Have you reached “peak GDPR” yet? No doubt you’ll likely have noticed a mad rush to meet the May 25 deadline to meet the requirements of the General Data Protection Regulation (GDPR). In this article, I will attempt to give you an overview of the what, why, and wherefores of the GDPR. And, how it might affect the blogging community.
So, what is This GDPR Thing Anyway?
The GDPR is a kind of mega upgrade to the earlier Data Protection Directive that the European Commission brought out in 1995. Way back then, the number of people using the Internet was around 16 million; today it is over 4 billion. The GDPR is a reaction to the ubiquitous nature of the Internet in our lives and the explosion of digital personal data that online services rely on.
The GDPR is about protecting the privacy and security of the personal data of EU citizens. This right to privacy follows the citizen wherever they go and whomever they do business with – even if your organization is outside the EU. And it isn’t about organization size – the GDPR is about how much data you process, not how many people you employ.
On May 25, 2018, and not a day later, the GDPR will become enforceable. This means that if you deal with EU citizen data, and this can be customers, blog readers, employees, freelancers, consultants, etc., then you have to abide by the rules of GDPR on how you handle that data
The Consent, the Rights, and the Security
So, what are these data privacy rules that you have to abide by?
GDPR is all about data so let’s start there. The GDPR specifies two classes of data:
Personal data: Examples of personal data are name, address, date of birth, etc. It can also be location data too.
Sensitive personal data: This covers special categories of data such as religion, political beliefs, ethnic origin, and so on, and has stricter rules on its use.
Consent: You probably have heard the ‘consent’ word bandied about in connection with GDPR. Consent is a part of GDPR because the regulation has a lot to do with having respect for people and their data. Consent has to be acquired to allow you to process any personal data you collect. The GDPR specifies that consent must be:
“freely given, specific, informed and unambiguous indication of the data subject’s wishes”
Data Rights: There are eight ‘data subject rights’ – allowing users to:
- be informed about the use of their data;
- have easy access to their data;
- be able to ask for data rectification;
- request data erasure;
- request that you restrict processing of their data;
- be able to move the data – data portability;
- be able to object to the use of their data; and
- not to be subject to automated decision-making including profiling.
Security: Security is a big deal under GDPR and this is a good thing. Since 2013, there have been almost 10 billion data records breached. Major data breaches like Equifax and Uber in 2017 have highlighted the need to make sure that data protection is taken seriously by organizations. This is where things like access control and encryption come in.
The GDPR doesn’t say that encryption is mandatory. However, it does state that you must use methods to protect the “confidentiality, integrity and availability” of the data you process. This includes controlling access such as setting a password and second factor (like an SMS code) to login to see data. You should also protect the data while it is at rest (e.g. on a server) and also, importantly, while data is being collected and transmitted. This is done by always using a secured website. Websites are secured using digital certificates known as SSL certificates – like the free SSL from Host Media. A secured website URL starts with HTTPS – S for secure.
Does the GDPR REALLY Apply to Bloggers?
The simple answer to this is yes, if you collect data and use it as part of a business model where you engage in economic activity – for example, you sell ad space on your blog – This is true even if you offer free ad space/goods.
Your blog newsletter: If you collect any personal data for newsletter sign-up, e.g. name and email address you need to collect consent. The old ‘opt-out method of pre-ticking the “I consent to allow” box is out. The user has to choose to actively tick that box.
Competitions: Same as above. Also, with any data collection, you need to make sure you separate out the consent. So, a tick for each action, “to use for the competition” “to agree to your T&Cs”, and so on. Don’t use the collected data for anything other than that consented to.
IP addresses and tracking: IP address is seen as personal data under GDPR so you have to minimize your collection wherever possible. If you use Google Ads you have some choices. Google is about to launch a solution that allows for non-personalized ads which will help to reduce the GDPR overhead.
Forms: You need to collect consent as with any collection of personal data. You also need to control access to the data, and ideally, encrypt the data. Controlling access is usually a password and, if available, a second factor (like an SMS text). Depending on the form system you use, there may be a copy of the form created and stored. Check with your form software that the copy is GDPR compliant.
Comments: Again, when someone posts a comment, if you collect personal details, it needs to be consented and protected. If you can avoid collecting name, etc. from comment posters, do so.
Plugins that collect data: Many blog plugins collect data, Mailchimp being an example. Even if you don’t directly collect and store data yourself, if a plugin does, you have to comply with GDPR mandates like consent, etc. Check out Mailchimp’s GDPR compliance.
Do I really need a Data Protection Officer (DPO)?: A DPO is someone who oversees the data processing activities of an organization. But they are not mandatory. They are only required under GDPR if you are a public body, process large amounts of data, or are processing very sensitive data. Bloggers tend not to fall under any of those categories.
The GDPR Handshake for Bloggers
The GDPR can seem daunting, especially to a lone blogger. It can also take up a lot of time and energy. But it is a serious attempt by the EU to control the tsunami of data swirling around the Internet. Time will tell how this regulation will be policed. There is a structure that requires if you do have a breach you have to report it. And, the fines are scary reading, with the maximum being 4% of global revenue or 20 million euros whichever is higher. However, I’m fairly sure they’ll be keeping those big fines back for the corporates.
Ultimately, bloggers represent the human side of the Internet and our interactions with our readers are hands-on and collaborative. The basic ethos of the GDPR fits well with the blog community – and respect for the personal information that our reader family gives us, should not feel like a chore.
Disclaimer: I am a data security specialist and have advised a number of small organizations on meeting GDPR compliance. However, I am not a lawyer, the advice here is for information purposes – if there is any doubt do consult a lawyer.
Susan has been working the security sector for over 20 years. She is currently Head of R&D at Avoco Secure and specialises in designing solutions for consumer and citizen identity systems. She has a lot of experience of the good, bad, and ugly of data security and privacy. She always tries to put the human being at the centre of technology whilst balancing security – this can sometimes be a challenge.
You can read Susan’s security and identity blog “Future Identity” here: https://www.csoonline.com/blog/future-identity/