Welcome to our complete guide to help you understand GDPR for bloggers. While you may think, hey I’m just a small blog I don’t need to worry about this, I’m here to tell you that you still hold people’s data and you need to make sure you are doing so properly. Hopefully this guide makes sense of all that and helps guide you on what data you store, how you collect it and how the third party services you use do the same.
Complete Guide to GDPR for Bloggers
Before I start, I bet you’re thinking…who the hell am I to tell you what to do? Well, honestly, I don’t have any special expertise, my day job is in information management but I am but a lowly cog. What I can offer is my own interpretation after having read in depth on the subject. I have looked at the advice given by the ICO, the legislation itself as well as lots of articles.
If you run a blog, then you have probably heard some ominous whispers about something called GDPR – the General Data Protection Regulations, which are set to take the place of the current Data Protection Act. It sounds scary with people lobbing phrases like data controller, data processor, sensitive personal data, personal data and privacy notices at you. Especially when followed on by a vague threat of a 20 Million euro fine if you don’t comply with this mysterious and indecipherable “GDPR”.
However, GDPR isn’t the monster under your bed or the bogeyman in your closet. It’s an about-time update on current data protection legislation which will help protect your personal information in a digital age. What that means as a consumer is that you don’t get bombarded by spam and that any breaches in regard to your personal data are taken far more seriously and have more serious consequences. Which is great! I know I am sick of having harassing phone calls from cold callers, or loads of email on things I have zero interest in.
So, I am going to break this down to what I have found to be relevant to Under the Covers and how this is going to affect our processes going forward. As I said, I am not a legal expert, I am just someone with a brain who has read a lot on the legislation, including some of the legislation itself, and applied it as seems to fit Under the Covers’ needs.
The chances are that it will affect you. Although the GDPR is legislation for the EU it applies to all companies if they have any customers within the EU. So if you have readers from outside the US and in the EU then you need to take notice.
**Please note, I reference the ICO (Information Commissioner’s Office) a lot. The ICO is the governing body in the UK responsible for the GDPR. As a Brit, it is the organisation I am familiar with and whose website I used to gather the information in this post**
What is personal data?
As a blogger the GDPR means that there are some steps you need to take to ensure that you are treating people’s personal information correctly. First of all, you will need to establish if you even hold any personal data, to do that lets define what exactly personal data is:
“…meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
ICO Website
So, personal data is anything that can be used to identify someone, this includes: name, address, email address, IP address, phone number etc.
There is also another category of personal data called sensitive personal data or special categories of personal data. As a book blogger this isn’t something I will generally have to worry about. However, it’s important to know what it is and what it includes as sensitive personal data requires more measures to be put in place (for obvious reasons). Sensitive personal data includes: genetic data, bio-metric data, personal data relating to criminal convictions, information on sexuality, political believes etc. Also, again for obvious reasons, personal data on children requires extra measure.
My thoughts…don’t collect sensitive/special category personal data or information on children.
I’m now going to share with you a checklist/the order in which I considered GDPR when applying it to Under the Covers. This will include the questions I asked myself, the different aspects I considered and I will add some of the solutions that I came up with.
Do I hold any personal data?
Do you hold any personal data?
When looking at Under the Covers, we established, yes we hold personal data. We found the personal data we held was mainly names, email addresses, IP addresses and some postal addresses. This means that GDPR applies to us and we need to ensure we are compliant.
The chances are, that any blogger will have at least people’s name, IP and email addresses. Ask yourself:
- Does your comments section require an email address and name?
- Do you have a newsletter?
- Do you hold giveaways?
- Do you use Google forms or any kind of form?
- Do you use Google Analytics?
If you do any of these things then you WILL have people’s personal data and you WILL need to take notice of the GDPR.
Do I need to register with the ICO?
Check whether or not you need to register with the ICO. Anyone who gathers and/or processes personal data needs to do this. So if you answered “Yes” to the above then you need to do this.
The below ICO self-assessment tool will give you a definitive answer:
When I did this for Under the Covers we did NOT need to register.
What are the principles?
