I come from a commercial editorial background. In my career I'd never run a competition without rigid terms of entry, or use data collected from website users in an unlawful and unethical way. Now as a blogger (or owner of a small web-business), I like to play by the book because I can and I don't think there's an excuse for companies not to.
I should point out that I'm not a lawyer and have limited legal training when it comes to digital marketing and publishing content online, but I'm smart enough to realise that some of the changes which come into effect as a result of GDPR do affect me.
For small websites, the main thing is the collection of users' personal data. You might think you're not collecting data from users, but you probably are. For a blog website the most common ways are through contact forms or Google Analytics.
To ensure I was compliant, I made sure that it was very clear how data submitted through my contact forms was used, and reassured users that it was safe for them to enter their name and email address on my website. This was partly achieved by switching my server to SSL; doing so places the green "https" padlock in the website's address bar, which tells users that anything they submit is sent over an encrypted connection. Sending personal data through a secure/encrypted method is an important part of GDPR, and actually it's not that hard to set up. I used CloudFlare to do this, which is free and is as simple as checking a box.
My content management system logs all submissions through the contact form and stores them forever. I don't think this is in line with the data retention elements of GDPR, which state that data should only be stored for as long as necessary. So, to combat this I created an automated task which deletes all messages older than seven days. This way they are still available in my CMS should they not get through to my email inbox for any reason, but they're not being stored indefinitely in a database.
We all know that open rates on email are pretty low, so the chances of your audience actually opening an email and clicking a link to confirm their subscription are slim. I would argue that for a small website or blog, this isn't really necessary, especially if your subscribers have specifically given you their details in order to sign up to your newsletter. This affects large companies more: they often send marketing emails to customers who ticked a box (or failed to untick a box) when they signed up to their service. As you're a blogger, it's unlikely this will be the case for you.
But, like I said, I like to play by the book and wanted to ensure I wasn't sending newsletter emails to anyone I didn't have explicit consent to contact. I knew that if I sent a re-subscribe email out the response would be low... but I figured that if those people don't open emails anyway, then what's the point in having them as subscribers? I decided to make things easier by removing inactive subscribers. It may seem extreme, but they were providing no value anyway.
This was pretty easy in MailChimp; I found instructions here. I deemed my inactive subscribers to be anyone who hadn't opened a single email of mine in the last ten weeks. This turned out to be 89% of my mailing list... so I binned them off. If they weren't opening emails anyway then I've protected myself without having to bother people with another GDPR email, and I've lost nothing.
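The two retention rules described above (contact-form messages kept for seven days, subscribers dropped after ten weeks without an open) are the kind of thing that is best run as one scheduled job rather than done by hand. The script below is an added example, not the author's CMS code or MailChimp's: it assumes a SQLite database with the two tables created in the schema, ISO 8601 UTC timestamps, and, as a labelled assumption of mine, that a subscriber who has never opened anything only counts as inactive once they have been subscribed for longer than the window, so brand-new signups are not removed before they have had a chance to open an email.

```python
"""Retention job for a small site: purge old contact-form messages and remove
inactive newsletter subscribers. Added example with constructed sample data;
it assumes a SQLite database with the two tables created below."""
import sqlite3
from datetime import datetime, timedelta

MESSAGE_RETENTION = timedelta(days=7)    # keep contact messages one week
INACTIVITY_WINDOW = timedelta(weeks=10)  # no opens in ten weeks = inactive

# Assumed schema; timestamps are ISO 8601 strings so string comparison orders them.
SCHEMA = """
CREATE TABLE contact_messages (
    id INTEGER PRIMARY KEY,
    sender_email TEXT NOT NULL,
    body TEXT NOT NULL,
    received_at TEXT NOT NULL
);
CREATE TABLE subscribers (
    email TEXT PRIMARY KEY,
    subscribed_at TEXT NOT NULL,
    last_opened_at TEXT            -- NULL if the subscriber has never opened an email
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def purge_old_messages(conn, now, retention=MESSAGE_RETENTION):
    """Delete contact messages older than the retention period; return how many went."""
    cutoff = (now - retention).isoformat()
    cur = conn.execute("DELETE FROM contact_messages WHERE received_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def find_inactive_subscribers(conn, now, window=INACTIVITY_WINDOW):
    """Return emails with no open inside the window. A never-opened subscriber
    is inactive only once they have been subscribed longer than the window
    (assumption: give new signups a chance to open something)."""
    cutoff = (now - window).isoformat()
    rows = conn.execute(
        """SELECT email FROM subscribers
           WHERE (last_opened_at IS NOT NULL AND last_opened_at < ?)
              OR (last_opened_at IS NULL AND subscribed_at < ?)
           ORDER BY email""",
        (cutoff, cutoff),
    )
    return [r[0] for r in rows]


def remove_subscribers(conn, emails):
    """Delete the given subscribers; return the number requested for removal."""
    conn.executemany("DELETE FROM subscribers WHERE email = ?", [(e,) for e in emails])
    conn.commit()
    return len(emails)


def demo():
    """Run the job over constructed sample data as of a fixed 'now'; return the outcome."""
    now = datetime(2018, 5, 25, 12, 0, 0)
    conn = open_db()
    conn.executemany(
        "INSERT INTO contact_messages (sender_email, body, received_at) VALUES (?, ?, ?)",
        [("alice@example.com", "Hi!", (now - timedelta(days=1)).isoformat()),
         ("bob@example.com", "Old question", (now - timedelta(days=8)).isoformat()),
         ("carol@example.com", "Older still", (now - timedelta(days=30)).isoformat())],
    )
    year_ago = (now - timedelta(weeks=52)).isoformat()
    conn.executemany(
        "INSERT INTO subscribers (email, subscribed_at, last_opened_at) VALUES (?, ?, ?)",
        [("active@example.com", year_ago, (now - timedelta(weeks=2)).isoformat()),
         ("dormant@example.com", year_ago, (now - timedelta(weeks=12)).isoformat()),
         ("never@example.com", (now - timedelta(weeks=20)).isoformat(), None),
         ("new@example.com", (now - timedelta(weeks=1)).isoformat(), None)],
    )
    purged = purge_old_messages(conn, now)
    inactive = find_inactive_subscribers(conn, now)
    removed = remove_subscribers(conn, inactive)
    messages_left = conn.execute("SELECT COUNT(*) FROM contact_messages").fetchone()[0]
    subscribers_left = conn.execute("SELECT COUNT(*) FROM subscribers").fetchone()[0]
    return {"purged": purged, "inactive": inactive, "removed": removed,
            "messages_left": messages_left, "subscribers_left": subscribers_left}


if __name__ == "__main__":
    print(demo())
```

Run it once a day from cron (or whatever scheduler your host offers) with `now` taken from the clock; the sample run purges two of the three messages and removes the dormant and the long-silent never-opened subscriber while keeping the one who signed up last week.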
If you're reading this, you're probably not a lawyer, so it's unlikely you'll have the expertise to write a watertight policy document, but you should at the very least put together a page which tells your readers about your data control processes, whatever they are. The minimum you should include is:
- why you collect this data
- what you use this data for
- how you keep this data secure
- how long you keep the data
At the end of the day, don't betray the trust of your readers and don't use the personal data you collect from your users in any way that you wouldn't want your own data used. Don't share it, sell it, rent it, or in any other way abuse it.