored or processed, or add an overlay to the site that gives notice of the cookies and asks users for consent before any tracking starts. In practice, doing both is the safe option, because Google Analytics sets cookies, and cookies that are not strictly necessary need consent regardless of how the analytics data is anonymised.

Retargeting ads

You will need to get users' consent if your website is running retargeting pixels or retargeting ads. A plugin like Cookie Notice is very useful for this. Bear in mind that a banner on its own is only notice, not consent: the pixel must not fire until the visitor has actually opted in.
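The two measures above (IP anonymisation for Google Analytics, and loading tracking only after consent, which covers retargeting as well) can be combined in one small script. The following is an added example, not code from this post, from WordPress or from Google. It assumes a hypothetical first-party cookie named `gdpr_consent` holding flags such as `analytics:1,ads:0` (set by whatever consent banner you use), and a placeholder measurement ID. The `anonymize_ip`, `allow_google_signals` and `allow_ad_personalization_signals` settings are real gtag.js config options; everything else is illustrative.

```javascript
// Added example: load Google Analytics only after the visitor has opted in,
// and with IP anonymisation on. Not code from the post, WordPress or Google.
// Assumption (hypothetical): consent lives in a first-party cookie named
// "gdpr_consent" whose value looks like "analytics:1,ads:0".

const CONSENT_COOKIE = 'gdpr_consent';

// Parse a document.cookie string into the two consent flags we care about.
// Anything missing or malformed is treated as "no consent".
function parseConsent(cookieString) {
  const consent = { analytics: false, ads: false };
  if (typeof cookieString !== 'string') return consent;
  for (const pair of cookieString.split(';')) {
    const eq = pair.indexOf('=');
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (name !== CONSENT_COOKIE) continue;
    const value = decodeURIComponent(pair.slice(eq + 1).trim());
    for (const flag of value.split(',')) {
      const [key, val] = flag.split(':');
      if (Object.prototype.hasOwnProperty.call(consent, key)) {
        consent[key] = val === '1';
      }
    }
  }
  return consent;
}

// Build the gtag.js config for this visitor, or null if tracking is not allowed.
// anonymize_ip makes Google zero the last octet (IPv4) / last 80 bits (IPv6)
// of the address before it is stored. Advertising signals (used for
// retargeting) stay off unless the visitor opted in to ads separately.
function gaConfigFor(consent) {
  if (!consent.analytics) return null;
  return {
    anonymize_ip: true,
    allow_google_signals: consent.ads,
    allow_ad_personalization_signals: consent.ads,
  };
}

// Inject gtag.js only when gaConfigFor() says tracking is allowed. With no
// consent nothing is loaded, so no analytics cookies are ever set.
// `doc` is injectable so the logic can be unit-tested outside a browser.
function installTracker(measurementId, consent, doc = globalThis.document) {
  const config = gaConfigFor(consent);
  if (config === null) return false;
  const script = doc.createElement('script');
  script.async = true;
  script.src = 'https://www.googletagmanager.com/gtag/js?id=' +
    encodeURIComponent(measurementId);
  doc.head.appendChild(script);
  globalThis.dataLayer = globalThis.dataLayer || [];
  function gtag() { globalThis.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', measurementId, config);
  return true;
}

// Browser usage; skipped when there is no document (e.g. under Node).
// 'UA-XXXXXXX-1' is a placeholder, not a real property ID.
if (typeof document !== 'undefined') {
  installTracker('UA-XXXXXXX-1', parseConsent(document.cookie));
}
```

Your consent banner writes the `gdpr_consent` cookie when the visitor clicks accept, and on the next page load the tracker appears; until then the Google script is never even requested, which is the behaviour a regulator means by "consent prior to tracking".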

General key points – GDPR for bloggers

  • Does GDPR apply to all bloggers? Almost certainly, yes. It applies to anyone established in the EU, and to anyone anywhere in the world who offers goods or services to people in the EU or monitors their behaviour. Running analytics or retargeting on EU visitors counts as monitoring, so a blog outside the EU with EU readers is in scope too; it does not matter how large or small you are.
  • Consent is very important BUT do not solely focus on consent. GDPR is about so much more than just consent.
  • Following on from above, a huge misconception is that you need to get "re-permission" from everyone on your mailing list (if you have one!). No, not if you got clear opt-in consent from subscribers when they signed up, can show a record of that consent, and they can easily unsubscribe.
  • Move your blog to HTTPS, if you haven't already done so. It encrypts comments, contact forms and logins in transit, and GDPR expects you to take appropriate technical measures to protect the data you collect.
  • Update your privacy policy. You should include: what data you collect, what you use it for, how long you keep it, and who it's shared with (your host, analytics provider, email marketing service, etc.). It needs to be clear how people can request the data held on them (known as a "subject access request") or request that data is amended or deleted.
  • Ensure you know what you will do in the case of a data breach. Report data breaches to the relevant authority within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the people affected; where the risk to them is high, you must also tell those people directly.
  • Do not publish named brand or PR contacts' details without their consent.

Key points on GDPR for self hosted bloggers who use WordPress.org

Everything mentioned above & additionally…
  • Google Analytics: I'd personally suggest installing the plugin MonsterInsights, which has a new EU compliance addon that helps automate the compliance process (IP anonymisation and consent handling).
  • Use the three WordPress features I've mentioned earlier in this post, as they are designed for this and very useful.
  • YOU are responsible for how plugins on your blog process data, so check your plugins are GDPR compliant. Search "GDPR" in the plugin directory to see whether compliant alternatives are available, and remove plugins you no longer use, as they may still be collecting data.

The scaremongering needs to stop. I really do hope this blog post has been helpful and informative, as I honestly understand GDPR is relatively complex for a blogger. You now have the opportunity as a blogger to follow GDPR and make any changes that are needed. If you feel you can't be GDPR compliant by the 25th May, I personally wouldn't panic about it, but I'd suggest still focusing on getting everything ready ASAP. The sooner, the better!

Here I am including a handy list of informative blog posts and information I’ve come across, from those who are “in the know” with GDPR:
