The GDPR affects all bloggers that collect data. That is the short answer.
In principle, that is quite a straightforward statement. But when it comes to the application of the principle to blogs, there are quite a few pressing concerns and persistent gaps in understanding of the GDPR. There are diverse interpretations that exist also due to limited expert knowledge available specifically for blogs.
Though blogs are a small piece of the puzzle, but considering the huge advances in the number of bloggers across nations, the clarity on the subject becomes more crucial. According to the data from blogging.org, there are more than a billion active websites online and interestingly more than 300 million of them are blogs.
Blogs vary widely in their scope and content; from personal blogs at one end to business blogs at the other end of the spectrum. Characteristics of blogs vary along with the purpose. So which blogs come into the purview of the regulation?
The GDPR talks about the concept of ‘economic activity’ and how every ‘enterprise’ that indulges in data collection for any economic activity is bound to comply. This factor gives added dimension to the complexity of the issue.
What if the blog does not generate revenue? What if the blog has limited readership? What if the bloggers do not visibly collect any data?
Bloggers and GDPR: Frequently Asked Questions
There is a lack of consensus amongst blog owners about the common questions that concern their blog and their responsibility towards GDPR.
While the legalities concerning blogs will be detailed and defined more with the development of the regulation after it comes into force, I have tried to bring the various concerns on one page and answer them according to my research.
What if the blog does not generate revenue?
While there are definitive guidelines for business blogs available as online resources, the case for non-business blogs is blurred. But let me clarify the basic principle.
Revenue or no revenue, that is not the basis for compliance with the GDPR. The GDPR concerns with the data collection. If the blog is collecting data then it will surely need to comply.
Let me clarify with a few examples:
Even if the charity does not have any revenue or profit collection, it will still come under GDPR if it store emails or addresses. It will also need to engage volunteers and donors while executing the principle of ‘clear consent’ in place of ‘implied consent’.
2. Residential societies
Housing associations can be privy to a lot of data including banking details, email addresses, and even health data. While the purpose of such associations may not be to generate revenue, they will need to rigorously upgrade their data policies.
So I have a public blog, but not within the EU?
A blog can be further subdivided into the following main categories based on ACCESS
- Public – anyone can access
- Private – Only blog authors can access
- Private – Only specific readers can access
The ‘public’ category, as clear from the name, has the blog being universally accessible. While this means that anyone can view the content of the blog, universal accessibility also implies that you cannot restrict any specific country to view the contents.
So, it would be safe to state that all public blogs are global.
With a global reach, and no country restriction, people from all over the world are welcome to be the readership of a blog; including the EU citizens. In doing so, the details and data of EU citizens also comes into the scope of the public blog, irrespective of the fact that the blog is not located specifically in the EU.
As a corollary to this, we can state that public blogs across the world stand to be affected by the GDPR and therefore must act to comply.
Any public blog will collect background data in the following levels
- the comment section, or
- remembering the IP addresses to identify returning customers
My blog only collects hair color details, is that personal data?
There is no precise answer to what constitutes personal data. But to be safe, it is best to take the side of precaution as against error. Even if you are unsure of whether data collected is personal data, it would be worthwhile to voluntarily opt for compliance.
What if I do not collect any data from my blog?
Many people who blog do so more for the fun of it, or to reach like-minded communities, rather than to collect heaps of data. Most bloggers with a normal public blog, do not actively seek data collection. However data is being collected, in the background.
At the most basic level, if you have a comments section, you are storing data. Visitors leaving their email addresses are another basic area of data collection.
You might think that you are not collecting data, but all blogs do collect data in their default settings.
What if my blog is private?
You may be exempted from the regulation if your nature of keeping record is for household purpose.
If you have a blog like a diary on your PC only for the purpose of organisation of the household and not any economic activity, you do not need any special implementation of the GDPR.
When faced with the question – ‘does the GDPR apply to my blog’, it is best to be safe than sorry. The fine for non-compliance is £20 million or 4 percent of turnover (whichever is greater). That is a lot of money for any organisation, especially if it is a small undertaking like a blog.
One can argue that there are ‘bigger fish to fry’ and tracking blogs may not be feasible course of action for the government.
However, think of the fact that this law is actually for betterment. The regulation will not only improve trust between consumers and businesses, it will actually restore faith in the internet itself.
Voluntary compliance will do no one any harm. Take it as a responsibility towards your society; one that you do not need a regulation to force upon you, but one that you feel good about.