{"id":115076,"date":"2018-05-22T13:04:31","date_gmt":"2018-05-22T13:04:31","guid":{"rendered":"https:\/\/www.vuelio.com\/uk\/?p=115076"},"modified":"2018-05-31T11:20:35","modified_gmt":"2018-05-31T11:20:35","slug":"gdpr-and-bloggers-what-are-the-rules","status":"publish","type":"post","link":"https:\/\/www.vuelio.com\/uk\/blog\/gdpr-and-bloggers-what-are-the-rules\/","title":{"rendered":"GDPR and bloggers: what are the rules?"},"content":{"rendered":"<p><strong>John Adams of DadBlogUK.com recently wrote a <a href=\"https:\/\/www.vuelio.com\/uk\/blog\/time-for-a-blogging-trade-association\/\" target=\"_blank\">guest post<\/a> for us proposing the need for a blogger association. As part of the subsequent conversation on Twitter, bloggers said some topics, like the GDPR, needed to be better clarified for bloggers (something an association would be able to do).<\/strong><\/p>\n<p>At Vuelio we\u2019ve been doing a lot of work around the GDPR, telling the comms industry what it means for them and what they might need to do. 
You can read our <a href=\"https:\/\/www.vuelio.com\/uk\/resources\/white-papers\/what-you-need-to-know-about-gdpr-white-paper\/\" target=\"_blank\">white paper<\/a> and <a href=\"https:\/\/www.vuelio.com\/uk\/gdpr\/\" target=\"_blank\">guide<\/a>, listen to our <a href=\"https:\/\/www.vuelio.com\/uk\/resources\/webinars\/gdpr-for-comms\/\" target=\"_blank\">webinar<\/a>, and see answers to frequently asked questions part <a href=\"https:\/\/www.vuelio.com\/uk\/blog\/the-gdpr-your-questions-answered-part-1\/\" target=\"_blank\">one<\/a> and <a href=\"https:\/\/www.vuelio.com\/uk\/blog\/the-gdpr-your-questions-answered-part-2\/\" target=\"_blank\">two<\/a>.<\/p>\n<p>Here, we\u2019ve put together some questions bloggers might have about the GDPR, with answers below:<\/p>\n<p><span style=\"font-size: 20px;\"><strong>I\u2019m only a hobbyist, does the GDPR apply to me?<\/strong><\/span><br \/>\nThe GDPR applies to anyone who is collecting and using EU citizens\u2019 personal data. It doesn\u2019t matter if you\u2019re a full-time blogger or work for free.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What\u2019s personal data?<\/strong><\/span><br \/>\nAnything that can identify an individual \u2013 whether it\u2019s on its own (an email address) or combined with another piece of information (a job title and a company). So, if you\u2019re collecting names, emails, personal preferences and anything else that could identify people, then you\u2019re processing personal data.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>Am I a Controller or a Processor of this data?<\/strong><\/span><br \/>\nThe GDPR splits responsibility for data between Data Controllers and Data Processors. 
Controllers decide how data is collected, managed and used; Processors process the data on the Controllers\u2019 instructions, in a lawful way that\u2019s compliant with the GDPR.<\/p>\n<p>So, if you\u2019re running a competition, starting a newsletter or doing a giveaway, you\u2019re deciding what information is collected, how it\u2019s stored and what you\u2019re using it for. You\u2019re a Data Controller. Your processors will most likely be the software platforms you use, like your web platform, your host and your email platform.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>Can I get someone to sort this out for me?<\/strong><\/span><br \/>\nNo (sorry). The GDPR is your responsibility. If there\u2019s one thing that\u2019s clear, it\u2019s that you need to understand your own obligations and compliance with the GDPR. Guides like this can only ever be guides \u2013 you need to understand why your data processing is compliant with the GDPR, and if you don\u2019t (or it isn\u2019t) you probably shouldn\u2019t be processing data.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>In what kinds of areas am I processing personal data?<\/strong><\/span><br \/>\nPossibly (but not limited to): newsletters, competitions, giveaways, comments, analytics tracking (if it includes identifiers like an IP address), inbound and outbound emails through your email platform, PR\/brand contact sheets and invoicing information.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What does the GDPR say I must do when using this information?<\/strong><\/span><br \/>\nYou must have a lawful basis for processing personal data. There are six, but it\u2019s likely you\u2019ll consider one of three: consent, legitimate interest and contract.<\/p>\n<p><strong>Consent:<\/strong> This basis is all about giving individuals real choice and control. 
There are specific rules about consent, especially about how clearly you explain what people are agreeing to up front.<\/p>\n<p>Consent must be a positive opt-in, so you can\u2019t use pre-ticked boxes that people have to untick to opt out. They must be actively choosing to agree to whatever it is you want from them.<\/p>\n<p>In all cases, you must make it clear why you\u2019re collecting their data and what their data is being used for. So, if they\u2019re signing up to a newsletter, the data is being used to send them your content \u2013 that\u2019s a simple explanation. But if you\u2019re then passing that data to partner brands or selling lists to certain PR agencies, that\u2019s more complicated and you must make it explicit on the sign-up form.<\/p>\n<p>This also includes the stages of processing and storage, and you must explain that they will have a clear means to opt out at any point (and give them a clear means to opt out from any comms you send them). Not everything has to be written on a consent form; you could write detailed information in your privacy policy and link to it. But when in doubt about what to include, include it \u2013 it\u2019s better to have too much information than not enough.<\/p>\n<p><strong>Legitimate interest<\/strong>: This is the broadest basis for processing personal data and you may use it when someone would realistically expect you to process their data for a particular purpose. For bloggers, this might be analytics tracking or storing emails with personal data in your inbox. You need to work out what your legitimate interest is, and it must be weighed against the rights and freedoms of the person whose data you\u2019re processing. You must publish this assessment and direct people whose data you\u2019re processing under legitimate interest to it. 
