May 23, 2018

GDPR – A Bloggers Guide

I think I can speak on behalf of everybody in the blogging world by saying we are fucking sick of hearing the abbreviations GDPR and ICO. I have spent the last few weeks being totally mind fucked by it, writing my privacy policy and editing to add bits I’ve missed every 2.3 seconds. I’m pretty sure I’m not the only one whose brain has considered melting out of their ear hole from trying to understand it all. People all around the blogosphere are losing their shit, deleting their blogs, disabling their comments, throwing their laptops into traffic (ok maybe not that one) but let’s all just stop, change our pants and chill for a minute because it’s really not as terrifying as it all seems.

Anyway, I have just spent about 84 years (1 hour and 2 minutes) on the phone to ICO themselves and finally understand it (mostly). The following information is my interpretation of GDPR and the effect it will have on bloggers. I’m not a lawyer or any sort of GDPR professional; this is just my interpretation of what information I have been given by ICO directly. I questioned it several times and three managers were asked in the process so I’m pretty confident I understand it enough now to make a decision. I am just relaying the information I was given during this phone call. Don’t come with your torch and pitchforks if you follow my advice and the ICO come for you, alright? …Alright.

What the hell is GDPR and ICO?

GDPR stands for General Data Protection Regulation.

ICO stands for Information Commissioner’s Office.

Do I need to register?

I would advise taking their quiz and when that confuses the utter fuck out of you, ring the ICO helpline because I now understand it enough to make an informed decision. I spent about 90 years on hold and over an hour actually speaking to a human and you know what? They don’t really know 100% either. Blogging is such a grey area because on one hand, we fall under the “advertising, marketing and public relations for others” category because we are technically advertising the products we write about, so from that alone we should register, but because GDPR is about personal data and not our job title, we need to assess whether we are actually processing personal identifiable information.

I only blog for a hobby, do I need to register?

No, if you are only blogging as a hobby and don’t host sponsored content, guest posts, brand or product features or accept products from brands or PRs for review then you fall under the “domestic or recreational reasons (ie information relating to a hobby)” bracket and are exempt.

What is Personal identifiable information (PII)?

This is data that can identify an individual, living person whether this be Jane Doe from down the road or Kylie Jenner.

A lot of us are worried about comments and such but unless you put the IP or email address of the commenter visible to the public or it’s linked to a social media account which has things like their location, full name, job, etc (Facebook for example) then you are not processing PII within your comment system. If someone puts their own full name and links their Facebook then that’s up to them, they are physically entering it themselves and therefore we can assume they’re ok about us seeing that. Do include that their IP address is collected by your comment system or any plug ins you may have in your privacy policy though.

Am I processing personal identifiable information?

Are you promoting brands or companies by writing reviews or featuring them on your blog (this can be paid features or just receiving products for free in exchange for some kind of mention/promotion like reviews or gift guides, that sort of thing)?

Are these products sent to you and/or are you receiving payment in exchange to feature these brands or companies?

Do the brands or companies you are collaborating with/reviewing/advertising/featuring go by an actual person’s name (eg. Orla Kiely, Charlotte Tilbury, Ted Baker) or do they have general names (eg. Johnson’s, Organix, L’Oreal, Tesco, Matalan) or are you including a name of somebody within that company (eg. the founder’s name) within your blog?

If you answered yes to all of those questions you should be registering with the ICO. 

To clarify – Say I own a make up brand and I call my line Georgina Gardner, if a blogger wanted to review one of my products and wrote a post about them they would obviously need to include my brand name which just so happens to be my actual name. This would be classed as processing identifiable information because I (an actual person) could be identified from their blog post. Same goes for reviews where you may include the company founder’s name.

If I named my brand LipstickRus (I’m bad at naming shit ok) then that wouldn’t be personal identifiable information because you can’t identify me as an individual from that brand name.

If I reviewed LipstickRus but mentioned that Georgina Gardner was the founder then I would be processing personal identifiable information, so I would need to register.