By now, you should know whether you hold any personal data and if you need to register with the ICO. What would be a really useful exercise now is to familiarise yourself with the basic principles of that underpin the GDPR. These principles all need to be complied with and all the complicated and seemingly indecipherable legislation has these responsibilities at its core:
**Italics is a direct quote from Article 5 of the GDPR, underneath is my interpretation and how I am applying this to Under the Covers.**
“All personal data must be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
When it says “processed” it basically means used. So when you USE the personal information, aka send your newsletter, do a giveaways, analyse your user data etc, you must do it in a fair and transparent manner. Don’t do anything underhanded with the data and don’t do anything you haven’t explicitly said you were going to do. Also, you must process it lawfully. Lawful processing is something I have dealt with separately in a later section in this post under “What is your lawful basis?”.
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
Okay, so lets break this down:
“…collected for specified, explicit and legitimate purposes…”
The purpose is a way of saying the reason you have asked for the data. So when you ask for personal data you must have a specific and explicit reason why and it must be essential for carrying out the purpose. For example, requesting a home address so you can send a giveaway prize to someone. In that example sending the giveaway prize is the “legitimate purpose” and I am asking for very specific and explicit personal information – an address to send the giveaway prize.
“…not further processed in a manner that is incompatible with those purposes.“
Once you have collected it you can only use it for the purpose you specifically and explicitly stated. So continuing the theme of sending a giveaway prize. Once I have obtained the postal address of my winner, I can’t then use that postal address for anything else other than sending the giveaway prize.
However, there is some scope in this, for example, Under the Covers have collected email addresses specifically for the purposes of sending a daily newsletter. When we collected this data we were very transparent and our users knew that by entering their email address in our subscribe box, they would receive a daily newsletter. We cannot use the email addresses for any other purpose than sending a newsletter.
However, we have recently changed our newsletter from daily to weekly so although the frequency has changed the purpose has not so this would be “compatible” under the purpose. BUT, if we were changing from weekly to daily I would regain consent as suddenly receiving 7 emails a week compared to 1 seems questionable in relation to transparency and general decency!
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
When collecting personal data, collect only what you need for the purpose i.e. so it is adequate, relevant and limited. Don’t collect any extra data “just in case”. You should collect the minimal necessary amount for the “purpose”. For example, a giveaway, you should only collect a name and an email address as that is the minimal amount needed to enter into the draw. You shouldn’t also collect all the entrants’ postal address as well “just in case they win”. Instead you would collect the postal address (obviously only relevant if you are sending a physical prize!) from the winner after the giveaway has ended.
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
All personal data must be kept accurate and up to date. If possible give people the option to amend their own email address and when notified of any changes ensure you update this as quickly as possible. This is also ties into principle (e) below.
You must also go a step further, if someone wants their personal information deleted you must do so as quickly as possible. This is also ties into principle (e) below. Unsubscribing would also come under this, there must be a visible and simple way to unsubscribe.
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
Basically, keep your shit organised. You need to know where you have your personal data stored and you have to be able to identify whose data is whose. This covers electronic and paper records. You can’t just have a jumbled mess. This ties into the principle (d), how can you know you have deleted or amended someone’s personal data if you don’t know where it is? You must also not keep people’s personal data for no longer than necessary for the purpose.
For example, this exemplary giveaway, you are sending a physical prize and therefore you have to collect a postal address. Once you have sent that prize and the winner has received it, the address has fulfilled its purpose and should now be deleted.
At Under the Covers we are implementing a set process for this:
- We contact the winner informing them of the happy news of their win and ask for their postal address so we can send the goodies.
- Once the winner gets back to us with their address we send the prize.
- We will let the winner know and inform the winner that we will keep their address for the next 3 months or until they confirm they have received their prize, whichever is first.
- If after 3 months we haven’t heard anything then we will delete their address information. If the winner gets back to us after the 3 months then we will not resend the prize. If we are told within the 3 months we will – with unique items such as signed books this isn’t always possible, be we will sendsomething. The winner will be informed of this in the initial email informing them we have sent the prize. This makes the process transparent for all parties.
Why 3 months you ask? Well sometimes things get lost in the post and we have to send the prize out again and therefore the “purpose” hasn’t been fulfilled. Upon discussion we thought 3 months was enough time for everyone, including international winners, to realise that this hasn’t been received and get back to us. It may be harsh but we feel it is a reasonable amount of time and we have to have a cut off somewhere. As per the GDPR we cannot hang on to personal data indefinitely.
