Are you a blogger or influencer? Have you heard of GDPR and you’re wondering if it applies to you? When it comes to the law things can get complicated very quickly, so we put together this guide to give you a solid foundation on which you can assess and determine your own obligations under these new regulations.
What is GDPR?
The European Union’s (EU) ‘General Data Protection Regulation’ (GDPR) is a set of laws designed to protect the personal data and privacy of EU citizens. The old rules were put in place in 1995 and were grossly insufficient for the current digital world. You can be financially penalized for non-compliance. You can find the regulations at https://gdpr-info.eu/.
What is ‘Personal Data’ Exactly?
It is any information related to a person (not a business) that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, blog comments, cookies or a computer IP address.
Note: The GDPR only applies to personal data – not data regarding an organisation or business.
I’m Only a Small Blogger and I Don’t Live in the EU – Does GDPR Apply to Me?
This isn’t a simple ‘yes or no’ – these two questions will tell you if you need to take action…
- Q – Do you, or might you in the future, collect or store email addresses or any other type of ‘personal data’ from someone living in the EU?
  - Yes – Keep reading!
  - No – Don’t worry, GDPR doesn’t apply to you.
- Q – Are you making money from your blog or other influencing activities?
  - Yes – Keep reading!
  - No – Don’t worry, GDPR doesn’t apply to you.
How Long Have I Got?
Compliance with the regulations is mandatory from 25 May 2018.
Am I Allowed to Collect Email Addresses?
Building an email list is a priority for many bloggers. Under the GDPR, you can only collect or store an email address from someone if:
- The individual has given clear consent for you to process their personal data for a specific purpose.
What is ‘Clear Consent’? Can You Give Me an Example?
Any time you ask someone for their personal data you must tell them:
- The data you are collecting and storing;
- Why you need the data;
- The specific ways you will use their data; and,
- That they can opt-out easily at any time.
If you have a signup page that is only for this purpose, this would be a good example of a compliant request for the reader to opt-in:
It is important to note that the details you collect in this example can only be used to provide the person with a newsletter. You cannot use their email address in the future to send them marketing material or anything else.
If you wanted to ask someone to sign up for your newsletter AND also ask them to allow you to market to them in the future, then this example would be GDPR-compliant:
Note: You cannot pre-fill checkboxes. You must give the user the chance to actively opt-in.
And another note: You cannot ‘bundle’ consent for different things. For example, if you offer a free video download and you need their email address so you can send them the video link, then that’s OK. BUT, if you also want to use their email address to send them your newsletter, then you need to break your opt-in form into two sections, giving them the option to opt in to the video, the newsletter, both, or neither. If you also want to use it for marketing, then you’ll need a third section.
But I Use MailChimp – Surely That Means It’s All Compliant?
No, definitely not.
In terms of data storage, yes, MailChimp is secure and they are now GDPR compliant.
But in terms of opt-in language and the way you need to specifically ask for consent, that comes down to how you have worded your signup page/form.
MailChimp has redesigned its form builder to make this easier, but it still relies on you to ensure the wording is compliant.
Does ‘Double Opt-in’ Solve Any of These Issues?
Double opt-in is good industry practice for ensuring quality newsletter signups, but it is not mandatory under GDPR.
It is the language you use that matters. Just because someone opted in twice via a non-compliant signup form does not suddenly make it compliant.
What About All the Email Addresses and Other Data I’ve Collected Over the Years?
This is where it gets a little tricky.
- Q – Does the signup page you have used in the past comply with the new GDPR requirements (as per the examples above)?
  - Yes – You can keep using that data (only for the express purposes that you communicated to those persons).
  - No – Keep reading!
If you answered ‘No’, then these are the 3 options available to you:
- Redesign your signup page, and then send an email to everyone (or just EU persons) asking them to opt-in again; or
- Delete your list and start from scratch, ensuring your new opt-in form is GDPR compliant.
