The Blogger's Guide to GDPR

Introduction to this guide

Disclaimer: This guide has been created to help bloggers and site owners better understand GDPR. We are not lawyers and we take no responsibility for the advice provided. It is entirely your responsibility to be aware and fully compliant with regulations.

Ok, now that's cleared up, let's take a look at GDPR! 🧐

First and foremost, do not be anxious/stressed/worried about GDPR. The information in this guide may sound scary, however it is really meant to help you keep your website in tip-top shape. GDPR covers a lot of the internet, however it is more of an issue for big companies such as Facebook and Google.

 

What is GDPR?

In 2016, the European Commission approved a new General Data Protection Regulation (GDPR). In short, GDPR states that if a website collects or stores data related to an EU citizen, you must comply with the following:

  • Tell the user who you are, why you collect the data, and how long it will be stored.
  • Get clear consent before collecting any data
  • Let users access/delete their data
  • Let users know if data breaches occur

This infographic from the European Commission is a great summary.

 

When does GDPR start?

GDPR comes into effect across the European Union on 25th May 2018

 

Why is GDPR important?

GDPR adds some new requirements regarding how websites (and therefore blogs) should protect individuals' data. It also raises the stakes for compliance by imposing greater fines for a breach. The maximum fine for non-compliance is 20 million Euro or 4% of revenue 💸

Even though the likelihood of a blogger being fined in extremely low (in our opinion, the EU has bigger fish to fry!), the principles behind GDPR should be followed to make the internet better for everyone.

According to the European Commission, the process for non-compliance is as follows:

The important thing to note here is that even if your blog is not fully compliant with GDPR, the first stage of the process is a "warning".

 

What is the definition of "personal data"?

Under GDPR, personal data is any information relating to an "identifiable person". Identifiable information includes such things as a name, ID number, location, ethnicity or political standing. Data doesn't have to be confidential or sensitive to qualify as "personal".

When looking at most normal blogs, personal data will include:

  • Blog post comments data (name, email, IP)
  • Traffic stats plugins/tools such as Google Analytics
  • 3rd party hosted services such as Jetpack, Bloglovin' and Disqus
  • Email signup forms such as Mailchimp or FeedBurner
  • Contact forms
  • Issues relating to the location of your web host. E.g. data is transferred to servers outside the EU

 

What should I do to make my blog GDPR compliant?

Ahhh the 20 million Euro question. The good news here is that WordPress is working on updates to help make your site GDPR compliant behind the scenes (example here). We're assuming that Google is also working on similar updates for Blogger/Blogspot too. This will go a long way in making the core of your site compliant with GDPR.

With that in mind, the main features you should look at are:

  • Create a Privacy Policy (consider using a service such as Iubenda). Link the Privacy Policy in your main menu, it can be in a dropdown. Do not copy and paste a Privacy Policy from another site. Iubenda offers a free plan which we highly recommend using, as this will be tailored to the features you have on your site specifically.
  • Check 3rd party services for information about their compliance (e.g. Disqus, Jetpack, rewardStyle and Skimlinks). You will need to list any information about 3rd party services in your Privacy Policy. We can confirm that your pipdig theme is fully GDPR compliant (see section below). Services such as Iubenda make this very easy by automatically adding 3rd party services to your Privacy Policy.
  • If you gather email addresses as part of a newsletter or subscription service, you must provide the ability for people to opt-out or unsubscribe. You should also ensure that any signup forms inform users of what data you gather and how it is stored/used. If you're using a third party email service such as MailChimp, you won't need to worry about these features since they will provide the required options/settings for you. You can read more about Mailchimp and GDPR in this post.
  • Ensure that your site is installed on https rather than http. Contact your host for help with this if you are unsure (SiteGround provide a free SSL certificate with any of their hosting plans).
  • Ensure WordPress is updated to the latest version.
  • Ensure that all themes and plugins are updated to the latest version. Enable automatic updates if possible (e.g. SiteGround provide automatic updates will all hosting plans).
  • If you use Google Analytics, we recommend using this plugin. Then enable the options shown in this screenshot. More information on Google Analytics and GDPR can be found in this guide.
  • Check if any plugins on your site are no longer maintained by the author. We have more information about that process in this guide.
  • Share this guide! The more bloggers that make their sites GDPR compliant, the safer our online community will become. If we all work together we can make the internet a safer place for everyone 🌍

We will keep this guide updated with any new advice/information as GDPR evolves.

 

Frequently Asked Questions 🤔

I don't care about the details, what's the main thing I need to do??

If you only have time to do one thing to help with GDPR compliance, create a Privacy Policy, it takes 5 minutes and goes a long way in helping your readers see how data is controlled and handled on your site.

I'm not located within the EU, does GDPR impact me?

Your site should be GDPR compliant if anyone inside of the EU can access it. Unless your site is completely blocked for all EU citizens, GDPR will impact how data is managed on your site.

What about Brexit?

🇬🇧 Despite Brexit, the UK is committed to stay compliant with the GDPR.

What is the new "Data Retention" option in Google Analytics?

See my reply to Elsa in the comments below.

Do I need to email my subscribers and ask them to re-subscribe?

No, not if they provided consent for you to email them when they initially subscribed. See this article for more information.

What about cookies?

🍪 When cookies can identify an individual via their device, it is considered personal data. This means if you're using Google Analytics or similar services, you need to comply with GDPR. Regarding Google Analytics, you can make a big step towards compliance by setting a "Data Retention" to 14 months. See the "Set the options" section of this guide.

We have a cookie banner/notification available on this page for WordPress and this page for Blogger/Blogspot.

What if I don't actually store any data on my site?

Even though the data might be stored externally via a 3rd party (e.g. Mailchimp), the data still runs through your site's widgets/features, so you would still need to comply with GDPR. Even though you might not think your site stores the data, it probably works with it behind the scenes.

What if I share my traffic stats with 3rd parties?

It is common practice for a PR agency to request traffic stats for a sponsored blog post. GDPR does not impact this if no personal information is included (for example email addresses or IP information). If you are sharing aggregate traffic stats, e.g. total number of views for a post, then you do not need to worry.

Is my pipdig theme GDPR compliant?

Yes, all pipdig themes are compliant with GDPR. So that's one less thing you need to worry about 🙌

All of our themes escape and sanitize data to ensure security and protect data that passes through the theme's code (you can read more about that here if you're feeling geeky). If you are using a theme from another provider, we recommend reaching out to them to check. Ensuring GDPR compliance is not an easy task and may be missed by less experienced development teams.

 

Final thoughts

We hope you have found this guide useful. Again, we'd like to stress that this guide is for informational purposes only. We are not lawyers - hence the over-use of Emojis. GDPR is a big issue for the internet as a whole, but as long as you've taken steps to make your blog more compliant, then you needn't worry about legal action. If you only have time to do one thing to help with GDPR compliance, create a Privacy Policy, it takes 5 minutes 🚀

Finally, share this guide! The more bloggers that make their sites GDPR compliant, the safer our online community will become. If we all work together we can make the internet a safer place for our data.

If you have any questions or extra information you think we've missed, be sure to leave a comment below! 🤸

Spread the word:

Was this article helpful?