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
If (e) was “keep you shit organised” then (f) is keep your shit safe. It seems really obvious. Make sure that you use strong passwords on your data. Make sure that only those who need access have access. Make sure you have antivirus and protection software on your computer. If you need to send personal data then make sure you find a secure way of doing it, password protect the file, use a shared drive; don’t just email it. If you have physical files, make sure they are secured in a locked cupboard and the key is in a safe place.
What’s your lawful basis?
Before I go into the the lawful bases, I need to stress, you should only collect personal data if it is NECESSARY for the purpose. If it isn’t necessary and there is another way of fulfilling the purpose, even if it is a process you don’t want to do, then it doesn’t matter what lawful basis you quote. You would have broken principle (a) of the GDPR: that information is processed lawfully.
When reviewing your personal data, you need to establish the lawful basis in which you are collecting and processing it. It sounds complicated, but under GDPR there are a choice of six. Of that six, only two are relevant and those are the ones that I am going to talk about. You need to have a lawful basis and you should make yourself familiar with the one you are using. Once you have decided which lawful basis is best for collecting and using personal data, you need to stick with it. To swap your lawful basis later on you must have a very good reason.
However, you can use more than one lawful basis, you just need to know which ones you are using for what and document it clearly. It will become a lot clearer as you read on!
Once you have established what your lawful basis is, you must document this and add ensure this is on your Privacy Notice (I will go into Privacy Notices later on in this post).
If you are using sensitive personal data (or “special category data” as it is referred to in the GDPR) then there is extra conditions. I am not going into this, however, you should be aware if you are using this data that there is additional requirements.
The two lawful bases for processing that are most relevant are:
- Consent
- Legitimate interests
Consent
From my research, consent is going to be the most popular and best-fit for blogs similar to Under the Covers. It is certainly the basis which we will be utilising. However, although the concept of consent is fairly straightforward that doesn’t mean there isn’t work to be done.
Consent standards must be high, the days of pre-ticked and opt-out boxes are over. The consent must be explicit and transparent. When someone signs up or gives you there personal data, you must tell them exactly what they are signing up for. No vague and ambiguous language. You also can’t make consent to something a prerequisite to service – this means you can’t do a giveaway and have sign up to your newsletter as a required condition of entering. If third parties are also going to access and process this data you must state this and name the third parties.
Consent should be freely given and people should know EXACTLY what they are consenting to. If they don’t then it isn’t consent and you have no legal basis.
Once consent is obtained you must also have a good evidence of, who, when and how it was obtained. If you don’t have evidence of people’s consent, it’s the equivalent of not having their consent to begin with.
This means that if any personal data you collected where a pre-ticked box was used, or you don’t have a record of how you obtained consent, then you need to go back out to the individuals and get consent again. If you do not get this consent you must delete the personal data.
You also need to make withdrawing consent easy and tell people how they can do this. Whether this is by contacting you directly, unsubscribing or having a user setting functionality where people can opt out. And more importantly, this has to work. As soon as someone withdraws consent you cannot keep and process someone’s personal data.
Applied to real life…
So, I am going to explain how Under the Covers have approached this so you get an idea of the idea of “consent” in a real life context.
Newsletter/Mailing List
We were lucky, we have never used a pre-ticked box to get people on the mailing list. If your set up for your mailing list is similar to ours then you are covered in regard to explicit consent. When someone adds their email address into that box, it is really clear what they are signing up for.
We also have a verification system in place, so once someone submits their email address they will receive a verification email. Once they have clicked to verify they do want to receive our newsletter they will be added to the mailing list. This means that you can’t sign someone else up by just putting in their email address.
If your sign up isn’t similar in its transparency then you will need to regain consent from everyone on your mailing list. If you don’t regain consent they will need to be deleted from your list.
But, that is only a third the work. We also need to know when someone signed up and the details they used. This is where it becomes tricky. Even if your method of gaining consent is transparent if you don’t’ have evidence of when, who and how then you will need to regain consent so you can record this information.
Luckily for us, the mailing services we have used have recorded this information, so for our mailing list we have a comprehensive set of data. Check the service you use and you may find that you also have this data.
Next up, you need to make is really clear how users can “withdraw their consent”, which translates to: make it easy to unsubscribe. Common convention has it that there is an unsubscribe button at the bottom of a newsletter. Make sure it’s there and make sure it isn’t so ridiculously small and lost in a mass of text that people can’t see it.
