This post may contain affiliate links, which means we may receive a commission, at no cost to you, if you make a purchase through a link. Please see our full disclosure for further information. If not otherwise stated, all prices are intended in US$.
The General Data Protection Regulation (GDPR) is a new piece of EU legislation coming into force on 25th May 2018 and strengthening the protection of personal data of individuals based in the EU.
You may have heard of the GDPR by now.
Your web host or your email marketing provider may have sent you an email about what they’re planning to do on their end to comply with the GDPR.
You may have received emails from social media platforms letting you know they have updated their privacy policies and terms of service.
You may even have come across some posts about the GDPR on Facebook groups.
But do you know what the GDPR is? Has anyone told you what it means for bloggers and online entrepreneurs? What it means for YOU? How it affects YOU? What YOU need to do in order to comply?
And I’m not asking these questions for the sake of debate or conversation. These are questions you need answers to.
Because let me tell you; even if it may not seem that way, the GDPR DOES affect YOU and you need to make sure you and your blog are ready for when the GDPR comes into effect.
Or else, you may incur hefty fines of up to EUR 20 million or 4% of your annual turnover, whichever is higher!
But don’t worry, I’m here to help. I got all the answers for you. In fact, I know a lot about the GDPR.
You may know me as the co-founder of this blog and the Facebook Group Blogging for New Bloggers, but you might not know about my background and what I have been doing for a living for the past several years.
I’m a lawyer and hold a Master’s degree and a Ph.D. in… guess what? International and EU Law! I have taught EU Law in different Universities in several countries.
So, as a blogger, lawyer and EU Law lecturer and researcher, I’m well placed to go through the GDPR with you.
However, this post is meant for educational and informational purposes only and doesn’t constitute legal advice. Please read my full disclaimer. Should your circumstances require, I encourage you to seek legal advice through other avenues.
Now, let’s dive in and see what the heck this GDPR is and what it means for you.
This post is quite long, but you can use the table of contents below to navigate and skip sections. Or you can always pin it for later.
What’s the GDPR?
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), commonly known as the GDPR (thank God!) is a Regulation of the European Union which sets rules relating to the processing of personal data and enhances the right to the protection of personal data of individuals based in the EU.
Technically, the GDPR is not that new. It was passed in April 2016 and entered into force in May 2016. But it will start applying from the 25th May 2018 which means it will become enforceable on that date, and that’s why everyone is freaking out now.
Although it’s readily accessible, the regulation may sound obscure and it may be difficult to interpret the meaning of its 173 recitals and 99 articles if you’re not familiar with the legal jargon of EU institutions.
Even the full name of the regulation is kind of challenging!
So, my aim in this post is to leave aside all the legalese and mumbo-jumbo and explain in layman’s terms what the GDPR means in plain and simple English.
For the visually inclined, I also made two infographics illustrating what the GDPR means for bloggers and online entrepreneurs:
- one only detailing some of the key points applying to you for an easy read (at the top);
- the other a bit more in-depth offering an overview of some of the main rights and obligations under the GDPR (at the bottom).
If you blog about blogging or related topics, feel free to use these infographics on your own blog with a backlink to this post if you would like to share it with your audience. To make it easier for you to share it with credits and be on the right side of the law, I’ve premade a code for you. You’d just need to copy and paste the code into your blog text editor and it’s ready to go.
Does the GDPR apply to bloggers and entrepreneurs?
Yes, it does. And we will see why in a minute.
Material Scope (whom and what it applies to)
The GDPR applies to any individual, company or agency that determines the purpose of, or carries out, the processing of personal data by automated or non-automated means (with the exception of personal or household use).
Individuals, companies or agencies that determine the purpose of the processing are called controllers. Those that carry out the processing are called processors.
Bloggers and online entrepreneurs (mostly as controllers) fall within the scope of the GDPR because you do process personal data on your blog or online business.
For instance, if you have an email list, the GDPR applies to you because you are collecting, processing and storing the email addresses of your subscribers and/or your email marketing provider is doing so on your behalf.
But what if you don’t have an email list?
Incidentally, let me remind you that you should start growing an email list ASAP.
However, the main point here is: are you still bound to comply with the GDPR?
The answer is again a big fat YES.
Let me explain.
The GDPR’s definition of personal data as information relating to an individual is quite broad and includes, among other things, name, email address, identification number, location data and online identifiers.
So, even if you don’t have an email list, you are still most likely to process personal data on your blog or online business.
Just to give you a few examples:
- Contact forms (in your contact page, you may use forms requesting a name and email address)
- Comment systems (in order for users to comment on your blog, your comment system or plugin probably requires them to leave their email address and other information such as name and URL)
- Google Analytics or other analytics tools (they track tons of information relating to your users, including their location)
- Many other tools and plugins
- E-commerce transactions
- Affiliate portals
- Membership areas
- Ads targeting
Under the GDPR, you’re not only required to comply with the new rules yourself but you’re also responsible for ensuring that the plugins and external providers you use equally comply with the GDPR.
Territorial scope (where it applies)
Since the GDPR is an EU regulation, it obviously applies to bloggers and online entrepreneurs based in the European Union.
The GDPR clearly states that the regulation applies to the processing of personal data in the context of the activities of an individual, company or agency in the Union, regardless of whether the processing takes place in the Union or not.
The GDPR has relevance for other countries such as Iceland, Liechtenstein and Norway which are not in the EU but are in the European Economic Area (EEA).
But what if you’re a blogger or online entrepreneur based in a country which is not part of the European Union or the EEA? Does the GDPR still apply to you?
The answer is – surprise! surprise! – again a YES.
In fact, the GDPR also clearly states that it applies to the processing of personal data of individuals who are in the European Union by an individual, company or agency not established in the EU, where the processing activities are related to:
- the offering of goods or services to individuals in the EU, irrespective of whether a payment is required; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU.
From this statement we can infer three main key points:
- If your blog or online business gets visitors, clients or subscribers who are based in the EU, the GDPR may apply to you. You’re based in the US, in India, in Canada, in Nigeria, or in Australia, like myself? It doesn’t matter. Wherever in the world you’re based, if you target individuals in the EU or monitor their behaviour, you’re bound by the GDPR. You can read more about how the GDPR applies to bloggers here.
- The GDPR applies to you even if you are not generating an income from your blog or online business.
- If you’re not based in the EU, the GDPR only applies to you if you either target users based in the EU or monitor their behaviour.
But what do “targeting users based in the EU” or “monitoring their behaviour” actually mean?
Does it mean that if a user based in the EU visits your site, you’re bound to comply with the GDPR even if you’re based in the US or Australia? Does it mean that if someone based in the EU subscribes to your newsletter, then the GDPR automatically applies to you? Or does it mean that you must specifically say that you’re targeting EU based users for the GDPR to apply to you? Or does it mean anything in between?
Luckily, the GDPR itself gives some pointers about what this actually means.
Recital 23 clarifies that in order for the GDPR to apply, it needs to be apparent that your website envisages offering goods or services to users based in the EU.
- The mere accessibility from the EU of the website, an email address or other contact details; or
- The use of a language generally used in the country where you’re based
are not enough for the GDPR to apply to you if you’re not based in the EU.
By contrast, factors such as
- the use of a language or a currency generally used in one or more States of the EU; with the possibility of ordering goods and services in that other language; or
- the mentioning of customers or users who are in the EU
may make it apparent that you envisage offering goods or services to users based in the EU and therefore the GDPR will apply to you.
As to the monitoring of the behaviour of users based in the EU, Recital 24 clarifies that it needs to be ascertained whether users are tracked with subsequent use of techniques consisting of profiling, particularly in order to take decisions concerning them or for analysing or predicting their preferences, behaviours and attitudes.
So, to translate the above statement into plain English and give you an example of the extent of these provisions: using Google Analytics won’t in itself automatically make you bound to comply with the GDPR, whereas running ads with behavioural targeting techniques might.
So, I’m sorry to break it to you but even if you’re a new blogger just starting out, if you’re either targeting EU users or monitoring their behaviour, the GDPR does apply to you and you may need to make some changes to comply.
Of course, the GDPR dictates different rules and obligations depending on whether the processing of personal data is carried out on a small or large scale by a solo entrepreneur or an enterprise.
For example, the designation of a Data Protection Officer (DPO) and appointment of an EU representative is mandatory only when the processing is regular and systematic, and when processing particular categories of data on a large scale. On the contrary, if the data processing is either occasional, not of a sensitive personal nature, or unlikely to result in a risk to the rights and freedoms of people, it’s not a mandatory requirement.
But the core principles and obligations of the GDPR apply to all individuals, companies and agencies involved in the processing of personal data either based in the EU or offering goods or services to individuals based in the EU, regardless of their size or whether payment to access their services is required.
Even when the processing of data is occasional or carried out on a small scale, the core principles and obligations of the GDPR are legally binding.
So, tough luck, my friends, we need to get to work and make the necessary changes to be compliant.
Let’s see what’s expected of us.
What do you need to do in order to comply with the GDPR?
The GDPR introduces many new obligations which also apply to bloggers and online entrepreneurs. They include
- the way consent can be obtained lawfully
- the duty to disclose how data are collected, stored and processed
- a series of rights that need to be guaranteed to users and subscribers
- a series of obligations you need to uphold
- and much more.
They’re all legally binding and what used to be lawful won’t necessarily continue to be so after the GDPR comes into force on 25 May 2018.
Processing of personal data under the GDPR is lawful only if and when at least one of the conditions listed in Article 6.1 is met.
Among these conditions, the most relevant to bloggers is consent so, for the purpose of this post, we will focus on consent.
In relation to consent, the GDPR states that processing of personal data of EU individuals is legal only when they have given consent to the processing of their personal data.
You may think that you’re already applying this principle and so on this point, you’re covered.
Well, I’m sorry to be the bearer of bad news again, but this couldn’t be further from the truth.
Most blogs and websites (including my own – but, hey, I’m working on it and will be ready by the deadline of 25 May 2018!) are currently not compliant with the GDPR.
That’s because the way you can obtain consent lawfully under the GDPR is quite different from what is currently considered legal.
The requirements are more stringent and what used to be lawful before won’t necessarily continue to be so under the GDPR.
Let’s start by looking at what the GDPR considers consent and how you can obtain consent in line with the GDPR provisions.
Bear with me for a second while we go through some technical points. I promise I will translate this into plain English.
First of all, consent must be freely given, specific, informed and unambiguous.
If consent is given in the context of a written declaration which also concerns other matters, the request must
- be made in an intelligible and easily accessible form,
- use clear and plain language, and
- be presented in a manner which is clearly distinguishable from the other matters.
Written declarations can be made by electronic means and by ticking a box (pheww!).
In all circumstances, consent should be given by a clear affirmative action.
In addition, at the time when the personal data are collected, you need to provide detailed information on many aspects of the processing of personal data you’re carrying out including (but not limited to)
- your contact details and those of your representative in the EU (where applicable),
- the contact details of a DPO (where applicable),
- the purpose and legal basis of processing personal data,
- for how long their personal data will be stored,
- whether you will be transferring their personal data to third parties,
- the right to withdraw consent at any time,
- the right to lodge a complaint with a supervisory authority.
Moreover, parental consent needs to be obtained in the case of users 16 years of age or younger. Each EU State may lower the age requirement by law, as long as it’s not below 13 years.
Alright, enough with the mumbo-jumbo!
We can breathe now.
So, what are some practical implications of these provisions for bloggers and online entrepreneurs?
Let’s start with a real-life example. Let’s say you would like to offer a freebie to encourage readers to sign up for your newsletter.
At the moment, many bloggers are using a sign-up form that looks like this:
But bad news: while this kind of sign-up form is okay now, it is not compliant with the GDPR.
Remember, under the GDPR, at the time you collect personal data, you need to provide your users with information relating to the way you will be storing and processing their personal data, their rights under the GDPR and the obligations you uphold.
But don’t be scared. I know what you’re thinking: if every time you collect some personal data, you need to provide all this information, your users will be put off for sure.
In order for this form to be compliant with the GDPR, you need to keep in mind that
- You can’t use pre-ticked boxes
- If they don’t tick the box, you cannot process their personal data
- Only by ticking the box do they agree to your policies relating to the processing of their personal data.
This is because under the GDPR, consent must be given freely by a clear affirmative act.
Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.
On top of that, here comes more bad news: the purpose of you creating this awesome freebie was so that you could add your user to your list of subscribers to your newsletter in exchange for your freebie, right?
Well, sorry to disappoint but it will no longer work that way.
By using a form similar to the one we discussed above, you are only obtaining consent from your users to process their personal data to send them the freebie. They did not give you consent to be added to your newsletter, and you cannot add them.
If you want to add them to your newsletter, you have two options: either you request separate consent in the same sign-up form or if you have a double opt-in, you can request separate consent in the email you will be sending to confirm their sign up.
But please keep in mind that under the GDPR, when you’re requesting consent for separate matters, each request must be distinguishable and you can’t bundle them.
So, for example, the form below would not be GDPR compliant because you’re bundling your request for both matters in one request.
Instead, you will have to use a form like this one below where the requests are kept separate and distinguishable.
Under the GDPR, you will no longer be able to make subscribing to your list a condition to redeem your freebie – however awesome it may be.
This means that there is the possibility that you may need to give the freebie without having your users sign up for your newsletter in exchange.
If they tick a box or click on a link or button to give consent to processing their data for the purpose of sending the freebie but they do not tick the separate box or click on the separate link or button to give consent to processing their data for the purpose of adding them to your newsletter, you cannot add them.
You need to have separate consent for each matter. And you cannot have them join your newsletter as a condition to retrieve the freebie. So you can’t have pre-ticked boxes or a system where if they don’t tick the newsletter box, they can’t continue.
I mean, Article 6.4 states that processing for another purpose may be compatible with the purpose for which the personal data were initially collected if you are able to determine so by taking into account a series of factors such as
- any link between the two purposes;
- the context and the relationship between you and your user;
- the nature of the personal data;
- the possible consequences of the intended further processing;
- the existence of appropriate safeguards such as encryption or pseudonymisation.
So, some are arguing that adding your user to your newsletter was compatible with the initial purpose of processing their personal data to send the freebie.
But while this may be true for the processing of data on a different legal ground (e.g. legitimate interest), Article 6.4 does not apply when the processing is based on consent.
Generally speaking, until there are some clear guidelines on this, some case law and/or an established practice by the big players in the email marketing industry after the GDPR starts to apply, I personally wouldn’t take the risk of following loose interpretations of the regulation; I would rather stick with strict compliance, albeit more onerous. I mean, better safe than sorry, right?
And if it’s true, on one hand, that this way your email list will grow less quickly, on the other hand, you will have a more engaged email list composed entirely of subscribers who truly wanted to join and weren’t “bribed” by your freebie.
Considering the costs associated with the size of your email list, it’s not necessarily a bad thing to miss out on those potential subscribers who won’t engage with your message, won’t open your emails and definitely won’t convert.
Also, keep in mind that the forms above are just examples for illustrative purposes. As long as the request for consent to process personal data is clear and in plain language, you can be less stiff and more creative in enticing users to subscribe to your newsletter.
Finally, let’s have a look at another form.
This form is not GDPR compliant because there are too many fields requesting information that are not strictly necessary to achieve the designated purpose.
In order to fully comply with the GDPR, you need to apply the principles of privacy by design and privacy by default at every stage of the data processing, including when determining the means of processing and at the time of the processing itself.
This means that at any stage of the processing, you need to give high priority to your users’ privacy and the protection of their personal data.
You are required to implement technical and organisational measures, such as pseudonymisation and data minimisation, and ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
According to the data minimisation principle, you can only request personal data which are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In our example, your purpose is to send your awesome freebie to your user by email so requesting other information such as their phone number or their city in addition to their email address is not necessary and is therefore against the GDPR provisions.
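The consent-form rules above (no pre-ticked boxes, one distinguishable request per purpose, the freebie never conditioned on the newsletter) and the data minimisation rule just discussed are easy to get wrong in the code behind a sign-up form, so here is an added example of how a form can be checked and a submission handled. This is not code from the original post or from any email marketing provider; the purpose names, field names and label texts are assumptions for the demo.

```javascript
// Added example, not code from the original post: a form model and submission
// handler that enforce the consent rules described in the text (no pre-ticked
// boxes, one request per purpose, the freebie never conditioned on the newsletter)
// and data minimisation (keep only the fields a purpose needs).
// Purpose names, field names and label texts are assumptions.

// Each purpose you ask consent for, with the fields it genuinely needs.
const PURPOSES = {
  freebie: { text: "Email me the free checklist", fields: ["email"] },
  newsletter: { text: "Also send me the weekly newsletter", fields: ["email", "firstName"] },
};

// One consent checkbox as rendered on the form: the purposes it covers,
// whether it starts ticked, and its plain-language label.
function checkbox(purposes, text, checked = false) {
  return { purposes, text, checked };
}

// Review a form definition before publishing it. Returns the list of problems
// found; an empty list means the consent controls follow the rules.
function reviewForm(controls) {
  const problems = [];
  controls.forEach((c, i) => {
    if (c.checked) problems.push(`control ${i}: pre-ticked box (consent needs an affirmative act)`);
    if (c.purposes.length > 1) problems.push(`control ${i}: bundles ${c.purposes.join(" + ")} into one request`);
    if (!c.text || !c.text.trim()) problems.push(`control ${i}: no plain-language label`);
  });
  for (const purpose of Object.keys(PURPOSES)) {
    if (!controls.some((c) => c.purposes.includes(purpose))) {
      problems.push(`purpose ${purpose}: no separate consent control`);
    }
  }
  return problems;
}

// Handle one submission: `fields` are the values typed in, `consents` maps each
// purpose to its checkbox state (true only if the user ticked it).
// Returns the actions the given consent allows, each with the minimised data
// for that purpose, plus the submitted fields that were dropped.
function processSignup({ fields = {}, consents = {} }) {
  const granted = Object.keys(PURPOSES).filter((p) => consents[p] === true);
  if (granted.length === 0) {
    // Silence, an unticked box or inactivity is not consent: process nothing.
    return { ok: false, reason: "no consent given for any purpose", actions: [], dropped: Object.keys(fields) };
  }
  if (!fields.email) {
    return { ok: false, reason: "an email address is needed to deliver anything", actions: [], dropped: [] };
  }
  const actions = granted.map((purpose) => {
    const data = {};
    for (const f of PURPOSES[purpose].fields) {
      if (fields[f] !== undefined) data[f] = fields[f];
    }
    return { purpose, consentText: PURPOSES[purpose].text, data };
  });
  // Data minimisation: anything no granted purpose needs is discarded, not stored.
  const needed = new Set(granted.flatMap((p) => PURPOSES[p].fields));
  const dropped = Object.keys(fields).filter((f) => !needed.has(f));
  return { ok: true, reason: null, actions, dropped };
}

// Constructed demo: a compliant form and a submission ticking only the freebie box.
const compliantForm = [
  checkbox(["freebie"], PURPOSES.freebie.text),
  checkbox(["newsletter"], PURPOSES.newsletter.text),
];
const demo = processSignup({
  fields: { email: "reader@example.com", firstName: "Sam", phone: "555-0100", city: "Lisbon" },
  consents: { freebie: true, newsletter: false },
});
console.log("form problems:", reviewForm(compliantForm));
console.log("result:", JSON.stringify(demo));
```

With the freebie box ticked and the newsletter box left empty, the result contains a single `freebie` action carrying only the email address; the phone number and city are reported as dropped and never reach storage, and no newsletter action exists to act on.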
All the core principles and obligations that we have seen so far apply to every aspect of requesting consent lawfully under the GDPR and you will have to follow and apply them in any situation where you will be processing personal data of your users.
So, for example, you will have to apply the same rules and apply the same principles to your cookie pop-up, your comment system, your giveaways and your e-commerce store.
Due to the large number of obligations and enhanced rights introduced by the GDPR and the complexity of its provisions, it would be impossible to go through each example in a single blog post.
However, I created a GDPR compliance e-course for bloggers (paid) where I go in detail for each provision of the GDPR and provide examples, templates and checklists for each action you will need to undertake to ensure full compliance.
Cutting it too close to the deadline of May 25th?
Not at all.
My course comes with an overview of the key GDPR provisions relevant to bloggers and a step-by-step action plan to make your blog fully GDPR compliant in no time.
Each action step can be tackled in 15 to 30 minutes or less.
Plus, my course is not limited to the steps you need to take before May 25th but also includes instructions on how to uphold your ongoing obligations, how to act upon a request from one of your users or subscribers exercising one of their rights protected by the GDPR, and what to do in the unfortunate event of a breach.
It will also be updated with future legislative developments such as, for example, the regulation on privacy and cookies expected to come into force in 2019.
You will have lifetime access to current and all future versions of the course at no extra cost to you.
A double opt-in is not per se a requirement for obtaining consent lawfully under the GDPR.
A single opt-in system which uses a GDPR compliant form is still a lawful way to obtain consent.
However, under the GDPR, you’re also required to be able to demonstrate that you have obtained consent to the processing operation.
So, I would recommend activating a double opt-in for the purpose of keeping evidence of consent.
The burden of proof is on you and by storing the paper trail of the double opt-in where users/subscribers/customers have validated their consent, you can easily prove that that specific individual has consented to you processing their personal data for that specific purpose.
Existing users and subscribers
The other issue that we will have to take into account when making our blog GDPR compliant is that the GDPR doesn’t apply exclusively to the processing of personal data after it comes into effect on 25 May 2018, but you also need to make sure that the consent obtained before the GDPR meets the conditions set out in the GDPR.
So, now that we know what’s expected of us under the GDPR in terms of lawful consent, we will also have to check whether your previous sign-ups were GDPR compliant and whether you have records of the lawfully obtained consent.
If your previous sign-ups were compliant and you have records, that’s great! You don’t have to do anything.
If not – which is most likely – you will have to revalidate all of your EU subscribers now.
Since you can’t be 100% sure which ones of your subscribers are from the EU (even if you have access to their IPs), just to be safe, I would revalidate all your subscribers.
But I’m not an IT expert. So, if your email marketing provider assures you that you can be 100% sure of the location of your subscribers, since the GDPR only applies to individuals based in the EU, you are allowed by law to revalidate your EU subscribers only.
However, keep in mind that YOU, as the controller, are responsible for making sure your blog is compliant and also that all your external providers (processors) involved in the processing of the personal data of your users comply too. So, if something goes wrong, you are the one liable, not your email provider. So, when in doubt, err on the safe side even if it’s more onerous for you.
I use MailerLite and they have released a pre-built template which comes in handy to revalidate subscribers.
This template is fully customizable but please don’t delete the unsubscribe button. Under the GDPR, it must be as easy to withdraw as to give consent so you do need to keep both options.
Also, remember that as I mentioned earlier, consent must be given freely and by a clear affirmative action. Silence or inactivity don’t constitute consent.
So, if your subscribers don’t click on the button to revalidate their consent by 25 May 2018, you will have to remove them from your list.
If you use a different email marketing provider, you can check this thorough post on GDPR and email marketing by Peter Nyiri of FunnelXpert which discusses what the most popular email marketing providers are planning to do to comply with the GDPR.
Expanded rights for individuals
The GDPR includes a range of new and enhanced rights for individuals.
We have already discussed how we need to provide information to our users on how, why and for how long we will be processing their personal data. Other rights include
Right of access
Users are entitled to ask you how you are using their data and for what purposes. If you receive a request of this type, you must provide a personal data report at no cost to them.
Right to erasure
Users have the right to be forgotten and they’re entitled to ask you to delete all data associated with them. This means that an unsubscribe button is not enough. If you receive a request of this type, you are required to delete all the data stored in your database.
Right to data portability
Users are entitled to request their data. If you receive a request of this type, you will need to download a file of all their data in a commonly used and machine-readable format, e.g. PDF, JSON.
MailerLite allows you to download your subscribers’ data in a GDPR compliant format.
The right to data portability also means that once users obtain their data from you, they are entitled to transfer them to another blogger or online entrepreneur.
Other enhanced rights are
- the right to rectification;
- the right to restrict processing;
- the right to object;
- and rights in relation to automated decision making and profiling.
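The right of access, right to erasure and right to data portability described above each need the same first step, finding everything you hold about one person across all the places you hold it, so here is an added example of the three requests handled against a constructed record set. It is not code from the original post or from MailerLite; the table names, field names, purpose and retention texts are assumptions for the demo.

```javascript
// Added example, not code from the original post: handling access, portability
// and erasure requests against a constructed record set. An "unsubscribe" flag
// on the mailing list is not erasure; the request has to reach every table that
// holds something about the person. Table and field names are assumptions.

// Constructed sample data spread over several tables, as a blog typically has.
function sampleDatabase() {
  return {
    subscribers: [
      { email: "reader@example.com", firstName: "Sam", subscribedAt: "2018-03-01", status: "active" },
      { email: "other@example.com", firstName: "Kim", subscribedAt: "2018-03-05", status: "active" },
    ],
    comments: [
      { id: 1, email: "reader@example.com", name: "Sam", body: "Great post", ip: "203.0.113.7" },
      { id: 2, email: "other@example.com", name: "Kim", body: "Thanks!", ip: "198.51.100.9" },
    ],
    downloads: [
      { id: 7, email: "reader@example.com", file: "checklist.pdf", sentAt: "2018-03-01" },
    ],
  };
}

// Constructed purpose and retention descriptions per table, for the access report.
const TABLE_INFO = {
  subscribers: { purpose: "sending the newsletter you consented to", retention: "until you unsubscribe or withdraw consent" },
  comments: { purpose: "displaying your comment under the post", retention: "while the comment is published" },
  downloads: { purpose: "delivering the freebie you requested", retention: "30 days after delivery" },
};

// Collect every record linked to the person, table by table.
function findAllData(db, email) {
  const out = {};
  for (const [table, rows] of Object.entries(db)) {
    const mine = rows.filter((r) => r.email === email);
    if (mine.length) out[table] = mine;
  }
  return out;
}

// Right of access: a report of what is held, which fields, for which purpose
// and for how long. Provided free of charge on request.
function accessReport(db, email, now = new Date()) {
  const data = findAllData(db, email);
  return {
    subject: email,
    generatedAt: now.toISOString(),
    categories: Object.entries(data).map(([table, rows]) => ({
      category: table,
      fields: Object.keys(rows[0]),
      purpose: TABLE_INFO[table].purpose,
      retention: TABLE_INFO[table].retention,
      recordCount: rows.length,
    })),
  };
}

// Right to data portability: the person's own data in a machine-readable format (JSON).
function exportPortable(db, email) {
  return JSON.stringify({ subject: email, data: findAllData(db, email) }, null, 2);
}

// Right to erasure: remove the person from every table, not just the mailing
// list. Returns counts per table so the deletion can be confirmed to the requester.
function erase(db, email) {
  const removed = {};
  for (const [table, rows] of Object.entries(db)) {
    const keep = rows.filter((r) => r.email !== email);
    const n = rows.length - keep.length;
    if (n) removed[table] = n;
    db[table] = keep;
  }
  return removed;
}

// Constructed demo run: report, export, then erase one reader.
const demoDb = sampleDatabase();
console.log(JSON.stringify(accessReport(demoDb, "reader@example.com"), null, 2));
console.log(exportPortable(demoDb, "reader@example.com"));
console.log("erased:", erase(demoDb, "reader@example.com"));
```

The erase counts show why an unsubscribe button is not enough: in the sample, the reader exists in three tables, and a mailing-list flag would have touched only one of them. The other subscriber's records are untouched by the request.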
Right to lodge a complaint and right to compensation
In addition to these rights, your users also have the right to lodge a complaint with a supervisory authority against you if they consider that the processing of their personal data doesn’t comply with the GDPR.
They also have the right to an effective judicial remedy, to bring legal proceedings before the courts, and to receive compensation if they’ve suffered monetary or emotional damage as a result of non-compliance with the GDPR.
Basically, they can sue you and get you to pay compensation.
And this is on top of the administrative fines up to EUR 20 Million you may incur.
What happens if you don’t comply?
The obligations introduced by GDPR are not limited to those I have mentioned so far.
Under the GDPR you are required to uphold many more obligations, including
- Carrying out assessments
- Implementing data protection by design and by default
- Where applicable, designating a DPO and appointing a representative in the EU
- Keeping records of processing activities
- Ensuring security standards
- Notifying breaches to supervisory authorities within 72 hours
- Communicating breaches to involved users.
With so much to learn and implement, it’s easy to get overwhelmed and I understand you may feel tempted to not comply with the GDPR.
But you need to keep in mind that the GDPR is the law, so it’s not really up to you to decide.
If you don’t comply, you will be doing something illegal.
Besides the ethical implications, you may risk very steep fines (up to EUR 20 000 000 or 4% of your annual turnover – whichever is greater).
And if you’re thinking “yeah, but the GDPR is going after the big fish like Facebook and Google, not a small blog with 500 subscribers”, think again!
It’s not so much that some zealous EU officials may stumble upon your blog; it is more that your users have the right to lodge a complaint against you to the EU supervisory authority and/or sue you.
It takes one unhappy subscriber to get you in trouble.
Plus, if large companies like Facebook or Google may survive hefty fines in the range of millions (they have in the past), the same can’t be said for a new blogger just starting out.
It can just take a fine of a few thousand dollars to tank your business for good.
If you’re not based in the EEA, you may be tempted to make your blog or online business inaccessible to the users from the EEA.
After all, since the GDPR applies only to the processing of data within the EEA or of individuals based in the EU, if you don’t process data of individuals based in the EU, you won’t need to comply.
But, apart from the fact that you may never be 100% sure that your users are not based in the EU, are you really sure you want to lose the traffic from about 30 very populous countries?
Finally, you may be tempted to apply different privacy standards to your users from the EU and your other users.
I’m not a big fan of this approach either.
And that’s for several reasons.
- Because, again, you can’t be 100% sure of the residency status or location of your users. And remember, it takes one unhappy user to get you in trouble.
- Because the GDPR has resulted – and will result even more in the near future – in a big shift worldwide in the way personal data will be processed. All big social media platforms such as Facebook, Instagram and Twitter have already changed their privacy policies to comply. Google Analytics has already implemented measures and so have thousands of other companies. Even WordPress is planning to release a new version with GDPR compliant privacy tools in core. If everyone else is updating their policies and systems for all users, you don’t want to be the only one left looking spammy, do you?
- Under the GDPR, you are not only required to comply with its provisions but also to make sure your partners, plugins and external providers do. If your blog or online business is not GDPR compliant, brands and providers may not want to work with you.
- Because due to the close relationship, partnership and collaboration between the EU and other countries, national legislation of other countries may change in the next years to catch up with the GDPR to the point that the data protection set by the GDPR will be the standard in most countries. Do you want to work on your compliance again once it becomes national law in your own country?
- And most importantly, because it’s the right thing to do. The GDPR strengthens the rights of all of us as consumers and we should be pleased that our consent to the processing of our personal data has finally been formally enforced in some way.
So, let’s recap. What happens if you don’t or partially comply with the GDPR?
- It’s illegal
- You can get fined
- Users can lodge a complaint against you and sue you
- You may lose traffic, clients and sponsored opportunities
- You may look spammy
- You may have to work twice on your compliance.
So, start working on your compliance with the GDPR now!
When do you need to comply by?
You have until the 25 May 2018 to finalise your compliance.
But this deadline is just the beginning.
After that, you will need to maintain records, undertake actions and carry out duties as per GDPR requirements in terms of the rights of access, right to data portability, obligations in case of breach and so on.
Basically, under the GDPR, you will have ongoing obligations for the rest of your blogging life.
Plus, further pieces of EU legislation, such as the E-Privacy Regulation, may come into force in the not so distant future.
Here are a few things you can do to make sure your blog or online business is ready by the deadlines:
- Get some plugins like the GDPR plugin or the GDPR Framework plugin to start familiarising yourself with what you need to do. Please keep in mind that even if you install a plugin, you will still need to know what you’re required to do under the GDPR and fill out the boxes, fields and forms accordingly.
- If you don’t have it already, get an SSL certificate for your website (basically, switch from HTTP to HTTPS) to make it secure. Unlike other web hosts, Siteground offers FREE SSL certificates included in their hosting fees.
- Research and learn as much as possible but please be mindful of the reliability of your sources. There is so much conflicting advice out there at the moment and I have personally come across some advice that was plain wrong. Given the steep fines and what’s at stake, I would make sure you don’t rely on random posts and articles but that you carefully check your sources.
- Consult with a lawyer, if necessary. Yes, it may be expensive but if your circumstances are particularly complex, I would consider making the investment.
- Consider expanding your education and enrol in a good course. It will give you peace of mind and at the same time, will save you money, headache and tons of time that could be better spent writing your posts and growing your business.
As I mentioned earlier, I’ve created an e-course (paid) where I go in detail for each provision of the GDPR and provide examples, templates and checklists for each action you will need to undertake to ensure full compliance.
It will cover all aspects of your compliance, all principles and legal requirements, and all ongoing obligations and responsibilities under the GDPR that couldn’t possibly be addressed in one single blog post without it becoming super overwhelming.
The great thing about the course is that you will be able to learn and implement at your own pace and you will be able to go back to it every time you receive a request from your users related to their rights under the GDPR.
Good luck with your compliance and if you have any questions about the GDPR, go ahead and leave a comment below.