GDPR: what actions must a blogger take immediately?

GDPR is making website owners, businesses and social media platforms jittery all over the world. But that is good for the World Wide Web and for you, the internet user and the BLOGGER. It is good for businesses themselves. It is a bitter pill that has long been needed but has only now been delivered.

A few concepts before we get to the practical aspects of this new regulation from a blogger's point of view. If you only want the practical bit, skip ahead to the section "Actions bloggers should take" below.

What is GDPR?

GDPR stands for General Data Protection Regulation. It has been enacted by the European Union to protect the personal data of individuals. It clarifies various aspects of personal data, privacy and the consent required from individuals before their personal data is used. In simple terms, it is a mechanism to regulate how personal data is collected and handled, so that it is not misused.

The regulation came into force on 25 May 2018.

A quick overview of the GDPR provisions is available on the European Commission website, which also leads to the full text of the regulation for those who want the details from the horse's mouth.

Why are such strict data protection rules required? Is personal data really that unsafe on the internet?

The moment an individual enters any internet-based system, their personal information keeps being seen and stored, much of it without their consent. Even with consent, which is sometimes made automatic (e.g. while logging in) and sometimes taken innocuously (e.g. as part of surveys), the data once captured can then be stored, analyzed and used for different purposes. It is also sold to others who may use the data for unethical purposes. Many cases of data being leaked from highly reputed companies have also been reported in the recent past.

There was a crying need for strict provisions on how people's data is dealt with by those who receive it. It is good that the EU, which had been working on it for the last two years, has finally brought in the regulation in the form of GDPR.

Why is there panic and why are the companies outside EU worried?

Panic, because the rules apply from 25 May 2018 and many companies have not prepared themselves for it.

Panic also because whoever serves EU citizens through a website falls under its provisions. GDPR applies to entities within the EU as well as to those located elsewhere but providing services to EU citizens. That covers all major global companies and a large majority of individuals with a presence on the internet. In the internet world there are no national boundaries, and so there is a scramble the world over for compliance. In addition, other countries may follow suit and bring in similar laws of their own.

GDPR is exhaustive. It starts with the collection of data, for which it mandates proactively informing the individual about the intended use of the data and obtaining the active consent of the individual whose data is being received. Those in the business of collecting, storing and processing data are also required to inform citizens how the data is used in the hands of the data collector. It then applies to the controller and the processor of data. The controller is a person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; the processor is a person, public authority, agency or other body which processes personal data on behalf of the controller. Between them, that covers all entities that receive, store, process and use data.

The penalties for any data or privacy breach are strict. The maximum penalty for corporates is mind-boggling: 4% of their global turnover!

On the very first day of GDPR coming into force, Facebook and Google were hit with lawsuits of over 3.7 billion euros each, even though both had rolled out quite elaborate policies and clarifications in advance!

A number of big sites are reported to have been unavailable in many European countries since 25 May.

As a blogger, do I need to do anything about GDPR?

A blog automatically serves information to EU visitors.
As a blogger, you might be collecting data in deliberate and/or unknowing ways. Cookies, for example, are small pieces of information that websites store in the user's browser and read back on later visits, and they are used to capture data. Cookies are not malicious, and they help in some ways, such as faster loading of a website the next time. But they do capture data.

Comment forms, whether built in or third-party, usually ask for personal data. The same goes for contact forms.

Bloggers usually collect information such as name and email when letting people subscribe to their feed/ updates.

Bloggers often collect data through email marketing services such as MailChimp.

On many blogs, the blogger adds plugins for interactivity, serving ebooks, etc. The opt-in forms for using these facilities capture personal details.

Some blogs ask readers to log in before proceeding further or for premium offers.

Therefore, as a blogger, you need to be transparent and proactive about how you collect personal information and how you use it, and give the person a choice. An expert has suggested the following, and I agree: if you do not directly deal with people in the EU, yet might have people from that region visiting your blog, clicking on your ads or even buying something through your blog's ads, you need not worry. First, keep your own conduct clean: never abuse others' data. If you do that, you are already complying with much of what is required. Second, inform everybody about your privacy and data policies. Third, take consent whenever collecting data.


Actions bloggers should take

  • If you are in the EU, and you are actively collecting user data while selling a product or when someone subscribes to your blog, you must already have registered with the EU Commissioner.
  • Even if you are not located inside the European Union, not into e-commerce and not specifically serving the European population, follow the general provisions of the data protection regulation. They will help you in the long run. You will also be seen as a responsible blogger.
  • Have a cookie policy. Have a data-use policy. These policies are nothing but declarations of how you collect data, what data you collect, and how you use, store and share that data. It is best to jot down all the data that you are actively or passively collecting on the blog and be transparent about it. Put it on a stand-alone page and refer visitors to this page through a popup, and also whenever you ask someone to opt in for a subscription in future.
  • Ask visitors (especially first-time visitors) to look at the cookies policy and other policies before proceeding further.
  • If you use an email marketing service (AWeber, MailChimp, etc.), be sure that they have added the necessary consent notice to the form. Most big ones have already done that.
  • Send an email to all existing email subscribers giving them a choice whether they want to retain the subscription, change data or unsubscribe. Major email marketing agencies already have a subscription alert template customized for GDPR.
  • If you use Google AdSense, any affiliate marketing code (e.g. Amazon, CJ) or Google Analytics code on your website, that code will be collecting user data. You need to be sure that the necessary actions are taken by the services that serve the code. If you find them deficient, contact them, and also declare this in your own policy document.
  • Do not have automatic opt-ins, e.g. collecting someone's email when they click your link for an ebook and letting them download it on entering their email, without telling them that you are collecting the data and will use it later to send them emails.
  • It appears that users of Blogger, WordPress, LiveJournal and other such free blogging platforms need not bother if they have not used any third-party facility on the blog. It is assumed that all such big platforms display the basic consent form and other information when their blogs are visited by people in the European Union. Some platforms do not allow any such activity, but paid WordPress accounts and all Blogger accounts can add extra code (analytics, plugins, widgets, etc.) and so should be careful.
  • Bloggers who have monetized the blog in any way need to ensure that they comply adequately with the provisions of GDPR.
  • If you use a plugin for capturing data on people, announce that and seek consent before you capture data through that plugin the next time.
  • Do not collect data if it is not required.
  • Do not have opt-in forms in which there are pre-ticked boxes for consent.
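The last few points (no pre-ticked boxes, no automatic opt-ins, consent before third-party code runs) can be enforced in a few lines of client-side JavaScript. The block below is an added example, not code from the original post: it holds back analytics, ad and newsletter code until the visitor has explicitly ticked a consent box, starts with every box unticked, and treats missing or malformed stored consent as no consent. The storage key, category names and loader list are assumptions made for the example.

```javascript
// Added example (not from the original post): gate third-party scripts and newsletter
// opt-in behind an explicit, unticked-by-default consent decision.
const CONSENT_KEY = 'blog_consent_v1';                 // hypothetical localStorage key
const CATEGORIES = ['analytics', 'ads', 'newsletter']; // hypothetical consent categories

// Starting state: nothing consented and no decision recorded (no pre-ticked boxes).
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false;
  return { version: 1, choices, decidedAt: null };
}

// Read a stored record back; missing, malformed or other-version data means "no consent",
// and only a literal true per category is honoured (a string "yes" is not consent).
function parseConsent(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return defaultConsent(); }
  if (!obj || obj.version !== 1 || !obj.choices || typeof obj.choices !== 'object') return defaultConsent();
  const state = defaultConsent();
  for (const c of CATEGORIES) state.choices[c] = obj.choices[c] === true;
  state.decidedAt = Number.isInteger(obj.decidedAt) ? obj.decidedAt : null;
  return state;
}

// Record what the visitor actually ticked; unknown keys are ignored, unticked stays false.
function recordConsent(submitted, now = Date.now()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) state.choices[c] = submitted[c] === true;
  state.decidedAt = now;
  return state;
}

// Which loaders may run? None until a decision exists, then only ticked categories.
function allowedLoaders(state, loaders) {
  if (state.decidedAt === null) return [];
  return loaders.filter((l) => state.choices[l.category] === true);
}

// Browser glue (returns [] under Node): read storage, inject only the permitted scripts.
function applyConsentInBrowser(loaders) {
  if (typeof document === 'undefined' || typeof localStorage === 'undefined') return [];
  const allowed = allowedLoaders(parseConsent(localStorage.getItem(CONSENT_KEY)), loaders);
  for (const l of allowed) {
    const s = document.createElement('script');
    s.src = l.src; s.async = true;
    document.head.appendChild(s);
  }
  return allowed.map((l) => l.category);
}
```

On the consent form's submit handler, call `recordConsent` with the ticked boxes, store the result with `JSON.stringify` under `CONSENT_KEY`, and then call `applyConsentInBrowser` with your loader list; the analytics or AdSense script tags are only ever inserted from that function.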
Finally, unless you are doing big business through the blog, don't worry too much, because the regulation is mostly meant to check data misuse by big companies. At the same time, be clear and ethical about collecting and using others' personal data. It always helps to be transparent, even if the law does not operate in your country.

Disclaimer: This is not a legal or legally binding opinion but a general advisory on the use of data according to GDPR.