Legitimate Interests
Under the Covers won’t be using legitimate interests as a legal basis. After researching it, although it is flexible and should applicable to us, it seemed simpler for us to stick with consent. However, it may be something you wish to pursue further. So here are the basics:
Article 6(1)(f) says:
“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
This is broke down into three questions/tests:
Purpose Test: are you pursuing a legitimate interest?
Necessity Test: is the processing necessary for that purpose?
Balancing Test: do the individual’s interest override the legitimate interest?
All together this is called the Legitimate Interest Test (LIA) and you must keep a record of this test when deciding to use legitimate interest as your lawful basis. So, let’s break this down:
PURPOSE TEST: Identify what your legitimate interest is. But an interest can be your own commercial interests, societal interest, in the interest of a third party. The definition seems a little woolly…is a mailing list or giveaway a legitimate interest? The smaller the interest the harder it is to justify. However marketing is specifically mentioned in the GDPR as a legitimate interest.
NECESSITY TEST: Is it necessary to process the personal data to achieve your purpose? Is there a less intrusive way to do it? If there is then you don’t have the right basis to process the personal data.
BALANCING TEST: Balance your interests and the individual’s interest. Your processing must be reasonable and proportional, where the individual may expect you to use their data in a particular way.
The reason I don’t like to use legitimate interests is the same reason why it is so useful. It’s flexible and can be used to cover a lot of ground. Personally, I prefer the fairly clearly defined principles of gaining consent from my users. Consent builds trust between you and your users, rather than trying to guess at people’s interests they tell you what they are. We’ve all had unexpected email and phone calls from companies that we don’t remember signing up to. This could be because I signed up to one company who decided it was in my/their legitimate interest to pass on my details to a third party. Basically they thought their “legitimate interest” was, in balance, more important than my interest in not getting a pointless phone call or email.
Another reason I am avoiding this lawful basis is because of the upcoming Privacy and Electronic Communication Regulations (PECR). I haven’t done as much research on this, but it covers marketing and (don’t quote me on this!) I believe consent is needed and legitimate interests wouldn’t cover it.
However, I do plan on researching the PECR and doing another Blog it Out post about the parts that are relevant to us, so keep an eye out!
Where’s your Privacy Notice?
I’ve referenced having a privacy notice or privacy policy (they are the same thing) already in this post. And, if you look at the bottom or sidebars of most websites you will find a link to an organisation’s privacy information. It’s been a requirement for a while, GDPR doesn’t necessarily change this too much. However, have you ever actually clicked on an organisation’s privacy notice? It’s like it’s in a completely separate language. GDPR doesn’t allow this. It needs to be concise and in easily understood language, so when you do ever click on that link, you know exactly what it’s saying.
However, before GDPR it never really occurred to me that we might need a privacy notice, so we haven’t had one. At the time I am writing this, we still don’t have one. But there is a draft and by the time 25 May comes round, it should be on the site. I imagine we aren’t the only blog that didn’t think about privacy policies until GDPR came around!
Firstly, lets address what is a privacy policy and why is it important?
A privacy policy/notice tells your users what information you collect, how you use it, who processes the data, who you share it with and how their details can be removed or amended. This is all within the principle of ensuring that data processing is transparent and fair.
Now, this doesn’t mean that just having a privacy policy means that what you are doing is transparent and fair. But, it is an essential step. As a small entity a privacy notice is a fantastic tool for protecting both our users and ourselves. We can be very clear about what we are doing and how we are doing it and it is all in one convenient place for us to link people to.
But transparency and fairness isn’t always that simple, especially if you don’t rely on explicit consent. In these cases’ a privacy notice isn’t always enough and I recommend you look up Data Privacy Impact Assessments (DPIA or PIA) and take it forward from there.
What should I put in my privacy notice?
Firstly, lets address the way you write your privacy notice before we get to the content. It should be:
- Concise
- In straightforward easily understood language
- Contain no jargon or legalese
- Truthful – don’t over promise things
Secondly, lets look at the content. There seem to be a number of points that a comprehensive privacy notice should cover:
- Who you are
- What your purpose(s) is/are
- What you will be doing with the personal information
- Who it will be shared with (even if you share with no one, you should state this)
- What your lawful basis is, especially if you are not using consent
- How people can withdraw consent or have their data removed from your databases
- A contact name and contact details (email address is sufficient)
- Date you last updated the privacy notice
Seems simple, but, you should carefully consider and even map the flow of your personal information to ensure that you are as transparent as possible.
