Anyway, I have just spent about 84 years (1 hour and 2 minutes) on the phone to ICO themselves and finally understand it (mostly). The following information is my interpretation of GDPR and the effect it will have on bloggers. I’m not a lawyer or any sort of GDPR professional, this is just my interpretation of what information I have been given by ICO directly. I questioned it several times and three managers were asked in the process so I’m pretty confident I understand it enough now to make a decision. I am just relaying the information I was given during this phone call. Don’t come with your torch and pitchforks if you follow my advice and the ICO come for you, alright? …Alright.
What the hell is GDPR and ICO?
GDPR stands for General Data Protection Regulation.
ICO stands for Information Commissioner’s Office.
Do I need to register?
I would advise taking their quiz and when that confuses the utter fuck out of you ring the ICO helpline because I now understand it enough to make an informed decision. I spent about 90 years on hold and over an hour actually speaking to a human and you know what? They don’t really know 100% either. Blogging is such a grey area because on one hand, we fall under the “advertising, marketing and public relations for others” category because we are technically advertising the products we write about, so from that alone we should register, but because GDPR is about personal data and not our job title, we need to assess whether we are actually processing personal identifiable information.
I only blog for a hobby, do I need to register?
No, if you are only blogging as a hobby and don’t host sponsored content, guest posts, brand or product features or accept products from brands or PRs for review then you fall under the “domestic or recreational reasons (ie information relating to a hobby)” bracket and are exempt.
What is personal identifiable information (PII)?
This is data that can identify an individual, living person whether this be Jane Doe from down the road or Kylie Jenner.
Am I processing personal identifiable information?
Are you promoting brands or companies by writing reviews or featuring them on your blog (this can be paid features or just receiving products for free in exchange for some kind of mention/promotion like reviews or gift guides, that sort of thing)?
Are these products sent to you and/or are you receiving payment in exchange to feature these brands or companies?
Do the brands or companies you are collaborating with/reviewing/advertising/featuring go by an actual person’s name (eg. Orla Kiely, Charlotte Tilbury, Ted Baker) or do they have general names (eg. Johnson’s, Organix, L’Oreal, Tesco, Matalan), or are you including the name of somebody within that company (eg. the founder’s name) within your blog?
If you answered yes to all of those questions you should be registering with the ICO.
To clarify – Say I own a make-up brand and I call my line Georgina Gardner, if a blogger wanted to review one of my products and wrote a post about them they would obviously need to include my brand name which just so happens to be my actual name. This would be classed as processing identifiable information because I (an actual person) could be identified from their blog post. Same goes for reviews where you may include the company founder’s name.
If I named my brand LipstickRus (I’m bad at naming shit ok) then that wouldn’t be personal identifiable information because you can’t identify me as an individual from that brand name.
If I reviewed LipstickRus but mentioned that Georgina Gardner was the founder then I would be processing personal identifiable information, so I would need to register.
This also goes for mentioning other bloggers or people in general. GDPR couldn’t give a fuck if Sally, Sam or Sandra comment on your blog but they do care about you writing about Sally, Sam or Sandra.
If you want to talk about another blogger, maybe they’ve given you a quote or done a guest post for you, you’ve used photos of their face perhaps in that guest post, or maybe you just loved their blog so much you wanted to link to it, any scenario where you are directly talking about another living, identifiable, person on your blog publicly, by name, then you need to register with ICO. I had completely overlooked this until I spoke to them directly.
Are demographics personal data?
Yes. You should have one anyway really. You also need a cookies banner. This is the absolute bare bones of what you need to do.
But I don’t want my address made public!
According to the ICO, you don’t need to put your full address on the register. You do need to put your full address for the contact part of it (which isn’t published), but for the address actually visible to the public you can just leave your house number out or use a family member’s address (with their permission obvs).
Am I going to get fined millions of euros if I fuck up?
That’s extremely unlikely. For a start they would more than likely warn you first and the figure is actually 4% of your annual turnover if it ever did come to that so unless you’re Zoella, they ain’t gunna be charging you that.
Talking to the ICO, the first people they will more than likely target are those who have missed their renewal. Apparently the GDPR department who deals with the ones who fuck this shit up doesn’t even exist yet so it’s going to be a while before they come in with their torches.
That doesn’t mean to say you should slack because as of 25th May 2018 if you’re not complying with GDPR, you’re breaking the law. Try not to panic, but also don’t stick your head in the sand because you need this shit done by then. Honestly, this completely fucked with my brain for ages until I finally understood it. It’s like riding a bike. A shit, joy sucking, complicated bike.
What you need to do…condensed
>> Install a cookies banner.
>> Register with the ICO if you find that you are processing personal identifiable data (which you more than likely are if you are earning money or receiving products).
I hope that explains some of the things everyone is losing their shit about and you feel a little calmer about this whole law change jargon. I made a long ass list of everything the ICO told me this morning so hopefully I can help someone out here!
If you have any questions feel free to ask!