What you need to know about GDPR for bloggers and entrepreneurs

GDPR for bloggers and entrepreneurs

A clear guide to complying with GDPR consent

With GDPR laws coming into effect in May, we’re seeing the biggest change to privacy laws since the 1990s.

A lot has changed since then, including the digital revolution – so here’s how the change in data protection law affects bloggers and entrepreneurs, and what you need to do to make sure you’re treating data the right way.

If you take nothing else away, GDPR is about being open, honest and safe with personal data. Read on to find out more.

Sounds like serious stuff, but why should I care?

GDPR relates to the protection of the privacy of people’s data. That’s email addresses, names, telephone numbers – even photos and social media updates! It’s anything that can be regarded as personal data that could be used to identify a person against their will.

If you collect, store, or use any form of personal data, you’ll need to make sure that your data is up to scratch and that you add new processes to make sure you’re compliant.

How long do I have?

You have until 25th May 2018 to get your data and processes in order, to make sure you’re complying with GDPR.

But we’re going through Brexit, are you sure I have to comply?

The quick answer here is yes. You do need to comply. The government has confirmed that Brexit will not affect the GDPR start date in the UK. If you want to get into semantics, then the UK will be creating its own law which will mirror GDPR… here’s hoping they call it something catchy.

What is GDPR?

GDPR stands for General Data Protection Regulation. It’s an EU law but will be applicable in the UK both during and post-Brexit.

Here’s a quick bulleted summary of what the GDPR changes to consent are, with what they mean for you below:

  1. People must clearly consent to be contacted by you by any means
  2. Consent must be freely given – not with the ruse of any offers or gated content
  3. People must be able to clearly withdraw consent at any time
  4. You need to be able to clearly state when and where the person consented and what they consented to
  5. People’s data has a time limit – you cannot store their behavioural data for more than 2 years.

What do these changes in GDPR mean for my blog/website?

1. People must clearly consent to be contacted by you by any means

This means bye-bye to auto opt-ins. No more automatically ticked boxes on sign-up forms, or sneaky sign-ups of people who comment on your blog. No.

When people are signing up to receive updates from you, you need to make sure there is a clear box for them to tick to say something along the lines of “Yes, I want to receive emails from you about X, Y, Z”. If you do not CLEARLY, EXPLICITLY and in PLAIN LANGUAGE state what you’re going to do with that data?

You’re not compliant.

Once they’ve clicked that button, you’ll then need to send them an opt-in email where they need to make a positive action to confirm their subscription or preferences. This makes sure that people can’t accidentally (or maliciously) add anybody to email distribution lists, or contact lists against their will.

This also means that anyone you are currently contacting (or wish to contact) needs to undergo the same treatment. If they haven’t explicitly signed up to receive your marketing emails? You won’t be able to contact them after May. Call it a data detox if you will.

By May, you’ll need to make sure that anybody who will receive an email from you has explicitly opted in to keep on receiving emails from you.


2. Consent must be freely given – not with the ruse of any offers or gated content

Quite a lot of bloggers and entrepreneurs currently lure in new email sign ups with gated content – that is, something that you’re providing that they can only access if they give you their data.

Sign up to receive this download…

Get an exclusive 10% off when you sign up…

Sound familiar?

With the new law? You can’t do this; it’ll be seen as not giving free consent. You’re holding something behind a wall that they can’t otherwise access without providing their data.

To provide their data to you, there must be no win/lose scenario. Just think… if you can liken what you’re doing to the child-catcher with his lollypops in Chitty Chitty Bang Bang… you’re doing it wrong *shudder*.


3. People must be able to clearly withdraw consent at any time

As well as making sure that you have unsubscribe buttons clearly visible in all of your emails, this also means that people should be able to withdraw consent to you contacting them by any means at any time.


4. You need to be able to clearly state when and where the person consented and what they consented to

This one is a toughie. You’ll need to make sure that you can account for EVERYBODY that you contact from May onwards to say that this is how they consented (and what they consented to).

That means you’ll need to store opt in information on the location of sign up (website etc) as well as the date that they signed up. There needs to be a chain to show that they explicitly signed up to receive updates from you.

Of course, with number 3 in mind, you also need to have a way that they can withdraw their consent at any time too.


5. People’s data has a time limit – you cannot store their behavioural data for more than 2 years

If you’re storing data on people from over 2 years ago? It may need to go. Email providers have already started to make these amendments by deleting behavioural information from contacts over this time. That means that if you are storing any of that data externally? You need to make sure it’s gone.

Don’t be that weirdo that they haven’t heard from in ages. If in doubt, don’t use it.


Other changes to be aware of…

As well as the changes to consent, there are also changes to processing of data, that I’d suggest knowing more about.

  • Secure all personal data that you keep – encryption etc
  • Work out a way that data can have a ‘right to be forgotten’ – removing it entirely
  • This doesn’t affect the ability to send process-based emails – such as order confirmations. But it does mean that they cannot contain any marketing messages.
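The consent chain described in points 1, 3, 4 and 5 above, together with the ‘right to be forgotten’ from the list, as an added example that is not part of the original post: a small double opt-in ledger that records when, where and to what someone consented, only allows contact after their positive confirmation, lets them withdraw at any time, deletes a record on request and drops records older than the 2-year limit. The class and method names, the 730-day reading of ‘2 years’ and the sample addresses are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple
RETENTION = timedelta(days=730)  # assumed reading of the post's "2 years"

@dataclass
class Consent:
    email: str
    purposes: Tuple[str, ...]      # what they consented to ("weekly roundup", ...)
    source: str                    # where they consented ("website footer form")
    requested_at: datetime         # when they ticked the (unticked by default) box
    token: str                     # one-off token carried by the opt-in email
    confirmed_at: Optional[datetime] = None   # set only by their positive action
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self) -> None:
        self.records: Dict[str, Consent] = {}
    def request(self, email: str, purposes, source: str, now: datetime) -> str:
        token = secrets.token_urlsafe(16)
        self.records[email] = Consent(email, tuple(purposes), source, now, token)
        return token  # goes into the opt-in email; nothing else is sent yet
    def confirm(self, email: str, token: str, now: datetime) -> bool:
        rec = self.records.get(email)
        if rec is None or not secrets.compare_digest(rec.token, token):
            return False  # unknown address or wrong token: no consent recorded
        rec.confirmed_at, rec.withdrawn_at = now, None
        return True
    def withdraw(self, email: str, now: datetime) -> None:  # unsubscribe link
        if email in self.records:
            self.records[email].withdrawn_at = now
    def may_contact(self, email: str, purpose: str, now: datetime) -> bool:
        rec = self.records.get(email)
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at
                    and purpose in rec.purposes and now - rec.confirmed_at <= RETENTION)
    def evidence(self, email: str) -> Optional[dict]:  # point 4: when, where, what
        rec = self.records.get(email)
        if rec is None or rec.confirmed_at is None:
            return None
        return {"when": rec.confirmed_at.isoformat(), "where": rec.source,
                "what": list(rec.purposes), "withdrawn": rec.withdrawn_at is not None}
    def forget(self, email: str) -> bool:  # right to be forgotten: delete entirely
        return self.records.pop(email, None) is not None
    def purge_stale(self, now: datetime) -> int:  # point 5: drop records past the limit
        stale = [e for e, r in self.records.items()
                 if now - (r.confirmed_at or r.requested_at) > RETENTION]
        for e in stale:
            del self.records[e]
        return len(stale)
```

A real mailing tool would persist the ledger rather than keep it in memory, but the checks it has to answer (confirmed? withdrawn? for which purpose? how long ago?) are the same.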

If you’ve found this useful, please make sure you share it and pop a comment below (don’t worry, I won’t store your email address).

The GDPR deadline is 25 May 2018

More info: Official EUGDPR website.

One thought on “GDPR for bloggers and entrepreneurs”

  1. This is something I wasn’t aware of before reading your post. I am going to have to check that my blog is compliant with the new rules. #fortheloveofblog

  2. The ICO has lots of useful info on GDPR that’s worth looking at. I’m actually relieved I never bothered with a newsletter or going self-hosted as it means I don’t physically store anyone’s personal data. OTH, if Google aren’t compliant I am so screwed …

    1. Ha! It’s a big relief if you don’t store their data/use it for marketing purposes. Always worth knowing about in case you want to add it at a later date.

    1. That’s an interesting point. It may be worth you being aware that the rules are relevant for the person who holds the data rather than the person who stores it… so if you store/use data on anyone that’s in the UK/EU (or Canada/America come to think of it…) then the rules apply as it’s the way that their data has to be dealt with internationally. Hope that distinction helps!

  3. Great advice here and very clearly explained. In a previous job, I used to give advice on Data Protection law and knew changes were coming soon so thank you for reminding me of it! #fortheloveofBLOG

    1. Probably not very long to be honest – Canada adopted it quite early on but without much warning so a lot of companies lost a LOT of data because they couldn’t go back and ask people to opt in once the law suddenly changed. It’s worth knowing that the law relates to how EU data is treated, so if any business uses EU data then they have to legally comply. Not sure how they enforce that but them’s the rules. 😉

  4. That seems like a great change. It’s been like that in the states for quite some time now. As long as you have clear disclosures, you’re pretty set! Good luck to everyone with the changes! Hope it’s a positive experience!

    1. I think you’re right, but that’s not a bad thing. If people want to keep up to date, then they will still sign up… equally, if they just want the freebie and then they go on their way, then that’s fine too – those people may not be the best engaged in your other content anyway. Time will tell!

    1. I think a lot of businesses are unsure of that point at the minute. But most free platforms that offer an opt in as standard should record that sort of data automatically. Otherwise, you’ll need to capture the event of an opt in (either from clicking an email) and make sure that you can marry up the data. Bit of a faff, but once systems amend to capture the data it should be automated. Just a pain to get data up to standard.

  5. This made me panic so much but I think clarity is the issue here. Be clear in what you’re getting people to sign up for and then you’re ok. I’m looking to do a course in May, but I’ve set up a separate list to the one where my weekly posts roundup goes out to. So I assume from above I’m setting it up correctly and in line with the new laws? #fortheloveofBLOG

    1. That’s fine – as long as you’re not setting them up to receive the normal emails as well (unless they have opted in to receive it), then you’re fine to offer an email based course. Of course… they still need to opt in to the course if it goes past the May deadline 😉

  6. So useful, thanks so much for breaking this down in a way I can understand it! I hope I am compliant. I use MailChimp which sends my sign ups an email asking if they’re sure they want to subscribe. However I do use opt-ins as a sweetener to encourage people to sign to my mailing list so I think I need to go back and check the language on my sign up forms. x