For example,
You are hosting a giveaway on behalf of a third party. The third party is going to send the prize. What is the flow of information:
- Individual enters giveaway giving personal details i.e. name and email address
- Winner is picked and asked for their address
- Winner sends the address
- You pass on the address and name of the winner to the third party
- The third party sends that prize
In that scenario you have shared two pieces of personal information to a third party: the name and home address. If this is the case though you need to inform someone BEFORE they enter that giveaway that you are hosting it for a third party; who that third party is and that the winner’s information will be shared with them. This allows the entrants to make an informed decision about entering the giveaway.
Within your privacy policy you need to mention that personal information is shared with third parties in the context of giveaways. Not only must you do that, but with each individual giveaway post (NOT in the privacy policy), it must be clear who the third party is and what information you will share. If you had a list of all the possible third parties you may do a giveaway with, the privacy notice wouldn’t be concise for very long!
(There are further things to consider with third parties, which I will address later in this post.)
That’s the privacy notice. In terms of layout my current thoughts for Under the Covers is to have general information, such as who we are, our lawful basis and contact information in the first paragraph. Then have subheadings such as: Mailing List, Giveaways, Comments etc and under those subheadings the details of what data is collected; how it is used; how people can withdraw; who it is shared with. Of course, this could still change as it isn’t finalised yet!
What about third parties?
When I talk about a third party, this is anyone who isn’t you, but has access or will be given access to the personal data you have collected. This means you need to be careful who you give access to. If anything goes wrong, if there’s a data breach, which includes data being lost or stolen, shared with an unauthorised party. Even if it you weren’t the one who did this, it is still your responsibility.
This means chose your third parties carefully. If you use a mail service for your newsletter or to host your giveaways that’s a third party. Ensure that they are GDPR compliant, if they aren’t find a different service. And if you are using a specific service, for example MailChimp for your newsletter, ensure that you have this in your privacy notice.
Another third party who you may possible share information with, but don’t need to add to your privacy policy as it isn’t a regular service is: publishers, authors, other blogs and businesses. Ensure when you share information with them that you have consent or have a fully justified legitimate purpose.
I used the example of a giveaway in the “Privacy Notice” section of this post. Let’s take this a step further. In the scenario, you had hosted a giveaway for the third party. You have given them the address and name of the winner, which, you had gained consent for before they entered the giveaway. If the third-party then comes back and asks for the email address of everyone who has entered the giveaway. You CANNOT give them this list. You did not gain the entrants consent to do so. And, as the owner of that data you are responsible for it and thus responsible for anything they do with that data.
What if I have a data breach?
First thing. Don’t panic. Data breaches do happen and when they do, the best tool to deal with it is a good process or plan.
Let’s define a data breach:
• Access by an unauthorised third party
• Sending personal information to the incorrect recipient
• Loss of personal data- including through theft
• Alteration of personal data without permission
• Loss of a devices such as computers and phones that contain personal data
The isn’t an exhaustive list, but one thing that every type of incident has in common is that there has been some kind of breach; the data has been altered without authorisation, lost, disclosed without authorisation or stolen.
Should you report this to the governing body (like the ICO)? That depends on the severity of the data breach. Some thing that will have a severe damaging affect – whether economically, physically or mentally – needs to be reported, both to the ICO (or equivalent) and to the individual.
Something less severe, such as accidentally deleting a record, but being able to recreate it soon afterwards you would not need to report to the ICO or the individual. However, you should document any breaches you have and the actions taken by you to mitigate the breach.
Conclusion
Under the Covers is not a big organisation or even a small business, we are a relatively small (but wonderful) blog. So why are we worrying? Because although small, we still hold 1000s of pieces of people’s personal data and we take that responsibility seriously. And, although it may seem horrible and complicated, for a entity our size and with our “purpose” there are some relatively straight forward steps that we can take to ensure we comply.
I hope this has been helpful! If you have any question or comments then please let me know and I will do my best to answer them. Like I said, I am no expert, but I have done so much research that I am starting to dream about GDPR!