GDPR & Data Protection For Bloggers & Small Websites

May 21, 2018 8:23 PM
GDPR & Data Protection
If you're reading this, you don't need me to tell you what GDPR is. Over the last few months you're likely to have received hundreds of emails from companies and organisations either telling you they've made changes to their privacy policy or that you need to confirm your subscription to your mailing list. As a blogger or someone who runs a small website, this might have left you wondering if you should be making any changes and reaching out to reassure your audience that you care about their privacy.

I come from a commercial editorial background. In my career I'd never run a competition without rigid terms of entry, or use data collected from website users in an unlawful and unethical way. Now as a blogger (or owner of a small web-business), I like to play by the book because I can and I don't think there's an excuse for companies not to.

So, my website for many years has had a terms of use page and a published privacy policy. Until recently this privacy policy just promised not to send users spam or pass their email address on should they contact me using a form on my website. I also have a newsletter, which I run through MailChimp; more on that later.

I should point out that I'm not a lawyer and have limited legal training when it comes to digital marketing and publishing content online, but I'm smart enough to realise that some of the changes which come into effect as a result of GDPR do affect me.

For small websites, the main thing is the collection of users' personal data. You might think you're not collecting data from users, but you probably are. For a blog website the most common ways are through contact forms or Google Analytics.

To ensure I was compliant, I made sure that it was very clear how data submitted through my contact forms was used and reassured users that it was safe for them to enter their name and email address on my website. This was partly achieved by switching my server to SSL; doing so places the green "https" padlock in the website's address bar to show users that their connection to the site is encrypted. Sending personal data through a secure/encrypted method is an important part of GDPR, and actually it's not that hard to set up. I used CloudFlare to do this, which is free and is as simple as checking a box.

Under the contact forms on my site I added in a line of text, which said "by using this contact form you're agreeing to our privacy policy, including the 'use of personal data' clause, and our website terms of use." I think this line is very transparent and makes it clear that privacy is a consideration and that there are processes in place.

My content management system logs all submissions through the contact form and stores them forever. I don't think this is in line with the data retention elements of GDPR, which state that data should only be stored for as long as necessary. So, to combat this I created an automated task which deletes all messages more than seven days old. This way they are still available in my CMS should they not get through to my email inbox for any reason, but they're not being stored in a database for longer than necessary.
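An added example of the kind of retention task described above (my own illustration, not the CMS's code): it assumes contact-form submissions live in a SQLite table called `submissions` with an ISO-8601 UTC `received_at` column, deletes anything older than seven days, and reports how many rows it removed so the job can be logged. The table schema and sample rows are constructed for the demo.

```python
"""Retention job: delete contact-form submissions older than a fixed number
of days. Assumed schema and sample data are constructed here for the demo."""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 7  # keep messages only as long as the post describes
DEMO_NOW = datetime(2018, 5, 21, 20, 23, tzinfo=timezone.utc)  # fixed clock

SCHEMA = """
CREATE TABLE IF NOT EXISTS submissions (
    id          INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    email       TEXT NOT NULL,
    message     TEXT NOT NULL,
    received_at TEXT NOT NULL   -- ISO-8601 with UTC offset, seconds precision
)
"""


def purge_old_submissions(conn, now=None, retention_days=RETENTION_DAYS):
    """Delete submissions received more than `retention_days` ago.
    Returns the number of rows removed."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=retention_days)).isoformat(timespec="seconds")
    # Cutoff is bound as a parameter, never formatted into the SQL string.
    cur = conn.execute("DELETE FROM submissions WHERE received_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def seed_demo_db(now):
    """Constructed sample data: one message 10 days old, one 3 days old,
    and one received just now."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [
        ("Alice", "alice@example.com", "old enquiry", now - timedelta(days=10)),
        ("Bob", "bob@example.com", "recent enquiry", now - timedelta(days=3)),
        ("Cara", "cara@example.com", "sent today", now),
    ]
    conn.executemany(
        "INSERT INTO submissions (name, email, message, received_at) VALUES (?, ?, ?, ?)",
        [(n, e, m, t.isoformat(timespec="seconds")) for n, e, m, t in rows],
    )
    conn.commit()
    return conn


def remaining_emails(conn):
    """Addresses still held after the purge, in insertion order."""
    return [r[0] for r in conn.execute("SELECT email FROM submissions ORDER BY id")]


if __name__ == "__main__":
    db = seed_demo_db(DEMO_NOW)
    print(f"purged {purge_old_submissions(db, DEMO_NOW)} rows; kept {remaining_emails(db)}")
```

Run it on a schedule (a cron entry or a CMS cron hook) so the purge happens without anyone remembering to do it.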

The next issue to tackle was my newsletter. Switching to double opt-in does make it compliant with GDPR, but holding the personal details of, and sending communications to, anyone who signed up before double opt-in may not be compliant... although it is a grey area. Big companies are handling this differently: some are assuming you still want to be contacted but telling you they've updated their privacy policy, others are asking all email subscribers to confirm their subscription.

We all know that open rates on email are pretty low, so the chances of your audience actually opening an email and clicking a link to confirm their subscription are slim. I would argue that for a small website or blog, this isn't really necessary, especially if your subscribers have specifically given you their details in order to sign up to your newsletter. This affects large companies more; they often send marketing emails to customers who ticked a box (or failed to untick a box) when they signed up to their service. As you're a blogger, it's unlikely this will be the case for you.

But, like I said, I like to play by the book and wanted to ensure I wasn't sending newsletter emails to anyone I didn't have explicit consent to contact. I knew that if I sent a re-subscribe email out the response would be low... but figured that if those people don't open emails anyway, then what's the point in having them as subscribers? I decided to make things easier by removing inactive subscribers. It may seem extreme, but they were providing no value anyway.

This was pretty easy in MailChimp; I found instructions here. I deemed my inactive subscribers to be anyone who hadn't opened a single email of mine in the last ten weeks. This turned out to be 89% of my mailing list... so I binned them off. If they weren't opening emails anyway then I've protected myself without having to bother people with another GDPR email, and I've lost nothing.

The final piece of work I carried out was to update my privacy policy, simply to reflect these changes and ensure I was being upfront and transparent about how I handle personal data. I looked through many other bloggers' websites that I rate and follow, and I couldn't actually find a terms of use or privacy policy on any of them. Perhaps it's not necessary, but I don't think there's any harm in reassuring your audience that their data is safe.

If you're reading this, you're probably not a lawyer, so it's unlikely you'll have the expertise to write a watertight policy document, but at the very least put together a page which tells your readers about your data control processes, however simple they are. The minimum you should include is:
- why you collect this data
- what you use this data for
- how you keep this data secure
- how long you keep the data

At the end of the day, don't betray the trust of your readers and don't use the personal data you collect from your users in any way that you wouldn't want your own data used. Don't share it, sell it, rent it, or in any other way abuse it.
