The General Data Protection Regulation (GDPR) is a new piece of EU legislation coming into force on 25th May 2018 and strengthening the protection of personal data of individuals based in the EU.
You may have heard of the GDPR by now.
Your web host or your email marketing provider may have sent you an email about what they’re planning to do on their end to comply with the GDPR.
You may have received emails from social media platforms letting you know they have updated their privacy policies and terms of service.
You may even have come across some posts about the GDPR on Facebook groups.
But do you know what the GDPR is? Has anyone told you what it means for bloggers and online entrepreneurs? What it means for YOU? How it affects YOU? What YOU need to do in order to comply?
And I’m not asking these questions for the sake of debate or conversation. These are questions you need answers to.
Because let me tell you; even if it may not seem that way, the GDPR DOES affect YOU and you need to make sure you and your blog are ready for when the GDPR comes into effect.
Or else, you may incur hefty fines of up to EUR 20 million or 4% of your annual turnover – whichever is higher!!!
But don’t worry, I’m here to help. I got all the answers for you. In fact, I know a lot about the GDPR.
Why?
You may know me as the co-founder of this blog and the Facebook Group Blogging for New Bloggers, but you might not know about my background and what I have been doing for a living for the past several years.
I’m a lawyer and hold a Master’s degree and a Ph.D. in… guess what? International and EU Law! I have taught EU Law in different Universities in several countries.
So, as a blogger, lawyer and EU Law lecturer and researcher, I’m well placed to go through the GDPR with you.
However, this post is meant for educational and informational purposes only and doesn’t constitute legal advice. Please read my full disclaimer. Should your circumstances require, I encourage you to seek legal advice through other avenues.
Now, let’s dive in and see what the heck this GDPR is and what it means for you.
This post is quite long but you can use the table of content below to navigate and skip sections. Or you can always pin it for later.
What’s the GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), commonly known as the GDPR (thank God!) is a Regulation of the European Union which sets rules relating to the processing of personal data and enhances the right to the protection of personal data of individuals based in the EU.
Technically, the GDPR is not that new. It was passed in April 2016 and entered into force in May 2016. But it will start applying from the 25th May 2018 which means it will become enforceable on that date, and that’s why everyone is freaking out now.
The regulation is easily accessible here and an information portal can be found here.
Although it’s readily accessible, the regulation may sound obscure and it may be difficult to interpret the meaning of its 173 recitals and 99 articles if you’re not familiar with the legal jargon of EU institutions.
Even the full name of the regulation is kind of challenging!
So, my aim in this post is to leave aside all the legalese and mumbo-jumbo and explain in layman’s terms how the GDPR translates into plain and simple English.
For the visually inclined, I also made two infographics illustrating what the GDPR means for bloggers and online entrepreneurs:
- one only detailing some of the key points applying to you for an easy read (at the top);
- the other a bit more in-depth offering an overview of some of the main rights and obligations under the GDPR (at the bottom).
If you blog about blogging or related topics, feel free to use these infographics on your own blog with a backlink to this post if you would like to share it with your audience. To make it easier for you to share it with credits and be on the right side of the law, I’ve premade a code for you. You’d just need to copy and paste the code into your blog text editor and it’s ready to go.
You can use this infographic on your blog!
Does the GDPR apply to bloggers and entrepreneurs?
Yes, it does. And we will see why in a minute.
Material Scope (whom and what it applies to)
The GDPR applies to any individual, company or agency that determines the purpose of, or carries out, the processing of personal data by either automated or non-automated means (with the exception of purely personal or household use).
Individuals, companies or agencies that determine the purpose of the processing are called controllers. Those that carry out the processing are called processors.
Bloggers and online entrepreneurs (mostly as controllers) fall within the scope of the GDPR because you do process personal data on your blog or online business.
For instance, if you have an email list, the GDPR applies to you because you are collecting, processing and storing the email addresses of your subscribers and/or your email marketing provider is doing so on your behalf.
But what if you don’t have an email list?
Incidentally, let me remind you that you should start growing an email list ASAP.
However, the main point here is: are you still bound to comply with the GDPR?
The answer is again a big fat YES.
Let me explain.
The GDPR definition of personal data as information relating to an individual is quite broad and includes, among others, name, email address, identification number, location data and online identifiers.
So, even if you don’t have an email list, you are still most likely to process personal data on your blog or online business.
Just to give you a few examples:
- Contact forms (in your contact page, you may use forms requesting a name and email address)
- Comment systems (in order for users to comment on your blog, your comment system or plugin probably requires them to leave their email address and other information such as name and URL)
- Google Analytics or other analytics tools (they track tons of information relating to your users, including their location)
- Many other tools and plugins
- Cookies
- E-commerce transactions
- Affiliate portals
- Membership areas
- Ads targeting
Under the GDPR, you’re not only required to comply with the new rules yourself but you’re also responsible for ensuring that the plugins and external providers you use comply with the GDPR too.
Territorial scope (where it applies)
The GDPR being an EU regulation, it obviously applies to bloggers and online entrepreneurs based in the European Union.
The GDPR clearly states that the regulation applies to the processing of personal data in the context of the activities of an individual, company or agency in the Union, regardless of whether the processing takes place in the Union or not.
The GDPR has relevance for other countries such as Iceland, Liechtenstein and Norway which are not in the EU but are in the European Economic Area (EEA).
But what if you’re a blogger or online entrepreneur based in a country which is not part of the European Union or the EEA? Does the GDPR still apply to you?
The answer is – surprise! surprise! – again a YES.
In fact, the GDPR also clearly states that it applies to the processing of personal data of individuals who are in the European Union by an individual, company or agency not established in the EU, where the processing activities are related to:
- the offering of goods or services to individuals in the EU, irrespective of whether a payment is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
From this statement we can infer three main key points:
- If your blog or online business gets visitors, clients or subscribers who are based in the EU, the GDPR may apply to you. You’re based in the US, in India, in Canada, in Nigeria, or in Australia, like myself? It doesn’t matter. Wherever in the world you’re based, if you target individuals in the EU or monitor their behaviour, you’re bound by the GDPR. You can read more about how the GDPR applies to bloggers here.
- The GDPR applies to you even if you are not generating an income from your blog or online business.
- If you’re not based in the EU, the GDPR only applies to you if you either target users based in the EU or monitor their behaviour.
But what do “targeting users based in the EU” and “monitoring their behaviour” mean?
Does it mean that if a user based in the EU visits your site, you’re bound to comply with the GDPR even if you’re based in the US or Australia? Does it mean that if someone based in the EU subscribes for your newsletter, then the GDPR automatically applies to you? Or does it mean that you must specifically say that you’re targeting EU based users for the GDPR to apply to you? Or does it mean anything in between?
Luckily, the GDPR itself gives some pointers about what this actually means.
Recital 23 clarifies that in order for the GDPR to apply, it needs to be apparent that your website envisages offering goods or service to users based in the EU.
- The mere accessibility from the EU of the website, an email address or other contact details; or
- The use of a language generally used in the country where you’re based
are not enough for the GDPR to apply to you if you’re not based in the EU.
By contrast, factors such as
- the use of a language or a currency generally used in one or more States of the EU; with the possibility of ordering goods and services in that other language; or
- the mentioning of customers or users who are in the EU
may make it apparent that you envisage offering goods or services to users based in the EU and therefore the GDPR will apply to you.
As to the monitoring of the behaviour of users based in the EU, Recital 24 clarifies that it needs to be ascertained whether users are tracked with subsequent use of techniques consisting of profiling, particularly in order to take decisions concerning them or for analysing or predicting their preferences, behaviours and attitudes.
So, to translate the above statement into plain English and give you an example of the extent of these provisions, using Google Analytics won’t in itself automatically make you bound to comply with the GDPR; whereas running ads with behavioural targeting techniques might.
So, I’m sorry to break it to you but even if you’re a new blogger just starting out, if you’re either targeting EU users or monitoring their behaviour, the GDPR does apply to you and you may need to make some changes to comply.
Of course, the GDPR dictates different rules and obligations depending on whether the processing of personal data is carried out on a small or large scale by a solo entrepreneur or an enterprise.
For example, the designation of a Data Protection Officer (DPO) and the appointment of an EU representative are mandatory only when the processing is regular and systematic, or when particular categories of data are processed on a large scale. On the contrary, if the data processing is occasional, not of a sensitive personal nature, or unlikely to result in a risk to the rights and freedoms of people, it’s not a mandatory requirement.
But the core principles and obligations of the GDPR apply to all individuals, companies and agencies involved in the processing of personal data either based in the EU or offering goods or services to individuals based in the EU, regardless of their size or whether payment to access their services is required.
Even when the processing of data is occasional or carried out on a small scale, the core principles and obligations of the GDPR are legally binding.
So, tough luck, my friends, we need to get to work and make the necessary changes to be compliant.
Let’s see what’s expected of us.
What do you need to do in order to comply with the GDPR?
The GDPR introduces many new obligations which also apply to bloggers and online entrepreneurs. They include
- the way consent can be obtained lawfully
- the duty to disclose how data are collected, stored and processed
- a series of rights that need to be guaranteed to users and subscribers
- a series of obligations you need to uphold
- and much more.
They’re all legally binding and what used to be lawful won’t necessarily continue to be so after the GDPR comes into force on 25 May 2018.
Consent
Processing of personal data under the GDPR is lawful only if and when at least one of the conditions listed in Article 6.1 is met.
Among these conditions, the most relevant to bloggers is consent so, for the purpose of this post, we will focus on consent.
In relation to consent, the GDPR states that processing of personal data of EU individuals is legal only when they have given consent to the processing of their personal data.
You may think that you’re already applying this principle and so on this point, you’re covered.
Well, I’m sorry to be the bearer of bad news again, but this couldn’t be further from the truth.
Most blogs and websites (including my own – but, hey, I’m working on it and will be ready by the deadline of 25 May 2018!) are currently not compliant with the GDPR.
That’s because the way you can obtain consent lawfully under the GDPR is quite different from what is currently considered lawful.
The requirements are more stringent and what used to be lawful before won’t necessarily continue to be so under the GDPR.
Let’s start by looking at what the GDPR considers consent and how you can obtain consent in line with the GDPR provisions.
Bear with me for a second while we go through some technical points. I promise I will translate this into plain English.
First of all, consent must be freely given, specific, informed and unambiguous.
If consent is given in the context of a written declaration which also concerns other matters, the request must
- be made in an intelligible and easily accessible form,
- use clear and plain language, and
- be presented in a manner which is clearly distinguishable from the other matters.
Written declarations can be made by electronic means and by ticking a box (pheww!)
In all circumstances, consent should be given by a clear affirmative action.
In addition, at the time when the personal data are collected, you need to provide detailed information on many aspects of the processing of personal data you’re carrying out including (but not limited to)
- your contact details and of your representative in the EU (where applicable),
- the contact details of a DPO (where applicable),
- the purpose and legal basis of processing personal data,
- for how long their personal data will be stored,
- whether you will be transferring their personal data to third parties,
- the right to withdraw consent at any time,
- the right to lodge a complaint with a supervisory authority.
Moreover, parental consent needs to be obtained in case of users of 16 years of age or lower. Each EU State may lower the age requirement by law as long as it’s not below 13 years.
Alright, enough with the mumbo-jumbo!
We can breathe now.
So, what are some practical implications of these provisions for bloggers and online entrepreneurs?
Let’s start with a real-life example. Let’s say you would like to offer a freebie to encourage readers to sign up for your newsletter.
At the moment, many bloggers are using a sign-up form that looks like this:
But bad news: while this kind of sign-up form is okay now, it is not compliant with the GDPR.
Remember, under the GDPR, at the time you collect personal data, you need to provide your users with information relating to the way you will be storing and processing their personal data, their rights under the GDPR and the obligations you uphold.
But don’t be scared. I know what you’re thinking: if every time you collect some personal data, you need to provide all this information, your users will be put off for sure.
The good news is you can just refer to all this information with a link to your privacy policy and/or terms of service.
If you don’t have one, now is the time to make one. Make sure your privacy policy is updated and in line with the GDPR provisions. You also need to ensure it’s intelligible, clear and written in plain English.
If you need help with drafting your privacy policy, I’ve made available for bloggers and website owners a very affordable template. You can have a look here.
Once you have your privacy policy ready, you will have to go and change all your sign-up forms to add a link to your privacy policy and/or terms of service, like in the form below.
This form has a link to the privacy policy and a box that users need to tick after they read your privacy policy to express acceptance of your terms and policies.
In order for this form to be compliant with the GDPR, you need to keep in mind that
- You can’t use pre-ticked boxes
- Users must tick the box to express acceptance of your privacy policy and/or terms of use
- If they don’t tick the box, you cannot process their personal data
- Only by ticking the box do they agree to your policies relating to the processing of their personal data.
This is because under the GDPR, consent must be given freely by a clear affirmative act.
Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.
On top of that, here comes more bad news: the purpose of you creating this awesome freebie was so that you could add your user to your list of subscribers to your newsletter in exchange for your freebie, right?
Well, sorry to disappoint but it will no longer work that way.
By using a form similar to the one we discussed above, you are only obtaining consent from your users to process their personal data in order to send them the freebie. They did not give you consent to be added to your newsletter and you cannot add them.
If you want to add them to your newsletter, you have two options: either you request separate consent in the same sign-up form or if you have a double opt-in, you can request separate consent in the email you will be sending to confirm their sign up.
But please keep in mind that under the GDPR, when you’re requesting consent for separate matters, each request must be distinguishable and you can’t bundle them.
So, for example, the form below would not be GDPR compliant because you’re bundling your request for both matters in one request.
Instead, you will have to use a form like this one below where the requests are kept separate and distinguishable.
Under the GDPR, you will no longer be able to make subscribing to your list a condition to redeem your freebie – however awesome it may be.
This means that there is the possibility that you may need to give the freebie without having your users sign up for your newsletter in exchange.
If they tick a box or click on a link or button to give consent to processing their data for the purpose of sending the freebie but they do not tick the separate box or click on the separate link or button to give consent to processing their data for the purpose of adding them to your newsletter, you cannot add them.
You need to have separate consent for each matter. And you cannot have them join your newsletter as a condition to retrieve the freebie. So you can’t have pre-ticked boxes or a system where if they don’t tick the newsletter box, they can’t continue.
I mean, Article 6.4. states that processing for another purpose may be compatible with the purpose for which the personal data are initially collected if you are able to determine so by taking into account a series of factors such as
- any link between the two purposes;
- the context and the relationship between you and your user;
- the nature of the personal data;
- the possible consequences of the intended further processing;
- the existence of appropriate safeguards such as encryption or pseudonymisation.
So, some are arguing that adding your user to your newsletter was compatible with the initial purpose of processing their personal data to send the freebie.
But while this may be true for the processing of data on a different legal ground (e.g. legitimate interest), Article 6.4 does not apply when the data are processed on the basis of consent.
Generally speaking, until there are some clear guidelines on this, some case-law and/or an established practice by the big players in the email marketing industry after the GDPR starts to apply, I personally wouldn’t take the risk of following loose interpretations of the regulation; I would rather stick with strict compliance, albeit more onerous. I mean, better safe than sorry, right?
And if it’s true, on one hand, that this way your email list will grow less quickly, on the other hand, you will have a more engaged email list composed entirely of subscribers who truly wanted to join and weren’t “bribed” by your freebie.
Considering the costs associated with the size of your email list, it’s not necessarily a bad thing to fail to attract those potential subscribers who won’t be engaged with your message, won’t open your emails and definitely, won’t convert.
Also, keep in mind that the forms above are just examples for illustrative purposes. But as long as the request for processing personal data is clear and in plain language, you can be less stiff and more creative to entice users to subscribe to your newsletter.
Finally, let’s have a look at another form.
This form is not GDPR compliant because there are too many fields requesting information that are not strictly necessary to achieve the designated purpose.
In order to fully comply with the GDPR, you need to apply the principles of privacy by design and privacy by default at every stage of the data processing, including when determining the means for processing and at the time of the processing itself.
This means that at any stage of the processing, you need to give high priority to your users’ privacy and the protection of their personal data.
You are required to implement technical and organisational measures, such as pseudonymisation and data minimisation, and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
According to the data minimisation principle, you can only request personal data which are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In our example, your purpose is to send your awesome freebie to your user by email so requesting other information such as their phone number or their city in addition to their email address is not necessary and is therefore against the GDPR provisions.
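To make the consent and data-minimisation points above concrete, here is an added example of server-side handling for a freebie sign-up form. It is not code from the original post; field names, purpose names, the shape of the parsed submission and the layout of the consent record are all assumptions. It applies the rules discussed above: only an explicit tick counts as consent (no pre-ticked or defaulted boxes), each purpose is consented to separately and never bundled, the newsletter is never a condition of the freebie, fields no granted purpose needs are discarded, and a timestamped consent record is kept because the burden of proof is on you as the controller.

```javascript
// Added example (not from the original post). Assumed: the form parser has
// already turned a ticked box into boolean true and an unticked/absent box
// into false, and every other field into a string.

// Each purpose lists the only fields it needs (data minimisation).
const PURPOSES = {
  freebie: { fields: ["email"], action: "sendFreebie" },
  newsletter: { fields: ["email"], action: "addToNewsletter" },
};

// A clear affirmative act is the only thing that counts as consent.
// A missing key, a pre-filled "on" string or anything else is no consent.
function hasConsent(consents, purpose) {
  return consents[purpose] === true;
}

function processSignup(submission, now = new Date()) {
  const fields = submission.fields || {};
  const consents = submission.consents || {};
  const reject = reason => ({ accepted: false, reason, actions: [], stored: null, discarded: [], record: null });

  // Separate, unbundled consent: every purpose is checked on its own.
  const granted = Object.keys(PURPOSES).filter(p => hasConsent(consents, p));
  if (granted.length === 0) {
    // Silence or inactivity is not consent: nothing is stored or sent.
    return reject("no affirmative consent given");
  }

  // Keep only the fields some granted purpose needs; drop the rest
  // (for example a phone number or city collected "just in case").
  const needed = new Set(granted.flatMap(p => PURPOSES[p].fields));
  const stored = {};
  for (const name of needed) {
    if (fields[name] === undefined || fields[name] === "") {
      return reject(`missing required field: ${name}`);
    }
    stored[name] = fields[name];
  }
  const discarded = Object.keys(fields).filter(n => !needed.has(n));

  // Evidence of consent: who, for which purposes, when, and against which
  // version of the privacy policy and form. This is the paper trail you need
  // if you ever have to demonstrate that consent was obtained.
  const record = {
    subject: stored.email,
    purposes: granted,
    consentedAt: now.toISOString(),
    policyVersion: submission.policyVersion || "unknown", // assumed field: version of the linked policy
    formId: submission.formId || "unknown",               // assumed field: which form was used
    confirmed: false,                                     // set by the double opt-in step below
  };

  // The newsletter is never a condition of the freebie: only the purposes
  // actually consented to produce an action.
  const actions = granted.map(p => PURPOSES[p].action);
  return { accepted: true, reason: null, actions, stored, discarded, record };
}

// Double opt-in: completing the record when the confirmation link is used
// gives you evidence of both the form tick and the email confirmation.
function confirmDoubleOptIn(record, now = new Date()) {
  return { ...record, confirmed: true, confirmedAt: now.toISOString() };
}

// Constructed sample submission (not real data): freebie consented to,
// newsletter left unticked, extra fields supplied that no purpose needs.
const sampleResult = processSignup({
  formId: "freebie-form-v2",
  policyVersion: "2018-05",
  fields: { email: "reader@example.com", phone: "+1 555 0100", city: "Sydney" },
  consents: { freebie: true, newsletter: false },
}, new Date("2018-05-25T00:00:00Z"));
```

With the sample submission, `sampleResult.actions` is `["sendFreebie"]` only, `stored` holds just the email, and `discarded` lists `phone` and `city`; a submission with no box ticked, or with a box whose value is the string `"on"` rather than boolean `true`, is rejected outright and nothing is stored.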
All the core principles and obligations that we have seen so far apply to every aspect of requesting consent lawfully under the GDPR, and you will have to follow and apply them in any situation where you will be processing personal data of your users.
So, for example, you will have to apply the same rules and apply the same principles to your cookie pop-up, your comment system, your giveaways and your e-commerce store.
Due to the large number of obligations and enhanced rights introduced by the GDPR and the complexity of its provisions, it would be impossible to go through each example in a single blog post.
However, I created a GDPR compliance e-course for bloggers (paid) where I go in detail for each provision of the GDPR and provide examples, templates and checklists for each action you will need to undertake to ensure full compliance.
Cutting it too close to the deadline of May 25th?
Not at all.
My course comes with an overview of the key GDPR provisions relevant to bloggers and a step-by-step action plan to make your blog fully GDPR compliant in no time.
Each action step can be tackled in 15/30 minutes or less.
It includes a Privacy Policy Template and other amazing bonuses.
Plus, my course is not limited to the steps you need to take before May 25th but also includes instructions on how to uphold your ongoing obligations, how to act upon a request from one of your users or subscribers exercising one of their rights protected by the GDPR, and what to do in the unfortunate event of a breach.
It will also be updated with future legislative development such as, for example, the regulation on privacy and cookies expected to come into force in 2019.
You will have lifetime access to current and all future versions of the course at no extra cost to you.
Double opt-in
A double opt-in is not per se a requirement for obtaining consent lawfully under the GDPR.
A single opt-in system which uses a GDPR compliant form is still a lawful way to obtain consent.
However, under the GDPR, you’re also required to be able to demonstrate that you have obtained consent to the processing operation.
So, I would recommend activating a double opt-in for the purpose of keeping evidence of consent.
The burden of proof is on you and by storing the paper trail of the double opt-in where users/subscribers/customers have validated their consent, you can easily prove that that specific individual has consented to you processing their personal data for that specific purpose.
Existing users and subscribers
The other issue that we will have to take into account when making our blog GDPR compliant is that the GDPR doesn’t apply exclusively to the processing of personal data after it comes into effect on 25 May 2018, but you also need to make sure that the consent obtained before the GDPR meets the conditions set out in the GDPR.
So, now that we know what’s expected of us under the GDPR in terms of lawful consent, we will also have to check whether your previous sign-ups were GDPR compliant and whether you have records of the lawfully obtained consent.
If your previous sign-ups were compliant and you have records, that’s great! You don’t have to do anything.
If not – which is most likely – you will have to revalidate all of your EU subscribers now.
Since you can’t be 100% sure which ones of your subscribers are from the EU (even if you have access to their IPs), just to be safe, I would revalidate all your subscribers.
But I’m not an IT expert. So, if your email marketing provider assures you that you can be 100% sure of the location of your subscribers, since the GDPR only applies to individuals based in the EU, you are allowed by law to revalidate your EU subscribers only.
However, keep in mind that YOU, as the controller, are responsible for making sure your blog is compliant and also that all your external providers (processors) involved in the processing of the personal data of your users comply too. So, if something goes wrong, you are the one liable, not your email provider. So, when in doubt, err on the safe side of things even if it’s more onerous for you.
I use MailerLite and they have released a pre-built template which comes in handy to revalidate subscribers.
This template is fully customizable but please don’t delete the unsubscribe button. Under the GDPR, it must be as easy to withdraw as to give consent so you do need to keep both options.
Also, remember that as I mentioned earlier, consent must be given freely and by a clear affirmative action. Silence or inactivity don’t constitute consent.
So, if your subscribers don’t click on the button to revalidate their consent by 25 May 2018, you will have to remove them from your list.
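The revalidation rule just described, as an added example that is not part of the original post: a subscriber stays on the list only if you already hold a consent record that meets the GDPR conditions, or if they clicked the revalidation button before the deadline; everyone else is removed. The subscriber and consent-record shapes, and the `compliant` flag that marks a pre-existing record as GDPR-grade, are assumptions.

```javascript
// Added example (not from the original post). Assumed data shapes:
//   subscriber     = { email }
//   consent record = { compliant?: boolean, reconfirmedAt?: ISO string }
// Following the post's advice, all subscribers are revalidated, not only
// the ones believed to be in the EU.

const GDPR_START = "2018-05-25T00:00:00Z"; // date from the post

// A consent is valid at `asOf` if it was already recorded in a GDPR-compliant
// way, or if the subscriber actively reconfirmed before the deadline.
// No record, or a reconfirmation that arrives too late, is no consent.
function consentIsValid(consent, asOf = GDPR_START) {
  if (!consent) return false;
  if (consent.compliant === true) return true;
  if (typeof consent.reconfirmedAt !== "string") return false;
  return Date.parse(consent.reconfirmedAt) < Date.parse(asOf);
}

// Splits the list into subscribers to keep and subscribers to remove.
// Silence or inactivity never keeps anyone on the list.
function revalidate(subscribers, consentsBySubject, asOf = GDPR_START) {
  const keep = [];
  const remove = [];
  for (const sub of subscribers) {
    (consentIsValid(consentsBySubject[sub.email], asOf) ? keep : remove).push(sub.email);
  }
  return { keep, remove };
}

// Constructed sample data (not real subscribers).
const sampleSubscribers = [
  { email: "a@example.com" }, // old consent, already recorded in a compliant way
  { email: "b@example.com" }, // old consent not compliant, reconfirmed in time
  { email: "c@example.com" }, // reconfirmed, but after the deadline
  { email: "d@example.com" }, // never answered the revalidation email
];
const sampleConsents = {
  "a@example.com": { compliant: true },
  "b@example.com": { compliant: false, reconfirmedAt: "2018-05-20T08:00:00Z" },
  "c@example.com": { compliant: false, reconfirmedAt: "2018-05-26T08:00:00Z" },
};
const revalidationResult = revalidate(sampleSubscribers, sampleConsents);
```

On the sample data, `revalidationResult.keep` is `a` and `b` and `remove` is `c` and `d`; the late click from `c` does not count, because the post's rule is that consent must be in place by the time the GDPR applies.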
If you use a different email marketing provider, you can check this thorough post on GDPR and email marketing by Peter Nyiri of FunnelXpert, which discusses what the most popular email marketing providers are planning to do to comply with the GDPR.
Expanded rights for individuals
The GDPR includes a range of new and enhanced rights for individuals.
We have already discussed how we need to provide information to our users on how, why and for how long we will be processing their personal data. Other rights include
Right of access
Users are entitled to ask you how you are using their data and for what purposes. If you receive a request of this type, you must provide a personal data report at no cost to them.
Right to erasure
Users have the right to be forgotten and they’re entitled to ask you to delete all data associated with them. This means that an unsubscribe button is not enough. If you receive a request of this type, you are required to delete all the data stored in your database.
Right to data portability
Users are entitled to request their data. If you receive a request of this type, you will need to download a file of all their data in a commonly used and machine-readable format, e.g. pdf, JSON.
MailerLite allows you to download your subscribers’ data in a GDPR compliant format.
The right to data portability also means that once users obtain their data from you, they are entitled to transfer them to another blogger or online entrepreneur.
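The three rights just described (access, portability and erasure), as an added example that is not from the original post, handled against a small in-memory store. The store layout, table names and field names are assumptions standing in for what a real blog keeps across its database, email provider and comment system. The point to notice is that erasure walks every table that can hold personal data, because, as the post says, an unsubscribe flag is not enough.

```javascript
// Added example (not from the original post). Constructed sample store:
// every table that can contain personal data is listed here, so access,
// export and erasure all cover the same set of places.
function makeStore() {
  return {
    subscribers: [
      { email: "reader@example.com", name: "Reader", joinedAt: "2018-03-01T10:00:00Z" },
      { email: "other@example.com", name: "Other", joinedAt: "2018-04-02T11:00:00Z" },
    ],
    consents: [
      { subject: "reader@example.com", purposes: ["freebie", "newsletter"], consentedAt: "2018-03-01T10:00:00Z" },
      { subject: "other@example.com", purposes: ["freebie"], consentedAt: "2018-04-02T11:00:00Z" },
    ],
    comments: [
      { email: "reader@example.com", url: "https://example.com", body: "Great post", postedAt: "2018-03-05T09:00:00Z" },
    ],
  };
}

// Which column identifies the data subject in each table (assumed layout).
const PERSONAL_DATA_TABLES = { subscribers: "email", consents: "subject", comments: "email" };

// Every record about one subject, table by table.
function recordsFor(store, email) {
  const out = {};
  for (const [table, key] of Object.entries(PERSONAL_DATA_TABLES)) {
    out[table] = store[table].filter(r => r[key] === email);
  }
  return out;
}

// Right of access: what is held, where, and for which purposes.
function accessReport(store, email) {
  const records = recordsFor(store, email);
  const purposes = new Set(records.consents.flatMap(c => c.purposes));
  return {
    subject: email,
    purposes: [...purposes].sort(),
    heldIn: Object.entries(records).filter(([, rows]) => rows.length > 0).map(([table]) => table),
    recordCount: Object.values(records).reduce((n, rows) => n + rows.length, 0),
  };
}

// Right to data portability: the same records in a commonly used,
// machine-readable format (JSON) that another service can import.
function portabilityExport(store, email, now = new Date()) {
  return JSON.stringify(
    { exportedAt: now.toISOString(), subject: email, data: recordsFor(store, email) },
    null, 2);
}

// Right to erasure: the rows themselves are removed from every table.
// Returns how many records were deleted, which is worth logging as evidence
// that the request was acted upon.
function erase(store, email) {
  let removed = 0;
  for (const [table, key] of Object.entries(PERSONAL_DATA_TABLES)) {
    const before = store[table].length;
    store[table] = store[table].filter(r => r[key] !== email);
    removed += before - store[table].length;
  }
  return removed;
}
```

Running `accessReport(makeStore(), "reader@example.com")` reports three records across the subscriber, consent and comment tables; after `erase` on the same subject the report is empty while the other subscriber's two records are untouched.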
Other enhanced rights are
- the right to rectification;
- the right to restrict processing;
- the right to object;
- and rights in relation to automated decision making and profiling.
Right to lodge a complaint and right to compensation
In addition to these rights, your users also have the right to lodge a complaint with a supervisory authority against you if they consider that the processing of their personal data doesn’t comply with the GDPR.
They also have the right to an effective judicial remedy, to bring legal proceedings before the courts, and to receive compensation if they’ve suffered monetary or emotional damage as a result of non-compliance with the GDPR.
Basically, they can sue you and get you to pay for compensation.
And this is on top of the administrative fines up to EUR 20 Million you may incur.
You can use this infographic on your blog!
What happens if you don’t comply?
The obligations introduced by GDPR are not limited to those I have mentioned so far.
Under the GDPR you are required to uphold many more obligations, including
- Carrying out assessments
- Implementing data protection by design and by default
- Where applicable, designating a DPO and appointing a representative in the EU
- Keeping records of processing activities
- Ensuring security standards
- Notifying breaches to supervisory authorities within 72 hours
- Communicating breaches to involved users.
With so much to learn and implement, it’s easy to get overwhelmed and I understand you may feel tempted to not comply with the GDPR.
But you need to keep in mind that the GDPR is the law, so it’s not really up to you to decide.
If you don’t comply, you will be doing something illegal.
Besides the ethical implications, you may risk very steep fines (up to EUR 20 000 000 or 4% of your annual turnover – whichever is greater).
And if you’re thinking “yeah, but the GDPR is going after the big fish like Facebook and Google, not a small blog with 500 subscribers”, think again!
It’s not so much that some zealous EU officials may stumble upon your blog; it is more that your users have the right to lodge a complaint against you to the EU supervisory authority and/or sue you.
It takes one unhappy subscriber to get you in trouble.
Plus, while large companies like Facebook or Google may survive hefty fines in the range of millions (they have in the past), the same can’t be said for a new blogger just starting out.
It can just take a fine of a few thousand dollars to tank your business for good.
If you’re not based in the EEA, you may be tempted to make your blog or online business inaccessible to the users from the EEA.
After all, since the GDPR applies only to the processing of data within the EEA or of individuals based in the EU, if you don’t process data of individuals based in the EU, you won’t need to comply.
But, apart from the fact that you may never be 100% sure that your users are not based in the EU, are you really sure you want to lose the traffic from about 30 very populous countries?
Finally, you may be tempted to apply different privacy standards to your users from the EU and your other users.
I’m not a big fan of this approach either.
And that’s for several reasons.
- Because, again, you can’t be 100% sure of the residency status or location of your users. And remember, it takes one unhappy user to get you in trouble.
- Because the GDPR has resulted – and will result even more in the near future – in a big shift worldwide in the way personal data will be processed. All big social media platforms such as Facebook, Instagram and Twitter have already changed their privacy policies to comply. Google Analytics has already implemented measures and so have thousands of other companies. Even WordPress is planning to release a new version with GDPR compliant privacy tools in core. If everyone else is updating their policies and systems for all users, you don’t want to be the only one left looking spammy, do you?
- Under the GDPR, you are not only required to comply with its provisions but also to make sure your partners, plugins and external providers do. If your blog or online business is not GDPR compliant, brands and providers may not want to work with you.
- Because, due to the close relationship, partnership and collaboration between the EU and other countries, national legislation of other countries may change in the coming years to catch up with the GDPR, to the point that the data protection set by the GDPR will be the standard in most countries. Do you want to work on your compliance again once it becomes national law in your own country?
- And most importantly, because it’s the right thing to do. The GDPR strengthens the rights of all of us as consumers and we should be pleased that our consent to the processing of our personal data has finally been formally enforced in some way.
So, let’s recap. What happens if you don’t or partially comply with the GDPR?
- It’s illegal
- You can get fined
- Users can lodge a complaint against you and sue you
- You may lose traffic, clients and sponsored opportunities
- You may look spammy
- You may have to work twice on your compliance.
So, start working on your compliance with the GDPR now!
When do you need to comply by?
You have until 25 May 2018 to finalise your compliance.
But this deadline is just the beginning.
By 25 May 2018, you need to make sure that everything related to the processing of personal data via your blog or online business (your forms, plugins, privacy policy, etc.) is GDPR compliant.
After that, you will need to maintain records, undertake actions and carry out duties as per GDPR requirements in terms of the right of access, the right to data portability, obligations in case of a breach and so on.
Basically, under the GDPR, you will have ongoing obligations for the rest of your blogging life.
Plus, further pieces of EU legislation, such as the E-Privacy Regulation, may come into force in the not so distant future.
Here are a few things you can do to make sure your blog or online business is ready by the deadlines:
- Get some plugins like the GDPR plugin or the GDPR Framework plugin to start familiarising yourself with what you need to do. Please keep in mind that even if you install a plugin, you will still need to know what you’re required to do under the GDPR and fill out the boxes, fields and forms accordingly.
- Add a Privacy Policy to your website. You can get my Privacy Policy Template here. And if you need help with your legal pages, check out these tips on the 4 legal pages you must have on your blog.
- If you don’t have one already, get an SSL certificate for your website (basically, switch from HTTP to HTTPS so that traffic between your readers and your site is encrypted). Unlike other web hosts, Siteground offers FREE SSL certificates included in their hosting fees.
- Research and learn as much as possible but please be mindful of the reliability of your sources. There is so much conflicting advice out there at the moment and I have personally come across some advice that was plain wrong. Given the steep fines and what’s at stake, I would make sure you don’t rely on random posts and articles but that you carefully check your sources.
- Consult with a lawyer, if necessary. Yes, it may be expensive but if your circumstances are particularly complex, I would consider making the investment.
- Consider expanding your education and enrolling in a good course. It will give you peace of mind and, at the same time, will save you money, headaches and tons of time that could be better spent writing your posts and growing your business.
As I mentioned earlier, I’ve created an e-course (paid) where I go into detail on each provision of the GDPR and provide examples, templates and checklists for each action you will need to undertake to ensure full compliance.
It will cover all aspects of your compliance, all principles and legal requirements, and all ongoing obligations and responsibilities under the GDPR that couldn’t possibly be addressed in one single blog post without it becoming super overwhelming.
The great thing about the course is that you will be able to learn and implement at your own pace and you will be able to go back to it every time you receive a request from your users related to their rights under the GDPR.
Good luck with your compliance and if you have any questions about the GDPR, go ahead and leave a comment below.
This was super helpful. Thanks so much for taking the time to make it!
Thank you, Jessica!
Thanks for explaining all of this! As a new blogger, I had no idea how much of a big deal GDPR is. While I now know more about it, at the same time I am completely overwhelmed and not sure if I am tech savvy enough to do everything that is required!!!! I guess I have 23 days to work on it…
I know, it’s a lot to take in, Kimberley, but once you start working on your compliance, it will all make sense! Thanks 🙂
Thank you soooo much! Seriously. This also impacts me at work but some people just don’t get it.
I know, Michelle, right? Plus, I have seen so much BS around. Thanks 🙂
Thank you for this!!! I just sent an email in regards to this to my subscribers.
Trying to figure out how to have those boxes so the reader ticks on them under the EU’s guidelines. I have MailerLite too.
Thanks, Maria! In MailerLite, in the “embedded form” there is a field called “Confirmation checkbox text”. You need to fill that out. Hope this helps.
Thank you! Though fairly certain the fines go up to $20MM EU, not 2.
Yes, Lynn, 20 million! I wrote 20 million every time except for the first time. It was a typo. Thanks so much for pointing that out. Much appreciated. I will go and fix it now. Thanks again.
This has helped SO MUCH – as I am completely clueless when it comes to this area of expertise. I was wondering – what about affiliate links compliance? And, as far as the Terms and Conditions and Privacy Policy… I have one, but I used a free “template” from the grapevine. Is there a way I can pay someone to actually write a legitimate one that comply with the GDPR?
Hi Carissa, thanks. Glad to hear you found it useful. 🙂
As to affiliate links compliance, you will have to include that in your cookie pop up, privacy policy and terms of service.
You may also want to add in your FTC compliant affiliate disclosure at the top of your posts that you use cookies for this purpose but the cookie pop-up, if fully GDPR compliant, will be enough.
As to the privacy policy, you can use a premade free template as long as you make sure it’s fully GDPR compliant and is intelligible and written in plain and simple English.
I find these free templates are usually very full on legalese.
But if you read it and 1) you see that it covers all the information you need to provide under the GDPR 2) you, yourself, understand what it’s saying, you’re okay to use it.
Otherwise, I wouldn’t.
You can pay either an agency or a lawyer to draft a privacy policy for you. From what I’ve seen around, they’re quite pricey ($500+) but you can shop around.
My course will include GDPR compliant privacy policy templates that can be used on blogs.
If someone requests the right to be forgotten and you delete their data from your mail service, how ever do you go about proving that to them?
Hi Emma,
That’s a great question!
I use MailerLite and they have introduced a GDPR feature called “forget”.
If a subscriber exercises their right to be forgotten, I would locate them and click on forget (then type forget as an extra safety measure) and all their data will be completely erased from my database within 30 days (in line with GDPR provisions).
Once I do that, MailerLite gives me the following confirmation message: “Subscriber data will be completely deleted and forgotten within 30 days.” I would then take a screenshot of this and attach it to my correspondence to my ex-subscriber to communicate erasure.
I think all other email providers will roll out similar features by the 25th May.
This is the best info I’ve found. Thank you.
Aww thanks! Nice to hear that 🙂
One more thing, I see you use MiloTree. I use it for Pinterest but also to get email subscribers. Do you know if they are compliant?
Hi Michelle,
I’m currently using MiloTree to get email subscribers too but it’s only a straight sign-up form to join my email list with no freebie in exchange (for anything else I use MailerLite sign-up forms).
At the moment, this MiloTree form is NOT GDPR compliant.
If they add the possibility to include checkboxes within their subscribe form before the 25th May (which is most likely), I will keep using it.
If not, I will keep using MiloTree only to increase my following on social media platforms such as Pinterest or Facebook but I will stop using their sign up form for subscribers.
Well so much for “plain English” & assumed implementation.
There is no way this is enforceable across the pond.
Thanks for your comment.
If you read the regulation and then compare it with my post, you would see how my post is indeed in plain English. The regulation is composed of 173 very long recitals and 99 very complex articles. A short post of 6K words offering an overview of all the key points, main rights and primary obligations is physiologically doomed to be a bit overwhelming and crammed with legal concepts. Sorry. In my course, where I can address each concept individually, I have more room to break each provision down in simple words.
As to its application, saying that there is no way the GDPR would be enforceable across the pond is denying the existence of private international law, undermining cooperation agreements and the aid of enforcement agencies and local authorities, and calling national provisions such as, for example, those relating to the enforcement of a foreign judgement in the US, rubbish.
Everyone is free to ignore the GDPR… at their own risk.
Thank you so much for this! As a new blogger, so much of the GDPR information that was out there was so confusing as to how it would apply to me and my blog. And so much of the information was vague with a lot saying not to worry about it. Thankfully I found this post in time to get it all fixed up and compliant! I always prefer to play it on the side of caution rather than risk the worst case scenario happening. Now that I have a few pages of notes for what I need to do for the blog I can get started on getting it done and out of the way now! Seriously, thank you!!! 🙂
Awww thank you, Kristin, for your sweet message. I’m glad to hear my post was helpful to you!
Ma’am, would your paid class also refer and be helpful to those on Google’s Blogger? I have a big following of those on Blogger getting hit with this stuff as well and need to make sure they aren’t going to be pushed and coerced into joining another platform. Also can you email me your prices for this?
Thank you!
Hi Rebekah,
Thanks for your message and interest in my course.
My course applies to all platforms. I may suggest some FREE plugins to make things easier but everything can be manually done on all platforms.
My course is currently available for pre-purchase at an early-bird price of US$39 (over 40% OFF regular price) until May, 18th. You can check it out here: https://tinylovebug.teachable.com/p/gdpr-compliant-blog/
Hi Lucrezia – I am awaiting your course and the costing too. I have had a few with lawyer back-ups put out courses with the forms needed etc – but for USA. What will your course involve?
PS I didn’t tick the Privacy Policy as it had no detail – then your box wouldn’t accept my comment unless I ticked the box 🙂 🙂
Hi Deborah,
I’m sorry to hear about the checkbox in the comment. I’m testing out things for the course and for my own compliance, and you must have commented when I was playing around with my policy and plugins. I won’t make my own website GDPR compliant until the 24th May but obviously, I’m already working on it behind the scenes.
Thanks for your interest in my course. It will cover all provisions of the GDPR (application, ongoing obligations, rights, etc.) and will have a practical section where I guide you through full compliance step-by-step. It will also include checklists, templates of privacy policy, cookie policy, emails, other documentation and real-life examples of implementation. It will be a living document, as most companies and providers are only working on their own compliance with the GDPR now, so I will keep updating it as soon as new features get released or policies change. Purchasing the course will give lifetime access to all its future updates.
I’m an Italian (so EU citizen) trained in EU law but I’m currently based in Melbourne, Australia. My course is not country-specific, it can be used by any blogger to make their blog GDPR compliant regardless of what country they’re based in.
I would have loved to launch the course sooner but I want it to be as comprehensive as possible so I’m awaiting the release of some features by other companies and providers (e.g. the location feature to identify subscribers from the EU by MailerLite) so that I can include them in my course.
My course is currently available for pre-purchase at an early-bird price of US$39 (over 40% OFF regular price) until May, 18th. You can check it out here: https://tinylovebug.teachable.com/p/gdpr-compliant-blog/
Oh I love this! Thank you SO much Lucrezia! I’ve been struggling with this… I feel like I’m lucky in that I’m just starting out (my blog is just a few weeks old, zero subscribers yet) so I have the chance to set it all up right from the beginning. I’m with MailerLite too, and I think I’ve got my head around the email list subscriber side (well, kind of), but the privacy policy stuff has me all confused. So sign me up, baby! My only question is, will the privacy policy template in your course be suitable for Australian bloggers? And will it be sufficient as a privacy policy as a whole, or will there be other Australia-specific “bits” I will need to add in?
Thanks again!
Hi Chrissy,
Thanks for your sweet message and your interest in my course 🙂
I’m based in Australia too so we’re covered ahah
There are some bits that bloggers in the US (not us Aussies) need to add but everything will be specified in the course.
Thank you so much for posting this, it was super helpful! I saw in a previous comment that you had a checkbox enabled for comments; does this mean we should include a checkbox for readers to tick off to confirm they’ve read our Privacy Policy before they comment on a post? How did you turn that on?
Thanks, Ann, glad to hear you found it helpful. Yes, that’s correct, you should include a checkbox in your comment system. You can use plugins to turn that on. I recommend one in my course.
Great post, Lucrezia — thanks! Two questions:
1) How do we get tick boxes for our sign up forms? My email provider doesn’t seem to have them, nor does SumoMe. I emailed support at both. I suspect some providers won’t have them, which means I should disable all forms till they do? Do you know any workarounds?
2) Establishing consent for users already signed up is problematic when not everyone is likely to open emails asking for consent. Any suggestions on how to stay compliant since there’s no way everyone you email to get consent will reply? The write-up from my email provider implies that a record of their signing up for the email list (which they did when they opted into my freebie sometime in the last several years) is “proof of consent,” which does not seem to align with what you’re saying.
Thanks for any advice you can offer!
Thanks, Susannah.
1) Most providers have enabled tick boxes for sign up forms. They’re all working on their own compliance with the GDPR now, so if they don’t have it yet, they might be rolling it out in the next few days. You’ve done the right thing in contacting their support team. I contacted MailerLite, which initially only had the possibility to add one single checkbox and no possibility to add a link to the privacy policy, explaining my concerns, and they have now added the possibility to add multiple checkboxes and links to policy notices. We need to make sure the providers we use are fully GDPR compliant because, under the GDPR, as controllers we’re responsible and liable for the compliance of our processors (our providers) too. So, I would recommend NOT using providers that don’t offer GDPR compliant features and switching over to those that do.
2) I’m afraid you will have to remove the subscribers who don’t open your email and reply. But only if they’re based in the EU! Not a big loss anyway: you’re paying (or will be paying in the future) for them (ESP charging you fees depending on email list size) but they’re not engaging with your emails. As to the record of proof of consent, it might be true. I mean, it depends on your specific sign up forms and your specific circumstances. So, I can’t advise on whether it’s in line with the GDPR or not without knowing more. I cover this in my course where I go through each situation/option.
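The two mechanisms discussed in the replies above, an explicit (unticked) consent checkbox on a sign-up form and a “forget” action that honours an erasure request and produces a confirmation, can be modelled in a few lines of code. The following is an added example, not code from this post, from MailerLite or from any other provider; the field names (`consent_newsletter`, `policy_version`), the purposes, the in-memory store and the constructed form submissions are all assumptions for illustration.

```python
"""Consent capture and erasure helpers for a blog sign-up form.

Added example (not the post's or any provider's code). It shows:
  * sign_up(): refuses a subscription unless the visitor ticked at least one
    consent checkbox, and records WHAT was agreed to, WHEN and under WHICH
    privacy policy version, so the record can be shown on request;
  * forget(): honours a right-to-erasure request by deleting the personal
    data and returning a confirmation the blogger can pass on.
All names and values below are assumptions chosen for the example.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Constructed value: the policy version rendered next to the checkboxes.
PRIVACY_POLICY_VERSION = "2018-05-25"
# Assumed purposes; each one gets its own checkbox on the form.
PURPOSES = ("newsletter", "promotions")


@dataclass
class ConsentRecord:
    email: str
    purposes: Tuple[str, ...]   # only the purposes the visitor ticked
    policy_version: str         # policy text the visitor was shown
    consented_at: datetime      # UTC timestamp of the submission
    source: str                 # which form produced the record


class SubscriberStore:
    """Minimal in-memory stand-in for an email provider's subscriber list."""

    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}
        # Erasure log keeps a hash and a timestamp, not the address itself.
        self._erasures: Dict[str, datetime] = {}

    def sign_up(self, form: dict, source: str,
                now: Optional[datetime] = None) -> ConsentRecord:
        """Validate a submitted form and store the consent it carries.

        A checkbox key is only present (value "on") when the visitor ticked it;
        a pre-ticked or hidden field is not treated as consent because the
        browser would send it whether or not the visitor acted.
        """
        email = form.get("email", "").strip().lower()
        if not email or "@" not in email:
            raise ValueError("missing or malformed email address")
        purposes = tuple(p for p in PURPOSES if form.get(f"consent_{p}") == "on")
        if not purposes:
            raise ValueError("no consent given: subscription refused")
        if form.get("policy_version") != PRIVACY_POLICY_VERSION:
            raise ValueError("form shows a stale or missing privacy policy version")
        record = ConsentRecord(
            email=email,
            purposes=purposes,
            policy_version=PRIVACY_POLICY_VERSION,
            consented_at=now or datetime.now(timezone.utc),
            source=source,
        )
        self._records[email] = record
        return record

    def may_email(self, email: str, purpose: str) -> bool:
        """True only if a live consent record covers this purpose."""
        rec = self._records.get(email.strip().lower())
        return rec is not None and purpose in rec.purposes

    def forget(self, email: str, now: Optional[datetime] = None) -> str:
        """Honour an erasure request and return a confirmation message."""
        email = email.strip().lower()
        if email not in self._records:
            raise KeyError("unknown subscriber")
        del self._records[email]
        when = now or datetime.now(timezone.utc)
        token = hashlib.sha256(email.encode()).hexdigest()[:16]
        self._erasures[token] = when
        return (f"Subscriber data for {email} was erased on "
                f"{when.isoformat()} (privacy policy {PRIVACY_POLICY_VERSION}).")

    def erasure_count(self) -> int:
        return len(self._erasures)


if __name__ == "__main__":
    store = SubscriberStore()
    # Constructed submission: visitor ticked only the newsletter box.
    rec = store.sign_up({"email": "Reader@Example.com",
                         "consent_newsletter": "on",
                         "policy_version": PRIVACY_POLICY_VERSION},
                        source="sidebar-form")
    print(rec)
    print(store.forget(rec.email))
```

The validation is deliberately strict in one direction only: a submission with an address but no ticked box is refused rather than silently subscribed, and a form built against an older policy version is refused so the record always names the text the subscriber actually saw. The confirmation string returned by `forget()` plays the role of the screenshot mentioned above: it is what you would attach to your reply to the ex-subscriber.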
Thank you for sharing this information. I use MailerLite right now and I am wondering how you were able to make multiple checkboxes to click. My opt-in forms only give me the option to create one. I use the free version right now as I only have two subscribers. I would love some feedback on how I can add multiple checkboxes to my opt-in forms.
Thank you!
Hi Cassandra,
The GDPR features in MailerLite only work on new forms.
Hi Lucrezia,
Thank you so much for this amazing blog post. It is really informative and soooo helpful. I so agree about the emails, not all open or read to agree. However, I have one question. What do we do when we have to credit someone on our blog? Like this photo was taken by John Doe.
You sure know what you’re talking about. Everyone is going to soon be visiting your site.
This is really helpful, thanks.
Thank you for sharing this. I especially like the information on What Happens If You Don’t Comply. Look forward to seeing more from you.
Thank you for tackling such a complicated subject and explaining it in an easy to understand manner!
Thanks for this Article. This helps me out a lot!
Woah. Mindblown. I just came back to blogging and had no idea this GDPR was even a thing. This post has a lot to process at once though, so I might be back to read it again. Thanks for sharing your knowledge with us.
I all the time emailed this blog post page to all my contacts, as if like to read it, after that my friends will too.
Hello Lucrezia!
thank you so much for this incredible post. I did not know this law affects bloggers too.
I totally understand that I have to follow this new law with my blog, but I have a question:
what if I have a YouTube channel and I use affiliate marketing links? Do you know if this law affects that too?
If you know anything about it I would appreciate your help so much!
Thank you and I am a new subscriber to your blog 😀
OMG! Thank you so much for this post! I have to save this and read it later. I’m so glad I joined this group on Fb. I am a new blogger and had no idea what a GDPR is!
Hi there! I read all about this GDPR compliance earlier this year and made sure my blog was compliant, however now the sidebar of my blog looks completely ridiculous with all the wording that has to be displayed now and I am trying to figure out why no one else has the same thing? Am I misunderstanding how it is supposed to work? I also noticed that your subscribe by email doesn’t even have it. Could you please help me out? I would appreciate it so much! 🙂
Hi Bekah,
I had a look at your sidebar. You don’t need all that wording (which I assume you got from MailChimp?). You can keep it if you like, but you’re not required by law to display all that wording in that fashion. A clickable link to your privacy policy within the sign-up forms and in the footer of your blog will suffice and meet the current legal requirements.
Nice blog by the way 🙂
Great post. I love how informative you are. I also have your course, and I find that you are one of the most knowledgeable bloggers when it comes to GDPR!
I read your entire blog, it was really informative. Although I have a doubt, I have a Digital Marketing agency based in Mumbai which targets people in Mumbai ONLY. And the Law is for Europe right? Then is it necessary for me to add that to my website?
Thanks, it is quite informative