How I made my blog GDPR compliant
The GDPR boogeyman is coming to get bloggers. You should be afraid, very afraid. Or not. The General Data Protection Regulation is coming into force on the 25th May and while most of the financial services world is still running around trying to get ready, bloggers are getting all hyped about what it means for them and their newsletter lists. Here's how I will deal with this all.
Disclaimer: none of the below is advice. You should do your own research and make up your own mind.
After reading pages upon pages of information about GDPR I have to say I was none the wiser and I know a lot of you feel the same. So I decided to talk to the real experts: the Information Commissionaire's Office. I went on the online chat first thing at 9am a week ago (so last minute) and had 3 main questions for them (by the way, it took them 24min to answer the phone, so I guess others were last minute too, lol!).
1. Am I, as a blogger (personal or professional), a data controller?
2. If yes, do I have to register with the ICO?
3. If yes, do I have to get fresh consent from my existing subscribers to comply with GDPR?
Here's how it went down (part of the ICO rep's name has been obscured).
JENNY KAKOUDAKIS: good morning ico_*******: Good morning Jenny ico_*******: How can I help? JENNY KAKOUDAKIS: hope you can answer some questions for me. I have a personal blog about interiors. People subscribe to my newsletter for years. I only collect their email address for this. ico_*******: OK JENNY KAKOUDAKIS: I also collect a name (which could be first name or first and last or alias) when they leave comments on the blog. Finally, very rarely, I RUN GIVEAWAYS SO i will collect the winner's name and residential address, which is deleted after they have received their prize. JENNY KAKOUDAKIS: Also, need to clarify, that while this is a personal blog, I am registered as an "affiliate" with a number of interiors and lifestyle companies, I do reviews about them and promote affiliate links in my blog (so if you click and buy through my link I earn a small commission). JENNY KAKOUDAKIS: With all that in mind, am I covered by GDPR ? JENNY KAKOUDAKIS: (and if it changes anything: this is not my day job, I do not earn my main income from blogging) ico_*******: OK so GDPR applies to any Data Controller who is processing personal data within its territorial scope. I would say from the information it is likely to apply to you. JENNY KAKOUDAKIS: Ok, 2) do I need to get my EXISTING subscribers to provide fresh consent going forward? Because, this is likely to result in losing most of my subscribers ico_*******: Please bear with me a moment ico_*******: It depends. In terms of marketing via email (which it sounds like this falls into in terms of newsletter) you will only need to consider updating your consent if you are currently relying on their consent and you do not believe it matches the current GDPR standards. JENNY KAKOUDAKIS: great. Now, when I asked you whether I am covered, you said it is "likely" to apply to me. How likely is "likely" and why is there not a yes/no answer? I don't want to do work I might not need to. This is a personal blog. I write about things I like in interiors. You don't have to subscribe to the blog to read it. It's personal musings. So why is a personal blog captured by GDPR? My holding a personal address book is not covered so WHY is a personal blogger considered to be a DATA CONTROLLER? ico_*******: So yes or no answers are not always possible in terms of legislation as it has to be interpreted. However, wherever you are processing personal data you become a Data Controller. It may be that you are not in terms of people just reading it. However, for example, if you were storing the personal details of subscribers in a filing system you definitely would be a Data Controller. JENNY KAKOUDAKIS: Q3: Do I then need to register with the ICO as a data controller? ico_*******: That I dont know unfortunately. You can assess the requirement to register using our online self-assessment tool; you can access this at the following link: https://ico.org.uk/for.../register/self-assessment/ If after using the online tool you are still unsure whether you are required to register it may help to discuss the matter in more detail with our registration helpline on 0303 123 1113 (selecting option for Registration - I believe it is option 2). JENNY KAKOUDAKIS: the assessment tool suggests that I should - the problem is, that would make my residential address available to everyone and that puts me and my family at risk. I travel often, the house is empty, people can see on my social media accounts that I am not around, my house can be broken into... Has the ICO considered the implications of this? Will the ICO issue (on your blog) a statement about personal bloggers to avoid interpretation issues? ico_*******: That is something you will need to discuss with our Registration. I don't work in that department so cannot advise on the specifics of the public register etc. If you call the team and select the correct option the queues are not usually long on that line. JENNY KAKOUDAKIS: ok thank you
Here's what you don't want to hear: I have found that the staff at the ICO Registrations helpline (and online chat) are unsure themselves and as such if you (whoever you may be) are trying to convince me categorically on what the requirements are, I say: HOW CAN YOU BE SURE WHEN ICO STAFF DON'T EVEN KNOW.
One thing is certain. We bloggers, are Data Controllers. We control the personal data of those who visit our blogs or register for updates, and this can include:
Email addresses when someone registers for your newsletter - And it doesn't matter if the email address itself cannot help identify the subject, for example if it looks something like Jennyhappyvibes@gmail.com as opposed to Jenny.Kakoudakis@gmail.com (and no, that's not my email by the way so don't use it).
Names - you may be collecting names together with email addresses when someone signs up for the newsletter (and I ask you: WHY? You don't need their name, so drop it from your sign up forms) or when someone leaves a comment on your blog posts.
Log files - anything to do with blog traffic, like geolocation, browser info, IP address etc. Arguably, IP addresses on their own are not enough to identify a user but over time and with other data (like device fingerprint) and account log in details you can use it to confidently say that this IP address is linked to Mr X. You would need a hell of a lot of data and an IT department behind you to do this, so don't sweat about it, the ICO cannot put you on the spot for it. You probably only see the end result of log files in what is better known as Google Analytics.
OK, I AM A DATA CONTROLLER.
DO I HAVE TO REGISTER WITH THE ICO?
I read the other day that as Data Controllers, bloggers need to register with the ICO and of course that means that we would need to have our addresses shown on the public registry. Very wisely, some of you will have concerns about your own privacy and having your address shown there.
Our entire lives are out there, and for those who are on social media, telling your followers that you are not going to be at home for a week is a real risk for your home's safety. I know I would not want random people (even blog followers) to know where I live.
The ICO suggests you do the Self Assessment to identify if you need to register or not.
Here is what I answered. Would you answer differently? And if so, which question and why?
To confirm the above I also spoke to the ICO Registration line today and got a verbal confirmation that my answers above were correct. I asked whether I could have it in writing and was told "NOPE SORRY WE DON'T CONFIRM, but "do the self assessment and save the results so that you have a record if you need it".
Which is what I document in this post. Oh and as evidence that I spoke to them, here's the call record (while showing 32 minutes, it was 24 min waiting time, LOL).
OK, I AM A DATA CONTROLLER. AND I DO NOT HAVE TO REGISTER WITH THE ICO.
DO I NEED TO GET FRESH CONSENT FROM MY ENTIRE NEWSLETTER LIST?
If you are a data controller then by default GDPR applies to you. And GDPR tells us that we need a subject's consent before we 'process their data" (aka email them our newsletters). Two things here:
1) UPDATE YOUR SUBSCRIPTION FORMS TO INCLUDE CONSENT
Again, this is what mine used to look like before... It comes up as a lightbox when you log onto my blog. It was missing the clear consent.
And here is what it looks like now:
So to sum up:
1) As a blogger I am a data controller.
2) As a data controller you may have to register with the ICO. I have done my Registration self assessment and saved the record. The result is that I do not need to register with the ICO and therefore I will not.
4) I have updated my subscription form so going forward it captures consent (and just for the sake of it age confirmation that the subscriber is over 18).
Even if you do not completely conform to GDPR from day 1, remember that it is not the end of the world. The 25th of May is only the beginning as the ICO keeps telling us. So best of luck and may the data protection force be with you.