This also goes for mentioning other bloggers or people in general. GDPR couldn’t give a fuck if Sally, Sam or Sandra comment on your blog but they do care about you writing about Sally, Sam or Sandra.

If you want to talk about another blogger, maybe they’ve given you a quote or done a guest post for you, you’ve used photos of their face perhaps in that guest post, or maybe you just loved their blog so much you wanted to link to it, any scenario where you are directly talking about another living, identifiable, person on your blog publicly, by name, then you need to register with ICO. I had completely overlooked this until I spoke to them directly.

Are demographics personal data?

No, they are general data. The percentage of men or women, what device they are using whilst visiting your site, etc are not enough to identify an individual person so don’t worry about your media kits. Just cover that you collect and share this information with PRs in your privacy policy.

Do I need a Privacy Policy?

Yes. You should have one anyway really. You also need a cookies banner. This is the absolute bare bones of what you need to do.

But I don’t want my address made public!

According to the ICO, you don’t need to put your full address on the register. You do need to put your full address for the contact part of it (which isn’t published), but for the address actually visible to the public you can just leave your house number out or use a family member’s address (with their permission obvs).

Am I going to get fined millions of euros if I fuck up?

That’s extremely unlikely. For a start they would more than likely warn you first and the figure is actually 4% of your annual turnover if it ever did come to that so unless you’re Zoella, they ain’t gunna be charging you that.

Talking to the ICO, the first people they will more than likely target are those who have missed their renewal. Apparently the GDPR department who deals with the ones who fuck this shit up doesn’t even exist yet so it’s going to be a while before they come in with their torches.

That doesn’t mean to say you should slack because as of 25th May 2018 if you’re not complying with GDPR, you’re breaking the law. Try not to panic, but also don’t stick your head in the sand because you need this shit done by then. Honestly, this completely fucked with my brain for ages until I finally understood it. It’s like riding a bike. A shit, joy sucking, complicated bike.

What you need to do…condensed

>> Check your privacy policy covers the points stated by the ICO. You need to be really transparent about what data you collect, how you collect it, why you collect it, what you do with it, how long you keep it and how people can opt out. Check your plug ins because some of those will be collecting people’s data whenever they visit your site (Google Analytics for example).

>> Install a cookies banner.

>> Register with the ICO if you find that you are processing personal identifiable data (which you more than likely are if you are earning money or receiving products).

I hope that explains some of the things everyone is losing their shit about and you feel a little calmer about this whole law change jargon. I made a long ass list of everything the ICO told me this morning so hopefully I can help someone out here!

If you have any questions feel free to ask!

7 responses to “GDPR – A Bloggers Guide”

  1. Lisa Dimaline says:

    Great post, certainly has helped clear some things I’ve been thinking about the last few days.

    Lisa ❤️

  2. Becky says:

    Thanks for this, really useful. What I don’t know is what I register as on the ICO site, as there is no drop down for blogger! Any thoughts? X

  3. Catherine says:

    Thank you! Very useful post 🙂 I’ll need to do something about it, I’m just not a fan of the cookies banner at all… it’s not like I have a big blog but I do use analytics. The banner is so troublesome from a user experience perspective.

    Thank you for spending the time writing this!

  4. Fab post! It is all quite confusing, although for me, I used to do this as part of my day job so wasn’t too bad to get my head around it.

    Also relevant to bloggers, if you run giveaways, you should also always register with ICO – because you gather identifiable personal information from entrants and winners (IP address, name, email address, and for winners obviously postal address too). I’ve been meaning to re-register with ICO for ages now. De-registered as I stopped running giveaways but ah I’m back in the game now 😀

  5. Elizabeth Seal says:

    This has taken a huge weight off my mind, even if I’m still confused by many parts of it haha! This is so useful to hear it from a fellow blogger, thank you for taking the time to write this all out 😀 xx

    elizabeth ♡