Does It Matter if I Use a Facebook Pixel on My Blog?
The pixel does collect personal data, so it is important that you disclose this to anyone visiting your site and give them the chance to opt in to you re-targeting them at a later date.
We recommend updating your cookie popup to include a separate tick box for this purpose, e.g. “We use a Facebook pixel to help provide you with additional information or services that may be of interest to you at a later date. Please tick the box to indicate your consent.”
But, here’s the thing…
What if someone doesn’t consent? By the time they land on your page you’ve already collected their data. To truly provide protection, you would need to create a separate ‘holding’ page (without a pixel) where the user could give, or not give, consent. If they give consent they are directed to your main site. If they don’t give consent they are not taken any further. We are yet to see this being implemented anywhere!
This is one excellent example where the practicalities of implementing GDPR have not yet been tested in the real world, or in a court of law.
This is probably the most critical thing you can do.
Things it must include:
- Who you are;
- What data you collect and why;
- What you do with each piece of information;
- The specific GDPR ‘lawful basis’ you are using to justify the collection of the data; and
- If applicable, who you share their data with (e.g. other marketing agencies).
What Rights Do My Readers Have Regarding the Data That I Store or Process?
Anyone who has provided their personal data has the right to request that you:
- Show them the data that you store on them;
- Tell them how you use their data; or
- Erase their data, i.e. the ‘right to be forgotten’.
A written procedure or data management system isn’t strictly necessary for you to comply with a personal data request, but creating such a document to describe your current and future data management activities would be very helpful, and it reassures people that their data will only be used in ways they have permitted.
Imagine if you continued collecting data from various sources (cookies, membership sign-ups, CRM information, email sign-ups, giveaways, etc.) for several years without organizing it so that you can retrieve an individual’s personal data, and then one day a person asks you to provide them with a record of all the personal data you’ve collected on them, how it’s been used, and where it’s stored.
Trying to go back and collect all that information after the fact would be a nightmare. Setting up a storage system and retrieval process now shouldn’t be that difficult if the data you collect is simple and straightforward, and it could save you a lot of headaches down the road.
We Store a Lot of Data in MailChimp, Google Drive and Other Software Systems. Does This Matter?
Yes! To ensure that the personal data you store is secure, it is critical that any software you use is GDPR compliant.
The best way to ensure this is to either check their website or contact them directly. You will find that most organizations are stating their compliance publicly, and this is happening more and more the closer we get to 25 May.
We Share Personal Data with 3rd Parties for Them to Process. Does This Matter?
Yes! It is critical that any 3rd party data processors are GDPR compliant.
This could include:
- A contractor or influencer company that uses your contact data to recruit influencers for your campaign; or
- An analytics organization that processes influencer campaign data.
The best way to check this is to contact them directly. For large organizations this probably won’t be an issue; however, smaller businesses or individual contractors may be lagging.
Is There Anything Else I Should Be Aware Of?
Ongoing compliance with the GDPR is mandatory, so we recommend scheduling an annual internal audit of your documentation, site design, and processes.
This All Sounds Like Too Much Work. What Happens if I Don’t Comply?
As digital businesses, we cross international boundaries. As we know, most laws have not yet caught up with this business model.
Whether you care about complying with regulations and laws such as GDPR is your own ethical and business decision — however here at UpThink we strongly support making every effort to comply with the laws of the countries in which you are doing business, as practically as possible.
You can be fined up to 4% of your annual turnover, or 20m Euros, for non-compliance. But of course, this relies on someone auditing you and finding deliberate non-compliance, or on one of your readers reporting you to the authorities for failing to comply.
Is that likely? As for audits, probably not. But your readers? Who knows.
You know your business and your readers best, and how you respond to these new regulations is totally up to you — and we hope this guide has provided you with some clarity on the best path forward!
If you have any further questions, please feel free to contact Andrew from UpThink at firstname.lastname@example.org