It seems that all around me there are whispers about how scary the GDPR, which comes into effect in May, is, and yet no one really seems to understand why they are scared or what they need to do to protect themselves. The GDPR stands for General Data Processing Regulations and takes over from the old Data Protection Act. It comes into force on 25th May 2018 and its main goal is to give people control over their own data and over who holds it. First let me state that the information I am providing here is not legal advice; these are the steps that I am going to follow for my blog at the moment, although this may change as more information is released.
I am not telling you to do the same, but I wanted to share the process I am taking with you to see if it will help.
I have spent hours and hours and hours reading various reports, documents and blogs and watching various webinars about the GDPR and I feel that I have a good grasp on how it will affect us as bloggers at the moment. Feel free to argue with me if you think that any part of this information is wrong and bear in mind that things are still changing, and guidelines will continue to be developed up to and past the May 2018 date.
As this is a blog post for bloggers I will be focusing this article on the types of data I hold for my blog and the way I use them.
As a blogger, I hold and process people's personal data all the time. Sometimes I just store it away with no use for it apart from the fact that it has been given to me, and sometimes I use the data given to me to send newsletters or blog posts. I also share personal data with other organisations on occasion, such as the details of competition winners.
The first thing I will do as a blogger is write down all the different places that I store people's information and what I use it for. There are a 12-step guide and "getting ready for GDPR" documents on the ICO website which help to take you through this process. The ICO website also has a great section on documentation, including a template on how to lay it out to ensure compliance.
See the list below with some examples of the data I hold and what I do with it.
Comments – store
Newsletters – send
Competitions – share data
Cookies – store
Analytics – store and process
Emails – send
Plugins – store/analytics
Now that I know what I am currently doing with people's personal data, I need to decide which lawful basis I will use when processing that data. This is just a fancy way of saying why I do it, and rather than go into all of them I am going to look at the two which are most relevant to us as bloggers and explain why I think both apply at different times.
LEGITIMATE INTEREST – The legitimate interest lawful basis is the one that I will use for most of the things I do as a blogger. Legitimate Interest basically means that I have a good business reason for storing or using that data. For example, collecting cookies and analytics on my site. I don’t share these details with anyone else, but I use them to show how well I am doing. I need to update my policies to reflect these. I would also use the legitimate interest to store comments on my site. I do not need consent to store this data if my data protection policy is also updated to reflect the GDPR changes.
CONSENT – I would use the consent lawful basis in the following examples. Giveaway entrants must give consent for me to share their details with the company who will send out their prize. I must make it clear in my terms and conditions who I will be sending this information to. I would also use consent for newsletters; consent must be an opt-in choice, and I must make it clear what they are opting in to receive. An example is if someone signed up to receive my blog posts via email but then I started a plumbing business: I couldn't use those email addresses to send a newsletter about my new business.
There has been some discussion about having to scrap old mailing lists and delete comments. This is not 100% wrong, but there will be very few people who will need to do this. If I had a pre-ticked opt-in box to sign people up for my newsletter then I am sorry to say I would need to gain consent all over again. However, as I didn't have a pre-ticked box, I don't need to do this. As for comments, as I am not processing that data and am only storing, in a secure manner, data that they provided to me, these are fine. There has also been talk about deleting comments after 12 months. I do not need to do this, as my policies state that I can hold this data until such time as I decide to close the site, so this is perfectly fine. My policies also give the member of the public the information they need if they wish for me to delete their information before that time. The GDPR does not stipulate a length of time but states I shouldn't hold data that is not necessary to my business. Blog comments are a necessary part of a blog.
Now that I have audited the data I use and process, decided which lawful basis I will use when processing it, and established that I need to update all of my policies, I am almost at the end of what has been a fairly painless process. There are just a few more things to consider.
The aim of the GDPR is for a person to be in control of all their personal data. So, if someone asks me to provide them with a copy of the data I hold about them, I must do so. This means I need to have a process in place that allows me to find that data quickly and, if requested, completely delete all data I hold about that person. I will use the ICO templates to create a list of all the places that I might have personal data stored, such as comments, emails, giveaway widgets, newsletter lists etc.
The last thing I need to be aware of is that if I get hacked I will need to let the ICO know and make them aware of what information was available to the hacker. I need to talk to my web host to see if they can recommend ways to make my site more secure, and as I store data on my laptop and my phone I need to ensure these are password protected.
My to-do list before the May deadline
Check that I am registered with ICO – it is £35 a year and they have a free advice line, so they can help with any questions
Create a folder right now that consists of the following documents:
Table showing all data held, where, and how it is processed and the lawful basis using the GDPR template
A list showing all places I need to look for someone’s information if they submit a data access request
Update my website policies to GDPR-compliant documents
I hope this has helped to ease your worries but also given you things to think about. My to-do list is easy to action and won't take long. If you have any questions just drop them in the comments below and I will do my best to answer them for you, or why not give the ICO a call on their GDPR hotline for small businesses. I definitely recommend that you give the ICO website a read, and we will update this post as we hear more news, as things are still changing and new templates are still being released.
We will also share details on our social media channels when we hear that certain sites and plugins have been adapted to make them GDPR compliant, which we know is currently being worked on by a lot of the popular ones.