On May 25th this year Data Protection laws in the UK change. GDPR is a European Union law and therefore the same law applies to all member states. Interestingly, the law also applies to foreign organisations holding the data of EU citizens EU So what does this mean for websites?
Disclaimer : This post is not legal advice but is my interpretation from what I have read so far. For full information please seek professional legal advice.
Personal Websites & Bloggers
Happily for those who run personal websites and non money making Blog sites – GDPR regulations do not apply. If you’re not a business and not making money out of your site then you don’t have anything to worry about.
If you’re a private individual running a blog making a little money from affiliate links but not storing personal data then again the rules don’t apply. Comments on posts can count as storing personal data.
What if your users can register on your site? Post comments and leave their email addresses, names or register for notifications via email? Well, if you’re not making any money from your site and you’re not a business you’re fine.
So what’s the bottom line? If you’re making money from your site AND holding personal data then GDPR is going to apply. What a great year to start a new Blog!
To re-iterate because it’s important. If you process (keep) personal information AND are processing it as part of an enterprise GDPR applies. Article 4(18) defines an enterprise as ‘a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity’.
And to be clear re the personal data, the definition of personal data found in Article 4.1 of GDPR states :
“personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Storing an email address of firstname.lastname@example.org is covered by GDPR.
Storing an email address of email@example.com is not covered by GDPR.
Of course Blogs more often than not allow readers to reply to their posts in comments. And with their posts are personally identifiable information (personal data), such as names and email addresses.
This means comments to posts containing email addresses / Facebook account information etc., are covered by GDPR. But only if you’re making money. But don’t panic, read on – things don’t have to get too complicated – or expensive.
Sole Trader / Micro Business Websites
This is easy – and hardly worth a header of it’s own.
If you take any kind of personal data (see above for definition) whether you need to be GDPR compliant.
If your website does not take orders, does not have a contact form or accept or process any personal data in any way – you’re OK.
You need to also ensure if you use any kind of visitor analytics, it does not store things such as IP addresses.
Confusing Compliance with Registration
There is some confusion between what you need to do to comply, AND if you have to register with the ICO (cost £35 a year).
To be compliant you need to ensure the personal data you have is secure. Also, the data can’t be used for anything other than you have permission for. It must also be needed for your daily business or must have a lawful basis.
ICO registration may be required if you’re using personal data for anything beyond that. Helpfully, the ICO provides a self assessment tool for if you need to register.
Simple Rules Can Help
Some simple rules can help take the headache out of GDPR for small websites.
- Don’t collection any personal details if you don’t have to.
- If you collect personal details ensure that your users opt in, and collect details of the opt-in such as time, date, IP.
- If comments aren’t of value to your website, turn them off.
- Ensure any analytics / web logs collect only the information required. You can collect ip addresses for security, integrity and confidentiality. For example if necessary to collect to prevent against illegitimate use, hackers etc.
- Ensure your WordPress plugins aren’t collecting any data they shouldn’t – you are responsible for them also.
- Keep a lookout for Plugin Updates and new Plugins which will help with GDPR. There really isn’t a lot about at the moment but you can bet there will be as the 25th May approaches.
There is a lot of mis-information and panic around GDPR but for those of us who run personal websites and Blogs and don’t make any money it doesn’t have to be scary.
I doubt this will be the last GDPR related post before or after the deadline.