GDPR – the General Data Protection Regulations – is worrying many business owners at the moment. It’s a fundamental change to how we store, manage and process personal data relating to prospects, customers, clients and staff.
Businesses with blogs are particularly affected because of the global nature of the people we interact with. Yes, GDPR is a European regulation, but it affects your business if you deal with European citizens. And if you blog, that’s likely to mean it affects you.
Let’s look at GDPR for bloggers. If your business has a blog, this article will help you work out where to start focusing your efforts. I’ll look at 10 things bloggers need to know about GDPR.
But first, let’s go back to basics.
You should know that I’m not a lawyer and this article does not in any way constitute legal advice or business advice. I’m just someone who has done a lot of research about GDPR. I am happy to recommend Suzanne Dibble’s GDPR Documentation Pack which I use in my own business (more on this at the bottom of the article). Always take advice from your legal team.
What is GDPR?
You may have already heard about GDPR. The regulations come into force on 25 May 2018 across Europe. The Information Commissioner’s Office (ICO) in the UK is currently running campaigns to raise awareness of the changes. It’s doing a lot to help business owners comply, and the ICO guidance is helpful.
Your organisation’s legal experts may already be working on what GDPR means for you, but have you truly considered how it affects your blog? If you use your blog as a source of new leads, and to build your email list, then you need to be aware of the changes and how you can continue to operate successfully within the law. Because the fines are huge! While it seems unlikely that small businesses will be hit with the largest fines, you should know that under the law it’s possible to receive fines of up to €20m or 4% of global turnover.
GDPR applies to personal data.
What is Personal Data?
The ICO defines personal data as:
“Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
That definitely covers things that bloggers are likely to have on file such as:
- Name, for addressing emails
- Address, for posting out products or because EU VATMOSS rules require you to know where a person is based
- Email address. Doh. For emailing.
- Date of birth, in case you do promotions based on birthdays
- Location data gathered from browser history
- Online identifiers, like social media user names, IP addresses or information from cookies. While you might not have these last two directly to hand, your blogging tools and host may have these on file.
Here are 10 things bloggers need to know about GDPR.
1. GDPR Isn’t Just About Europe
This is probably the big headline for bloggers, as we have international readerships.
If you process data belonging to people who are based in Europe, the regulations apply to you.
If you capture the personal data of blog readers from the European Union, you need to be aware of what GDPR means for you. Options are: comply with GDPR for your EU audience, or stop adding EU readers to your list.
It’s also relevant if your staff or contractors are based in the EU – perhaps you have a VA here? And if you use EU suppliers.
2. You Need To Know What Data You Have
GDPR requires you to have a data inventory. This tracks what data you process and for what purpose.
The GDPR Template Pack I recommend includes a data inventory template.
3. GDPR Applies To Paper Records Too
If you collect business cards at a conference, you need to apply the principles of data protection to them too.
This is perhaps less relevant to your business blog, but my business certainly seems to generate a lot of paper! The key is to ensure that you aren’t keeping paper records with personal data on beyond their usefulness. Get a good shredder and if you have no business reason under GDPR to continue to store the information, destroy it securely.
4. You Need To Know Where Data Goes
Where do you send or process your data? Here are some of the tools I use:
There are others too – and your blog probably has a number of other tools that you use to run your business and manage your various activities.
You need to be confident that all your suppliers are handling personal data in a way that is compliant with GDPR.
5. You Need to Capture Adequate Consent
This is a tricky GDPR for bloggers question. You need to be sure that you are capturing adequate consent. Double opt in might be enough but in many cases it’s not enough.
Having looked at the regulations in detail and taken advice, I will be changing how I capture consent.
Consent should be freely given and explicit for a particular purpose. You need to make sure GDPR-compliant wording is present at the point of collecting personal data (so that’s where you show your sign-up box on your website). And you should signpost the user to your Privacy Notice. Don’t have one? There’s a sample in the GDPR Template Pack I recommend.
Looking at consent means…
6. You Might Have To Re-Consent Your List
You may have read that you don’t need to write out to your list and ask them to reconfirm their consent to receive information from you.
It’s true, you don’t have to ask everyone to opt in…. if…. And it’s a big IF…. you captured adequate, GDPR-compliant consent in the first place.
Let’s face it, many of us can’t prove that we did. For a while, my blog had opt in boxes pre-ticked before I realised I could switch that off in ConvertKit and have no boxes at all. That made my sidebar look a whole lot better. Equally, I migrated to ConvertKit from MailChimp, and I now have no record that those MailChimp people were adequately consented back in the day. Perhaps they were. But I can’t prove it.
If you add people to your mailing list after they have got in contact with you about something, then that’s a no no too. This happened to me recently: a subject matter expert in my field, someone I respect greatly and who has an amazing reputation, got in touch to ask me to support his latest webinar with some social promotion. I was happy to. But then I found myself on his mailing list. No thanks.
Be honest with yourself: should you be re-engaging and reconsenting your list? Even if you are confident in your compliance, it’s good practice to only email people who want to hear from you.
6. You Need a Process for Managing Opt Outs
This one is actually quite easy! Your email service provider should be able to do this for you.
Add unsubscribe links to each email that you send. If someone contacts you, you should be able to remove them from your database.
If you store customer data outside of your email marketing system, then make sure you have a process to deal with requests for removal.
7. You Need a Privacy Notice
A privacy notice explains how you use personal data.
Your blog should have one. Put it on your website and then add a link to it from the footer. You can also reference it in contracts, at the point of sign up or anywhere else where people need to hear about how you will be using their data so they can make an informed decision about whether to go ahead in their relationship with you.
8. Think About Deleting Data
You need a retention policy. A retention policy explains how long you keep different types of data for. Some good practices for businesses are set by professional standards or law. For example, documents relating to accountancy must be kept for 6 years from the end of the last financial year, in the UK.
You can’t hold customer data forever – you don’t need to. If there are no mandated standards for document retention, create your own retention policy that you can justify and then stick to it.
9. Train Your Team
Many business bloggers have a team – either because the blog is part of a small business but not the only part of the business, or because you can’t do it all yourself and outsourcing helps you keep all the plates spinning.
Your team also need to know the rules. Make some time to ensure they are comfortable with what GDPR means for your organisation.
GDPR for bloggers has specific implications, but GDPR has wider reaching implications for the rest of your business too. Don’t get into a situation where your team put you at risk.
10. Consider the GDPR Risk
And talking of risk…
The fines for lack of compliance are significant, certainly enough to throw any small or medium business into disarray for some time. And even if common sense says that the ICO (in the UK, or the equivalent body in your country) isn’t going to slap entrepreneurs with the largest fines, there is always a chance that the sanctions they do impose still create issues for the day-to-day running of your business.
For example, the reputational risk of being identified in the media as a company that doesn’t treat customer data with the respect it deserves.
Know the risk, and do something about it. The easiest thing is to get the GDPR Template Pack I am using in my own business and work through the checklist included. Then you’ll know that you are covering all the bases.
What I’m Doing To Become GDPR-Compliant
I’ll be updating my blog here with a new privacy notice and complying with new regulations around signing up to my newsletter. To all intents and purposes, you probably won’t notice much different, but you can rest assured that if you subscribe to my newsletter, your data is held securely and processed in line with GDPR guidelines.
If you run projects, check out 10 GDPR Questions to Ask Before Starting a New Project.
If you run a small business, I highly recommend Suzanne Dibble’s GDPR Pack. It includes a readiness checklist, sample documentation and more, all aimed at getting you compliant in the least possible time and it’s very cost-effective.