GDPR Compliance for Blogs (Compliance Checklist Inside)

What is GDPR’s Full form?

GDPR stands for General Data Protection Regulation, more precisely the European General Data Protection Regulation. The European Parliament and the Council of the European Union enacted it as law. It affects blogs and websites worldwide. How can you make your blog fully GDPR compliant?

GDPR Official Document Link

You can find the GDPR full legal document here.

Is this Law entirely “New” from the Ground?

No. This law replaces the “Data Protection Directive”, which has been in operation since 1995. The main motive of the Data Protection Directive was to make sure that the personal data of ordinary people, collected by various organizations, is kept safe and not exploited.

The main difference between the Data Protection Directive and the new GDPR is that the older one was only a Directive, which had to be enacted by the legislature of each individual EU country. The GDPR is a Regulation, which takes effect directly, without approval by the legislatures of the different EU countries.

Main Objective of GDPR Compliance

The GDPR protects the personal data of all people residing in European countries. It requires data controllers to take more responsibility and makes them accountable for personal data protection.

The GDPR became law on April 14, 2016, and goes into effect on May 25, 2018.

The previous Data Protection Directive was in place for over 20 years, but the online industry has grown enormously since then, and personal data online faces far more threats. Even giants like Google and Facebook are no exception.

The recent Facebook Cambridge Analytica scandal brought the issue into broad daylight. The European Union announced the GDPR well before that, so the scandal was merely a related issue, not the trigger for the GDPR.

Personal Data

What personal data do we mean here? What personal data does the GDPR cover? Is it just a name and an email address?


Name and email are the typical personal data we all share on the internet, but personal data does not stop there. These are just a few of the personal data that blogs and websites collect from people directly. There is other personal data that many blogs and websites collect indirectly.

For example, when you read a website, a lot of information is collected through your browser whether you know it or not. The standard example is the “cookies” in your browser. They record information such as what you buy, which referral website you purchased through, what keywords you search for on search engines, and so on. These are only a few common examples; there are many different cookies, and each collects its own data.

Protection of Personal data

This is where data controllers come into play. Who are data controllers under the GDPR? Those who collect personal data from people online are data controllers. The GDPR says these data controllers are responsible and accountable for the personal data they collect. It also says that data collection and usage must be transparent.

Responsibility and Accountability

Assume you run a blog or website and collect the email addresses of your readers. You are now a data controller. Let us see how, under the GDPR, you are responsible and accountable for protecting the personal data you collect.

#A) Personal Misuse

  • You should not mislead anyone into giving you their personal data.
  • You must make sure the personal data you collected is not used for any purpose other than the one you stated when you received it.

#B) Safety

You must ensure that the personal data you collect is stored safely, retrieved only for the promised purpose, and never shared with any third party. Data safety is your responsibility as a data controller.

#C) Data Theft/Misuse

In case of theft or misuse of personal data, you are accountable for compensating the person for the loss. The GDPR treats the compensation as the penalty. Thus you are responsible for the loss of the data even if it is stolen and misused by someone else.

#D) Data Changes Management

If a user contacts you to change their data or to remove it completely from your storage, it is your responsibility to make the change or remove it entirely, without keeping backups. If you do not take the necessary action, the user may complain to the Data Protection Officer (DPO).

Transparency

The central theme of the whole GDPR is “transparency” in collecting and processing personal data. I do not want to discuss what transparency means in general, because it is a hard subject. For simplicity, I will tell you what transparency you need to care about regarding personal data.

Personal Data Collection and Processing

The user must be informed upfront about why you collect the personal data. The reasons must be shown explicitly on the data collection forms and pages. You cannot hide them deep inside a broad terms of service page and merely link to the TOS page from the forms. In fact, that is the current situation, and it does not work in favour of the end user. That is why the more stringent GDPR now arises to guard European people.

The GDPR rigidly says that personal data may be used only for the reasons you cited on the data collection pages. For example, as a blogger or website owner, you commonly see everyone offering a freebie (an ebook or e-course) to encourage people to sign up for the email list. But afterwards, they keep on sending emails to the subscribers.

Under the GDPR, you cannot do that. If your opt-in form only said that they should give their email address to download the freebie, then you cannot send them any emails, blog posts, or promotional material after the initial freebie download emails. If you want to keep them on your email list for the long term, you must get their permission upfront through checkboxes. Otherwise, you must state in the email opt-in form something like “subscribe to the email list and get a free bonus offer (freebie) that is exclusive to subscribers”. You should also tell them in the same space what emails you will generally send to subscribers.

What about indirect personal data? How do you make it GDPR compliant?

Apart from direct data such as name, email, mobile number, and address, there are browser cookies, IP addresses recorded in web hosting control panels, Google Analytics cookies, affiliate tracking cookies, and much more indirect data commonly collected by blogs and websites.

As a data controller, you are responsible for transparently informing the audience about such data collection and how the data is used. How do you tell them about all of it? It is easy to convey on opt-in forms, but indirect data collection happens in the backend. How do you express it explicitly, or is it enough to bury it in unreadable, not very human-friendly TOS and disclaimer pages?

You cannot bury it, for the GDPR’s sake. You must expose it in appropriately visible areas. I have a few ideas.

  • Put this information at the top of the sidebar, above the fold.
  • State in each blog post that the post contains affiliate links.
  • State at the top of the header which cookies you set.
  • Show a popup with all the information before the visitor enters the blog for the first time in a session.

Google Analytics & Affiliate Cookies

Google Analytics is one of the ordinary web traffic tracking cookies we bloggers and website owners use often. Our website visitors do not seem aware of Google Analytics and what it does. It is our responsibility to tell the audience how and why we use Google Analytics.

Affiliate cookies are the general sales and commission cookies we bloggers and website owners use to track the sales we refer. In the interest of users, it is our responsibility to inform them which products we use affiliate cookies for, what information the cookies collect, and why we collect it.

What about your personal identity as the data controller?

Okay, now you understand how you must handle the personal data of your blog or website visitors. What about your own? Can you hide that from the audience? The GDPR makes no exemption that lets you conceal your own identity. Under the GDPR, you must show your personal identity without hiding or faking it. Transparency ensures that the user has the right to know whom they are giving their data to. You cannot collect other people’s data anonymously. You must show your name, and your real name at that; you cannot get away with a nickname or a fake name.

Data Minimization

One of the critical areas of the GDPR is its stringent rule that unnecessary data must not be collected. The GDPR tells you to follow a data minimization policy unless more personal data is needed to provide the service.

As of today, 25th May 2018, the GDPR is fully in force. Google, WhatsApp, and Facebook have already started receiving legal notices today about poorly implementing the GDPR.

GDPR & NOYB: Latest GDPR Development in Law Front

The non-profit organization NOYB (None Of Your Business) filed a legal case against Google, WhatsApp, and Facebook on behalf of their users.

The complaint is that these companies force users to give personal data and tracking permissions in order to use their services. The GDPR is against that by nature. Under the GDPR, unless the personal data is required by the kind of service, the service provider should not collect it.

In my opinion, NOYB will win the cases. Google, Facebook, and WhatsApp do not seem to have implemented the GDPR in the best interest of users. Instead, they implemented it in a way that does not harm their commercial interests.

Go On, Be More User-Friendly – Not Just GDPR Compliant

Instead of looking for ways merely to comply with the GDPR, I strongly suggest you genuinely care about your users’ personal data. The GDPR may seem a rather forcible law at this moment, but a few years from now there will be even more need for personal data protection. Hence I suggest treating the GDPR as an opportunity to care about your users’ personal data.

#1. GDPR is for European Users

As I said just now, you do not need to implement the GDPR only for the benefit of European users. Consider the GDPR an opportunity to protect the personal data of all users worldwide. Personal data protection need not be a choice; it is for everyone. So please implement the GDPR for all your users worldwide.

#2. Personal Data Protection is first

I see blog posts going around online about how to implement the GDPR without hurting leads, sales, and conversions. I know that such half-baked implementations do not help users in any way. What they do is interpret the law in their own favour, merely protecting their sales, not acting in the best interest of users. Avoid taking advice from such blog posts.

#3. Third Party Services

You own a blog, and you collect some personal data. You tell your users about it explicitly and take responsibility for protecting the personal data you collect. Now consider this: your web hosting company collects IP addresses and records them for web traffic analytics.

What if that data is misused at some point? Are you responsible or not? You are. You cannot point your finger at someone else in a critical situation. That is what the GDPR says: as a data controller, you are accountable for the personal data.

Contact all the third-party services you use (hosting companies, email marketing service providers) to ask how they comply with the GDPR. You also need to state what personal data such third-party services collect and how they use it.

#4. Implementation in the interest of users

Do not implement the GDPR in a rush, in an incomplete manner, or just for the sake of implementation. Here is a GDPR compliance checklist in the best interest of users.

GDPR Compliance Checklist:

#1. List of Personal Data

As a data controller, you must first know all the personal data you collect, directly and indirectly. Make a list of it.

#2. Reasons to collect Data

Now you need to tell your users what personal data you collect and what you collect it for.

#3. How are you going to display your GDPR notice?

Decide where you are going to disclose the indirect data: all in one place or in different areas. A popup shown before entering the website would help, or a notice at the top of the sidebar, a slider before the header, or a slider from the right or bottom side. That is the best way to collect indirect personal data transparently.

#4. Decide where you are going to show the compliance messages.

It is best to explain the information right where you collect the data. For example:

Opt-in forms – Show the information in the opt-in form itself.

Landing pages – Right before the opt-in form, not just at the end of the page or on disclaimer pages.

#5. Third Party Services

Display what personal data the third-party services you use collect. Email the third-party services to find out whether they are GDPR compliant, and if they do not care about the GDPR, move to other service providers that do. Do business only with those who are genuinely concerned about the GDPR and implement it in the fullest interest of users.

#6. Data Minimization

Take the list of personal data and strike out the data without which you can still run your blog as usual. Data minimization reduces your responsibility for storing data, and it is a win-win situation for both you and your users.

#7. Existing Personal Data

What personal data have you already collected and kept? Take steps to tighten its security. Do not keep such data on your mobile devices; in case of theft, the data would be at severe risk. It is also best to inform your email list about your care for the GDPR and the actions you have taken because of it.

Conversion Ratio and GDPR:

The GDPR and your conversion ratio go hand in hand. You definitely need to balance both, but do not compromise the GDPR at any cost. The GDPR is not about a terms of service page or a disclaimer page. The GDPR is a law approved by the Honorable Parliament of the European Union. Poor implementation could cost you dearly; the GDPR non-compliance penalty is very high. Though officials say they will not enforce the penalty for now, at this very early stage, you cannot count on that.

GDPR Penalty

The GDPR says that it can fine up to 4% of the company’s yearly global turnover or 20 million euros, whichever is higher. Undoubtedly the GDPR penalty would cost you far more than the little you lose in conversion ratio. Take the GDPR more seriously than conversion.

How to become GDPR compliant and preserve your conversion ratio?

There are a few things you can do to avoid losing conversion rates. It would be spoon-feeding if I explained each and every thing: how to do the opt-in form, how to do the landing page form, how to do the sales page, and so on.

But in general, I have some ideas for preserving conversion rates while complying with the GDPR.

#1. Test it multiple times

Wherever you feel you might miss the full potential of your conversion rates, you need to make tweaks and test them with A/B testing. Example: in an opt-in form, if you change the words “Free Download Ebook on Topic A” to “Subscribe to newsletter & Get Free Ebook for Subscribers”, the conversion to email subscription could definitely drop.

The best way to keep getting the same conversion rate is to tweak the conversion-reducing headlines into something else and A/B test them for a few days. Try multiple variations, and one will definitely give you back the conversion rates you were getting previously.

#2. Bring together Transparency

Instead of mentioning the GDPR compliance terms and disclaimers in multiple places (header, sidebar, content area, footer), it is better to show all of it as a popup before the visitor accesses the website, let them click the close button, and enter your site. But do not force them to accept all the terms to open the website; if you do that, it violates the GDPR rules.

The popup must not tell the visitor to accept the terms in order to enter the website; that is a way of forcing the user. Instead, a GDPR-friendly popup should display two options – one with the reasons for collecting personal data such as cookies, and another that opts out entirely from any collection of personal data such as cookies.
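To make the two-option popup concrete, here is an added example of a consent gate in browser JavaScript. It is not code from the original post; it shows one way a blog can hold back its Google Analytics and affiliate tracking scripts until the visitor explicitly accepts, treat "reject" (and any missing or malformed stored choice) as no consent, and offer the single switch-off control the summary suggests. The storage key `CONSENT_KEY`, the category names, the `TRACKERS` list and its `example.invalid` script URLs are all assumptions for illustration.

```javascript
// Added example (not from the original post): a two-option consent gate for
// a blog that would otherwise drop analytics and affiliate cookies on load.
// CONSENT_KEY, the category names and the TRACKERS entries are assumed.

const CONSENT_KEY = 'blog_consent_v1';           // assumed storage key
const CATEGORIES = ['analytics', 'affiliate'];   // assumed consent categories

// Trackers the blog uses, each tied to a consent category.
// The src values are placeholders, not real script URLs.
const TRACKERS = [
  { name: 'google-analytics',  category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { name: 'affiliate-tracker', category: 'affiliate', src: 'https://example.invalid/affiliate.js' },
];

// Turn the visitor's button click into a consent record. Only an explicit
// "accept" grants anything; "reject" or any unexpected value grants nothing,
// so the default is no tracking at all.
function decideConsent(choice, decidedAt) {
  const granted = choice === 'accept';
  const record = { version: 1, decidedAt };
  for (const category of CATEGORIES) record[category] = granted;
  return record;
}

// A category is allowed only when the record explicitly says true.
function isAllowed(record, category) {
  return Boolean(record && record[category] === true);
}

// Read a stored record defensively: missing, malformed or wrong-version
// data means "no consent", never "consent".
function parseStored(raw) {
  if (typeof raw !== 'string') return null;
  try {
    const obj = JSON.parse(raw);
    return obj && obj.version === 1 ? obj : null;
  } catch (err) {
    return null;
  }
}

// Persist the choice and return the record that was stored.
function recordChoice(storage, choice, decidedAt) {
  const record = decideConsent(choice, decidedAt);
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Names of the trackers that may be loaded under this record.
function trackersToLoad(record, trackers) {
  return trackers.filter(t => isAllowed(record, t.category)).map(t => t.name);
}

// Browser side: inject <script> tags only for permitted trackers.
function loadTrackers(doc, record, trackers) {
  for (const t of trackers) {
    if (!isAllowed(record, t.category)) continue;
    const s = doc.createElement('script');
    s.src = t.src;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Browser side: the two-option banner the post describes. Neither button
// blocks the page; the visitor can read the blog without choosing.
function installBanner(doc, storage, trackers) {
  const stored = parseStored(storage.getItem(CONSENT_KEY));
  if (stored) { loadTrackers(doc, stored, trackers); return; }
  const banner = doc.createElement('div');
  banner.setAttribute('role', 'dialog');
  banner.innerHTML =
    '<p>This blog uses Google Analytics to count visits and affiliate ' +
    'cookies to credit purchases made through our links.</p>' +
    '<button data-choice="accept">Allow these cookies</button> ' +
    '<button data-choice="reject">No cookies, just the blog</button>';
  banner.addEventListener('click', (ev) => {
    const choice = ev.target && ev.target.getAttribute('data-choice');
    if (!choice) return;
    const record = recordChoice(storage, choice, Date.now());
    loadTrackers(doc, record, trackers);
    banner.remove();
  });
  doc.body.appendChild(banner);
}

// Single "switch everything off" control: rewriting the record to all-false
// stops future loads. Cookies already set must be expired separately through
// each tracker's own opt-out mechanism.
function revokeAll(storage, decidedAt) {
  return recordChoice(storage, 'reject', decidedAt);
}

// Only wire up the banner when running in a real browser page.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  installBanner(document, localStorage, TRACKERS);
}
```

The design point is that the tracking scripts are never in the page's static HTML; they are appended only after a stored record explicitly allows their category, so a visitor who ignores or rejects the banner is never tracked. The `revokeAll` function is what a visible "turn off all data collection" button would call.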

To Summarize

The GDPR came fully into force on May 25th, 2018, but it is still a newborn. It needs to overcome a few obstacles to achieve personal data protection for all European people.

Bloggers must show their commitment to the GDPR in some way, even if not full compliance for now. They should bring in all the transparency measures gradually, in phases. Instant GDPR compliance can drag down your conversion rates, so it is best to implement GDPR compliance activities in stages. The time gap helps you test the tweaks and do A/B split testing so that conversions remain the same.

The GDPR is an opportunity to show your concern and care for the personal data of your blog visitors. Make use of it. Minimize the data you collect; it reduces your responsibilities. Try to install an application that turns all personal data collection on or off with a single button, and make that button available to your visitors.

What steps have you taken to become GDPR compliant? Share experiences here that could help the many people like you. I will also update this page whenever something newsworthy happens regarding the GDPR.