One possibility is writing out the legitimate interest explanation clearly in your privacy policy and then linking to it from emails.<\/p>\n<p>You must also give people a clear means to opt out at all times, should they exercise their right to do so.<\/p>\n<p><strong>Contract<\/strong>: Sometimes you have to process someone\u2019s information to fulfil a contractual obligation. This would apply to invoices and billing, but you still need to document that this is the basis you\u2019re using. If you\u2019re using contract as the basis, processing must not exceed what would be reasonably expected by the other party (so you can\u2019t sign someone up for your newsletter because you\u2019re billing them).<\/p>\n<p><span style=\"font-size: 20px;\"><strong>Do I have to tell everyone that I have their data and how I\u2019m using it?<\/strong><\/span><br \/>\nYes, but that doesn\u2019t mean you should be sending people emails to \u2018reconsent\u2019 (if you do, you could be in breach of <a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-pecr\/\" target=\"_blank\">PECR<\/a>, which is a whole other post!). If you\u2019re processing data under legitimate interest, you must still tell people you have their data and that it\u2019s being processed on the basis of your legitimate interest.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What if someone wants to stop me processing their data?<\/strong><\/span><br \/>\nUnless you have a good legal reason to continue processing their data (which would be in your legitimate interest), you must comply. Your data storage platform should let you remove someone from processing without deleting every trace of them (so you don\u2019t accidentally re-add someone who requested removal).<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What if someone wants to know what data I store on them?<\/strong><\/span><br \/>\nThis is called a Subject Access Request (SAR) and you have 30 days to comply. 
You have to let them know about ALL the data you\u2019ve processed that pertains to them \u2013 including information from your email platform, inbox, CMS, any spreadsheets and anywhere else you\u2019ve used or stored their data.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>Do I need records of what data I have?<\/strong><\/span><br \/>\nProbably, though it\u2019s different for different-sized companies (see below). Records should include what data you\u2019re collecting, your lawful basis, types of processing, security measures and granular details like how and when you obtained someone\u2019s data. This is useful if someone wants to know what data you have on them.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>I don\u2019t process data very often, do I need to keep records?<\/strong><\/span><br \/>\nThe Information Commissioner\u2019s Office (ICO) is responsible for policing GDPR compliance in the UK. The ICO states that if you have fewer than 250 employees, you only need to keep records for processing activities that:<\/p>\n<ul>\n<li>Are not occasional<\/li>\n<li>Could result in a risk to the rights and freedoms of individuals<\/li>\n<li>Involve the processing of special categories of data or criminal conviction and offence data<\/li>\n<\/ul>\n<p><span style=\"font-size: 20px;\"><strong>What about breaches?<\/strong><\/span><br \/>\nIf you find out that the personal data you hold is subject to a breach (it\u2019s been hacked into, or you\u2019ve left a logged-in laptop on the train) then you MUST report it to the ICO within 72 hours. If it\u2019s an accident and you generally have good processes in place to comply with the GDPR, then the ICO will look more favourably on you. If you\u2019ve not got any evidence that you\u2019ve considered the GDPR or processed data lawfully, then the ICO has the power to fine you up to \u00a317m. 
Yikes!<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What if I\u2019m collecting data for a third party, like a brand or PR agency?<\/strong><\/span><br \/>\nThis must be clearly explained in your privacy policy \u2013 the GDPR is all about people knowing how and why their data is being used.<\/p>\n<p><span style=\"font-size: 20px;\"><strong>What about the platforms I use?<\/strong><\/span><br \/>\nYou are responsible for ensuring you\u2019re using only GDPR-compliant platforms. Check the terms you\u2019ve agreed to, email their help desks and find out how they\u2019re complying with the GDPR. If they don\u2019t seem right, or aren\u2019t being helpful, shop around \u2013 this is important and all companies should be taking it seriously. At Vuelio we\u2019ve taken our responsibility as both a Data Controller and a Data Processor very seriously, and communicated this to our clients and the industry we work in. We believe every software company should be doing the same.<\/p>\n<p><strong>Want to know more? The <\/strong><a href=\"https:\/\/ico.org.uk\/for-organisations\/guide-to-the-general-data-protection-regulation-gdpr\/\" target=\"_blank\"><strong>ICO\u2019s website<\/strong><\/a><strong> may help, or you can tweet us and we\u2019ll do our best, but remember \u2013 you must understand the GDPR and you are ultimately responsible for complying.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blogging and worried about the GDPR? We present frequently asked questions from bloggers about the GDPR, and helpful answers. 
<\/p>\n","protected":false},"author":423,"featured_media":115077,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7365,7372,7272,4038,6980],"tags":[],"_links":{"self":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/115076"}],"collection":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/users\/423"}],"replies":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/comments?post=115076"}],"version-history":[{"count":2,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/115076\/revisions"}],"predecessor-version":[{"id":115297,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/posts\/115076\/revisions\/115297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/media\/115077"}],"wp:attachment":[{"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/media?parent=115076"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/categories?post=115076"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.vuelio.com\/uk\/wp-json\/wp\/v2\/tags?post=115076"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}