The Data Protection Act can sometimes be a little daunting to follow, especially if you’re a personal blogger with no legal background. So, for everything you need to know about following GDPR principles, read on…
GDPR is a term I’m sure you’ve all heard, and one you should be aware of if you’re an active blogger. It basically places restrictions on the way that websites collect user data. This helps to promote clarity on how the data will be used, who will be using it, and most importantly, it asks for the users’ consent.
This is the reason those cookie consent popups have sprung up more and more on people’s websites; it’s all in the name of GDPR compliance. As a website owner, if you fail to meet the requirements of the GDPR principles, a user has the right to claim compensation for a data protection breach. This is why it’s so important to comply.
To avoid getting into trouble, it’s important that you know what the GDPR principles set out under the Data Protection Act are. By reading about the common mistakes bloggers make that violate these principles, and how to comply with them, you should be safe to blog to your heart’s content!
What is GDPR and the Data Protection Act 2018?
In 2016, the European Commission issued a new General Data Protection Regulation (GDPR) to protect online users’ data. The regulation states that any company collecting the data of an EU citizen must:
- Tell the user who they are, why they’re collecting the data, and how long they will store it for;
- Get consent from the user before they use their data;
- Allow users access to their data with an option to delete it;
- Inform users if a data breach occurs.
Not following GDPR can lead to a maximum fine of 20 million Euros or 4 percent of revenue. It’s unlikely that the EU would seek out a blogger and punish them for this unless they’re a huge company like Buzzfeed, but it’s better to be safe than sorry.
The Data Protection Act was then brought into law in the UK in 2018, to comply with GDPR principles. The stated purpose of the act was to:
- Update the UK’s data protection laws to meet the modern digital age;
- Empower people to take control of their data;
- And ensure the UK had GDPR rights embedded in its own laws for after the UK left the EU.
How Many GDPR Principles are There?
We’ve briefly touched on the purpose of the GDPR legislation, but there are a total of 7 distinct principles contained in this document that you should make yourself aware of.
The 7 GDPR Principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The main things to remember are to specify a purpose for your data collection, make sure that the data is accurate, don’t take any data you don’t need, and dispose of it when you’re done with it but, up until then, keep it safe. If you can’t keep the data safe, you’re accountable for any misuse of it going forward.
What is Personal Data, Anyway?
At this point, you might be wondering what personal data even is, especially since you don’t want to be found misusing it. Personal data is any information relating to an ‘identifiable person’. Identifiable information covers things such as name, ID number, location, ethnicity, gender, or political standing.
The data doesn’t necessarily have to be sensitive or confidential to qualify as personal. For blogs, the kind of data usually collected is:
- Comment data (name, email, ID or any other information you require to leave a comment on a post).
- Traffic stats from Google Analytics or equivalent traffic monitoring software.
- Third-party hosted services such as Disqus or Jetpack.
- Email signup forms like Mailchimp.
- Contact forms in their many shapes, sizes and formats.
- Web host data.
If you collect any of this information on your blog, make sure you’re following the GDPR and Data Protection Act Principles.
Common Mistakes That Violate GDPR and the Data Protection Act
If you own a blog, it’s a good idea to learn from the mistakes of your fellow bloggers. There are some easy mistakes to be made in this sector, especially if you’re unaware of the personal data you’re collecting on a daily basis.
1. Using WordPress
Plug-and-play Content Management Systems like WordPress are extremely useful for bloggers who want to write but aren’t very tech-savvy. However, because you didn’t program the system yourself, you might not realise the kinds of data it collects.
If you have blog commenting enabled, WordPress requires all commenters to submit their name and email address in order to leave a comment. It also sets web cookies for anyone who logs into your site or submits a comment. These cookies can be considered personal data.
Any WordPress plugin you use also has the potential to require people to hand over their personal data so it’s a good idea to check before enabling them on your blog.
2. Web tracking or Profiling
If you use Facebook Pixel or Google Analytics to track page views and conversions, or MailChimp to track who opens your emails, you are technically collecting personal data. If that is the case and you don’t comply, you could be found in violation of the GDPR Principles and the Data Protection Act 2018.
3. Using a Web Host That Logs Visitor IP Addresses
It’s common practice for your web host to record the IP addresses of anyone who visits your site. This is because they want to protect you against malicious attacks and unauthorised access.
The problem is, this is classified as personal data under GDPR rules and is subject to the same regulation. This is just another example of you collecting data that you might not even be aware you’re collecting.
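Truncating the client address before a log line is stored is one way to apply the data minimisation principle to the host logs described above. This is an added example, not code from the original post, and the log lines in it are constructed samples rather than real visitors.

```python
# Added example (not from the original post): reduce the personal data held in
# web-server access logs by truncating client IP addresses before storage.
import ipaddress
import re

# Constructed sample log lines in the common "combined" format (not real visitors).
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2024:13:55:36 +0000] "GET /post/gdpr HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Mar/2024:13:56:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
not-an-ip - - [10/Mar/2024:13:56:02 +0000] "GET / HTTP/1.1" 200 1 "-" "curl/8.0"
"""

# First whitespace-separated field is the client address; the rest is kept as-is.
LEADING_FIELD = re.compile(r"^(\S+)(\s.*)$")


def truncate_ip(text: str) -> str:
    """Clear the host bits of an address: IPv4 keeps a /24, IPv6 keeps a /48.

    Anything that does not parse as an IP address is replaced with '-' so that
    malformed or spoofed fields never reach the stored log unchanged.
    """
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "-"
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite the client-address field of one combined-format log line."""
    match = LEADING_FIELD.match(line)
    if not match:
        return line
    return truncate_ip(match.group(1)) + match.group(2)


def anonymise_log(text: str) -> list[str]:
    """Anonymise every non-empty line of a log file's contents."""
    return [anonymise_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG):
        print(out)
```

Run it as a filter on the log before it is written to disk; the truncated prefix still supports abuse detection at network granularity without identifying a single visitor.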
How to Comply with GDPR Principles and the Data Protection Act
So, bearing in mind that you might be collecting data you’re unaware of, what can you actually do to make your website GDPR compliant?
2. Check Third-Party Services
Now that you have a list of the data you’re collecting on your site, it’s time to look at any third-party services you’re using to collect data. If you’re using Iubenda, these should already be listed on your policy but it’s good to double-check the privacy policies listed on the sites of any 3rd party software you use. Integrate the information they share on their policies into yours, without copying and pasting, and you should be good to go!
3. Allow Email Subscribers to Opt-Out
If you use email addresses for a newsletter or subscription service, you need to provide an unsubscribe/opt-out option. You also need to make sure that the initial sign up form informs your subscribers of any data you are going to gather as a result, and how it’s going to be stored or used.
4. Have an SSL Certificate
An SSL certificate changes your site from http:// to https://, which means that any data a visitor shares with you is encrypted in transit. This makes it more difficult for attackers to obtain any of the data shared by your followers and helps cover you in the event of a data breach. You can get a free SSL certificate from Let’s Encrypt, so there’s really no excuse for not protecting your users’ data with one.
Complying is Easy as Pie
This is the end of our post on how to comply with the GDPR and the Data Protection Act as a blogger. We briefly covered what the laws are and their purpose, common mistakes that could land you in trouble, and how to protect yourself from that huge 20 million Euro fine.
Blogging is an innocent passion; none of us have malicious intent behind our data collection, and many of us aren’t even aware we’re doing it in the first place. This makes the ignorance card an easy one to play, but I stand by the fact that it’s better to be safe than sorry and to have the law on my side if things turn sour.
I hope this post has been useful and you can continue to blog in relative bliss, knowing that you are being considerate of your users’ data. If you have anything to add, please do comment down below. I’d love to hear your stories, which may help put people’s minds at ease!