Data Protection, GDPR and all that…
Many years ago (in 1998) the UK government introduced the Data Protection Act. I remember it well – I was working for a Bank and in order to comply with the Act various members of staff were trained as ‘Data Controllers’. We all had to undergo basic training too. And, of course, the Bank had to register with the ICO.
Fast forward twenty years or so and I was part of the dot-com boom. My business partner and I built and ran dating sites (which we later sold). Of course, we registered with ICO and naturally, we followed the principles of the Act in the way we managed and used personal data.
When we sold the sites I kept one of the domain names which somehow mutated into my own personal blog. Originally intended as a bit of fun, I got hooked on blogging. At the time I started the blog I considered registering with ICO – after all, I was holding personal data (from comments left on the blog) and I was still working with third-party providers to manage my small opt-in mailing list and competition entry lists. I can remember thinking perhaps I should register. I didn’t at the time though.
Where does GDPR come in? Well, it’s an EU-wide directive that governs the management of personal data. If it’s an EU directive, surely it won’t apply after Brexit, you may ask? The answer to that is an emphatic yes – it will apply, because the government has decided it’s in our best interests. In the UK the ICO is the body which regulates that process – and registration with the ICO, if it’s appropriate to you as a blogger, involves the payment of a modest fee which funds the ICO.
There’s a very useful checklist on the ICO website that will allow you to work out whether you need to register or not.
I’m not a lawyer, but my own interpretation of it is that essentially, as a blogger, if you only hold personal data for your own marketing and promotion and you don’t use that personal information for ‘journalism or media’ then you don’t need to register. As the ICO puts it: “You are only processing personal data for the core business purposes (of writing your blog). You, therefore, do not have to register with the ICO.” Hopefully, that means one of my friends who writes a blog as a personal diary and another who documents her grandma’s recipes as a way of preserving them for the entire family won’t be expected to register – although they do hold some personal data, it is not for any commercial purpose.
But, if you run giveaways or sponsored posts or any kind of reviews designed to aid a third party’s PR or marketing, you have to register because you are processing personal data with a commercial interest.
And everyone, regardless of whether they need to register with the ICO, DOES need to comply with GDPR and to adhere to the principles. Once again, there’s a carefully managed checklist that we can all follow.
In terms of compliance, there are a few areas where I think there’s a lot of confusion.
Firstly, it’s important to understand that businesses can hold personal information without a tick-box opt-in. So, a bank could reasonably expect to hold name, address, date of birth and transaction history of customers in order to run their business. They would only be required to ask for opt-in if they intended to market other products and services to those customers.
Similarly, as bloggers, we hold the e-mail addresses of people who have left comments on the blog. We can reasonably expect those commenting to leave an email address (especially if it’s not mandatory) so that they can get a personal mail back from us. A good example would be one of my own posts about the 5:2 diet where some of the comments are asking for personal advice. Where appropriate I would always mail the individual back directly rather than reply publicly. Under GDPR there may be some requirement to delete that data on a regular basis and respond promptly to any enquiries from people on what information I hold on them, offering them the right of deletion.
Mailing lists seem to be a grey area. If you never pass your mailing list data to a third-party and your customers opted in to receive mail from you in the first place then you probably don’t need to ask for permission a second time. If your mailing list came from encouraging people to download the latest e-book you’d written or was the way to enter a competition or giveaway then yes, you will need to ask for permission again. No doubt, you’ve seen many such requests lately.
So, here’s my own checklist in the count-down to GDPR:
1. Do the ICO questionnaire and register (you may not need to do so, but my results show I should – and it currently costs £35 rather than the £40 it will be after GDPR!)
2. Carry out a data audit as recommended here
3. Delete any data that is not necessary for my blog going forward
4. Ensure that my cookie statement includes details of my data-management processes (I have used a WordPress plugin called ‘EU cookie law’ to do that for me)
5. Update my privacy statement to include a statement about data management.
6. Be prepared to respond to any requests for personal information held or deletion promptly.
It’s not that scary. I don’t believe individual bloggers are the target for the ICO. And, I suspect the grey areas will become much clearer when GDPR is implemented.