GDPR and bloggers: what are the rules?
John Adams of DadBlogUK.com recently wrote a guest post for us proposing the need for a blogger association. As part of the subsequent conversation on Twitter, bloggers said some topics, like the GDPR, needed to be better clarified for bloggers (something an association would be able to do).
At Vuelio we’ve been doing a lot of work around the GDPR, telling the comms industry what it means for them and what they might need to do. You can read our white paper and guide, listen to our webinar, and see answers to frequently asked questions, parts one and two.
Here, we’ve put together some questions bloggers might have about the GDPR, with answers below:
I’m only a hobbyist, does the GDPR apply to me?
The GDPR applies to anyone who is collecting and using EU citizens’ personal data. It doesn’t matter if you’re a full-time blogger or work for free.
What’s personal data?
Anything that can identify an individual – whether it’s on its own (an email address) or combined with another piece of information (a job title and a company). So, if you’re collecting names, emails, personal preferences and anything else that could identify people, then you’re processing personal data.
Am I a Controller or a Processor of this data?
The GDPR splits responsibility for data between Data Controllers and Data Processors. Controllers decide how data is collected/managed/used and Processors do what they’re told by the Controllers to process the data in a lawful way that’s compliant with the GDPR.
So, if you’re running a competition, starting a newsletter or doing a giveaway, you’re deciding what information is collected, how it’s stored and what you’re using it for. You’re a Data Controller. Your processors will most likely be software platforms you use, like your web platform, your host and your email platform.
Can I get someone to sort this out for me?
No (sorry). The GDPR is your responsibility. If there’s one thing that’s clear, it’s that you need to understand your own obligations and compliance with the GDPR. Guides like this can only ever be guides – you need to understand why your data processing is compliant with the GDPR, and if you don’t (or it isn’t) you probably shouldn’t be processing data.
In what kinds of areas am I processing personal data?
Possibly (but not limited to): newsletters, competitions, giveaways, comments, analytics tracking (if it includes identifiers like an IP address), inbound and outbound emails through your email platform, PR/brand contact sheets and invoicing information.
What does the GDPR say I must do when using this information?
You must have a lawful basis for processing personal data. There are six, but it’s likely you’ll consider one of three: consent, legitimate interest and contract.
Consent: This basis is all about giving individuals real choice and control. There are specific rules about consent, especially how clear you make the consent so people know what they’re agreeing to up front.
Consent must be a positive opt-in, so you can’t make people opt-out by unticking boxes. They must be actively choosing to agree to whatever it is you want from them.
In all cases, you must make it clear why you’re collecting their data and what their data is being used for. So, if they’re signing up to a newsletter, the data is being used to send them your content – that’s a simple explanation. But, if you’re then using that data to give it to partner brands or sell lists to certain PR agencies, that’s more complicated and you must make it explicit on the sign-up form.
This also includes the stages of processing and storage, and you must explain they will have a clear means to opt out at any point (and give them a clear means to opt out from any comms you send them). Not everything has to be written on a consent form; you could write detailed information in your privacy policy and link to it. But when in doubt about what to include, include it – it’s better to have too much information than not enough.
Legitimate interest: This is the broadest basis for processing personal data and you may use it when someone would realistically expect you to process their data for a particular purpose. For bloggers, this might be analytics tracking or storing emails with personal data in your inbox. You need to work out your legitimate interest and it must be weighed against the rights and freedoms of the person whose data you’re processing. You must publish this and direct to it the people whose data you’re processing under legitimate interest. One possibility is writing out the legitimate interest explanation clearly in your privacy policy and then linking to it from emails.
You must also give a clear means for people to opt out at all times, should they exercise their right to do so.
Contract: Sometimes you have to process someone’s information to fulfil a contractual obligation. This would apply for invoices and billing, but you still need to document that this is the basis you’re using. If you’re using contract as the basis, processing must not exceed what would be reasonably expected by the other party (so you can’t sign someone up for your newsletter because you’re billing them).
Do I have to tell everyone that I have their data and how I’m using it?
Yes, but that doesn’t mean you should be sending people emails to ‘reconsent’ (if you do, you could be in breach of PECR, which is a whole other post!). If you’re processing data under legitimate interest, you must still tell people you have their data and it’s being processed on the basis of your legitimate interest.
What if someone wants to stop me processing their data?
Unless you have a good, legal reason to continue processing their data (which would be in your legitimate interest), then you must comply. Your data storage platform should have a means for you to remove them without removing all of their details (so you don’t accidentally re-add someone who requested removal).
What if someone wants to know what data I store on them?
This is called a Subject Access Request (SAR) and you have 30 days to comply. You have to let them know about ALL the data you’ve processed that pertains to them – including information from your email platform, inbox, CMS, any spreadsheets and anywhere else you’ve used or stored their data.
Do I need records of what data I have?
Probably, though it’s different for different sized companies (see below). Records should include what data you’re collecting, your lawful basis, types of processing, security measures and granular details like how and when you obtained someone’s data. This is useful if someone wants to know what data you have on them.
I don’t process data very often, do I need to keep records?
The Information Commissioner’s Office (ICO) is responsible for policing GDPR compliance in the UK. The ICO states that if you have fewer than 250 employees, you only need to keep records for processing activities that:
- Are not occasional
- Could result in a risk to the rights and freedoms of individuals
- Involve the processing of special categories of data or criminal conviction and offence data
What about breaches?
If you find out that the personal data you hold is subject to a breach (it’s been hacked into or you’ve left a logged-in laptop on the train) then you MUST report it to the ICO within 72 hours. If it’s an accident and you generally have good processes in place to comply with the GDPR, then the ICO will look more favourably on you. If you’ve not got any evidence you’ve considered the GDPR or processed data lawfully, then the ICO has the power to fine you up to £17m. Yikes!
What if I’m collecting data for a third party, like a brand or PR agency?
This must be clearly explained in your privacy policy – the GDPR is all about people knowing how and why their data is being used.
What about the platforms I use?
You are responsible for ensuring you’re using only GDPR-compliant platforms. Check your terms, email any help desks you have and find out how they’re complying with the GDPR. If they don’t seem right, or aren’t being helpful, shop around – this is important and all companies should be taking it seriously. At Vuelio we’ve taken our responsibility as both a Data Controller and a Data Processor very seriously, and communicated this to our clients and the industry we work in. We believe every software company should be doing the same.
Want to know more? The ICO’s website may help or you can tweet us and we can do our best, but remember – you must understand the GDPR and you are ultimately responsible for complying.