DISCLAIMER – I am no expert, so please do your own investigation. This is to help share my understanding from a lay person’s perspective, my opinion. There are massive gaps in my knowledge, but I figure it may be a stepping stone for you towards understanding.
I was alpha testing a GDPR questionnaire for a friend.
Me: “I don’t think I fall into scope for GDPR for Reaching Aspiration, so I’ll pretend I’m answering for my day job (of course making some of it up for testing purposes).”
Clearly I shouldn’t be in scope.
Her: “I am almost certain that the GDPR would apply to Reaching Aspiration – if you like, there is a small 5 question quiz that you can do on the d8amatiks website which you can use to see if the GDPR is applicable to you.”
Clearly I should be in scope.
“Wow, from what I’ve seen of GDPR, I’d rather shut it down or change it to contain no personal information (if that gets me out of it?).”
I was ready to quit at least half my websites and dumb down the rest.
“Haha, I think it is unlikely that you would be targeted under GDPR but at the same time I don’t think you would have to make significant changes in order to be GDPR compliant after May next (now this) year – you have a very simple set up so I don’t think it will be too over the top.”
I had until May, so I put it in my diary for early January; I have since moved it repeatedly.
Until this morning, when I made sure there was nothing else to do and I gave myself more time than needed. It did not excite me, but it is also hanging over me, so I finally decided it was time to just get it done.
What is GDPR?
GDPR is the General Data Protection Regulation. It basically encompasses all existing laws and regulations, and then wraps up any gaps not covered, which is where the “General” part comes from. It affects anyone dealing with data from EU businesses, residents, or citizens.
It comes into force 25 May.
There are three key principles that I keep in mind:
- Personal data – what is collected, how and why it is collected, and what it is then used for are key
- GDPR is proportional to risk – the compliance steps are much greater for a big company than for a blog
- Privacy by design – keep it secure
GDPR is a good thing. It enforces best practice that we should be doing already. It isn’t just something to be compliant with, it’s the right thing to do.
In simple terms, the important thing about GDPR is to take care when using personal data to use it appropriately and secure it properly.
Personally Identifiable Information (PII)
Personal data is basically anything that can identify a specific person. Ironically, a person’s name may not fall under this. There are multiple people with the name David Colley.
So, generally, any two pieces of information (sometimes one) that, combined, could narrow things down to a specific person are considered personal data. For example, someone’s name combined with a phone number, e-mail address or date of birth.
With personal data, there needs to be a clear reason to collect and store it, and consent may be required. It can only be used for the purposes described, and only what is needed should be collected. The individual then has the fall-back of the “right to be forgotten”. This is weighed against legitimate business needs, so someone who owes money couldn’t just phone up and ask to be forgotten.
“Consent” is actually not the only legal basis for storing and processing someone’s personal data – others that could possibly be relevant include Contracts and Legitimate Interest. The term Legitimate Interest hasn’t been specifically defined but is being investigated at the moment.
Actual consent and explicit consent are the same in some respects, as consent requires granularity. If you rely on consent it must be clear, unambiguous, specific, etc. For most personally identifiable information (PII) you can rely on grounds other than consent. For special categories of PII you can only collect, use, and process it IF you have received consent.
Explicit consent is not needed to store and process PII, only normal consent is. Explicit Consent is only required when you are processing sensitive data (health, religion, orientation, etc.) or if you are profiling (using computers to make decisions with legal ramifications). The difference between the two is debatable, but in my view explicit consent requires a separate statement and tickbox on its own.
Where you can, avoid relying on consent, as consent is fairly difficult to maintain. It is important that in your privacy notice/policy you set out the grounds for using the data that you rely on, and the purpose it is used for.
There are some dubious practices around competitions and other promotions in an effort to attract subscribers to a mailing list. These should be discouraged and avoided on principle as well as regulation.
GDPR is proportional to risk
At this stage, it is unlikely that the average blogger will be targeted and fined. It’s based on risk, so you won’t be fined unless you have millions of “units” of personal information in your databases. The fines are often proportional to the income earned.
Don’t spam and keep data secure is probably the best advice I can give.
It is important to keep in mind that the regulators are not the ones that any business/blogger, needs to watch out for, but it is the end-users and visitors that have significant rights to complain, request access, corrections, be forgotten etc. While a regulator may, initially, not become involved or investigate, they may become involved after the end-user has commenced his/her own complaint process.
Proportional does not mean no risk, and there are some action points below.
“Privacy by design”
This is the buzz phrase I hear around the office. The data needs to be secure and being secure is probably in our interest more than only for GDPR compliance. As a bonus Google also gives additional “points” to secure and encrypted websites.
My Action points – Use them for yourself if you like, but you will probably need to add yours
- Take down Jamberjon – It had an Instagram and Facebook log-in, with some under-18s’ information, which falls under sensitive data. It was a fun idea to drag #BoredKids away from their tablets, but I cannot adequately devote the time to set up the proper procedures I would need. If I decide to reinstate it in the future, I may leave out the gamify part.
- Delete other users and disable registration from ClassUp.Online (I don’t want to get consent again). I am only keeping it up as I plan to document the journey and learnings as part of my Personal MBA.
Mailing List – Mailerlite (or your equivalent)
- I turned off auto opt-in, or more specifically, switched on double opt-in. Double opt-in is suggested, and things like pre-checked consent boxes should be avoided at all cost. Any consent that is old and not GDPR compliant should be refreshed before 25 May 2018.
- Edited my confirmation e-mails to “If you received this email by mistake, simply delete it. You won’t be subscribed if you don’t click the confirmation link above. By clicking on the download/form/whatever/registering/link it is, you agree to receiving occasional e-mails from Reaching Aspiration, but don’t stress, we don’t like cluttering inboxes and you can unsubscribe at any time with one click.” Unsubscribing should always be as easy as subscribing, so I suggest a single-click from an email.
- Keep lists separate – only those with a legitimate interest.
- Send email to my existing subscribers.
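As an added example (my own illustration, not Mailerlite’s code or anything on the original page), here is the double opt-in and one-click unsubscribe flow from the points above, together with an erasure routine for the “right to be forgotten” mentioned earlier. Nothing lands on the list until the confirmation token is used, the unsubscribe link carries an HMAC tag so it works with a single click but cannot be forged, and each subscriber carries a record of when, where and for what purpose consent was given. The secret key, the in-memory stores, the 48-hour expiry and the example.invalid addresses are all assumptions made up for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for the example only; a real deployment loads it from
# configuration rather than hard-coding it.
SECRET_KEY = b"example-only-secret-do-not-reuse"

# In-memory stores standing in for the mailing-list provider's database.
PENDING = {}      # confirmation token -> sign-up awaiting confirmation
SUBSCRIBERS = {}  # email -> consent record

# Assumed policy: unconfirmed sign-ups expire after two days.
PENDING_TTL_SECONDS = 48 * 3600


def _sign(purpose, email):
    """HMAC tag binding a token to one email address and one purpose."""
    msg = "{}:{}".format(purpose, email).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def start_signup(email, source, now=None):
    """Record a pending sign-up and return the confirmation token to email out.
    Double opt-in: the address is NOT on the list until confirm() succeeds."""
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)  # unguessable, single-use
    PENDING[token] = {"email": email, "source": source, "requested_at": now}
    return token


def confirm(token, now=None):
    """Consume a confirmation token; returns True only if the subscription was created."""
    if now is None:
        now = time.time()
    rec = PENDING.pop(token, None)  # pop makes the token single-use
    if rec is None:
        return False
    if now - rec["requested_at"] > PENDING_TTL_SECONDS:
        return False  # expired; the visitor has to sign up again
    SUBSCRIBERS[rec["email"]] = {
        "consented_at": now,             # when consent was given
        "source": rec["source"],         # where it was given (form, download, ...)
        "purpose": "occasional newsletter",  # what it was given for
    }
    return True


def unsubscribe_link(email):
    """Single-click unsubscribe URL; the tag stops others unsubscribing this address."""
    return "https://example.invalid/unsubscribe?e={}&t={}".format(
        email, _sign("unsubscribe", email))


def unsubscribe(email, tag):
    """Honour a one-click unsubscribe if the tag matches this address."""
    if not hmac.compare_digest(_sign("unsubscribe", email), tag):
        return False
    return SUBSCRIBERS.pop(email, None) is not None


def erase(email):
    """Right to be forgotten: drop the subscriber and any pending sign-ups for the address."""
    removed = SUBSCRIBERS.pop(email, None) is not None
    stale = [t for t, r in PENDING.items() if r["email"] == email]
    for t in stale:
        del PENDING[t]
    return removed or bool(stale)


if __name__ == "__main__":
    # Constructed walk-through of the flow.
    tok = start_signup("reader@example.invalid", "download form")
    print("on list before confirming:", "reader@example.invalid" in SUBSCRIBERS)
    print("confirmed:", confirm(tok))
    print("unsubscribe link:", unsubscribe_link("reader@example.invalid"))
```

The expiry and single-use token are what keep a pre-checked box or a stale confirmation from quietly becoming consent; the consent record is what you would point to if a subscriber or regulator asked when and on what basis an address was added.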
It seems a bit like the warning that my coffee is hot, but I need to make sure that anywhere someone can comment or contact us, they consent to having this stored and displayed.
- Add disclaimer to contact us – See plug-in below.
- Add disclaimer to comments (need to check Facebook comments option) – See plug-in below.
- Bloggers should list the third-party processors that store or process PII on their behalf; they absolutely must disclose any third party which processes information on their behalf, e.g., Mailchimp, AWS, etc. – For me, Mailerlite and Siteground (referral link)
- The LOCATION of the PII is important. If you are storing EU contact data OUTSIDE the EU, there are a number of different checks you need to do, depending on the country where the data is being stored. With the advent of cloud and blogging platforms, I’d suggest bloggers check where their PII is (what country, what data centre location) and understand the steps they need to take depending on the outcome. (Search: EU-US Privacy Shield). – My data is hosted in the data centres based in London and Vilnius, Lithuania.
- What data I collect – Already in policy
- How I collect it – Already in policy
- What I do with it – Already in policy
- How long I store it – Added
- How I keep it relevant and up-to-date – Added
- Where do I store it – Added
- How I secure it – Already in policy
- How it can be updated – Added
- How to contact in case of an issue – Added
- Request or delete it – Added
- What is done when there is an issue (incident) – Added
- Cookies – Already there twice, so I deleted one and linked it in.
- Make sites https with an SSL certificate. This is becoming more standard and easy to do with most hosting options. I use Siteground (affiliate link), because their support (for the digitally impaired) is excellent.
- Have Captcha for all log-ins
- Backups need to be secure.
- Install Cookies Consent plugin – I personally find the consents annoying, like any pop-up. This one is less intrusive and conforms nicely to the themes I have. Consent is refreshed every 30 days.
- Install WP GDPR Compliance – It has a few simple questions and tries to automatically detect commonly used plug-ins that will possibly need to be amended to comply. For my limited needs, perfect.
If your risk is greater or you want some more advice, I’d suggest heading over to d8amatiks.