GDPR: Bloggers must take this into account
The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and sanctions not only violations by corporations but also those by bloggers. To avoid suddenly receiving a warning letter as an influencer, you now have to pay attention to a few points. We explain how to make your blog GDPR-compliant.
GDPR scope: Also relevant for bloggers
Violations of the GDPR carry severe penalties. They are tiered: up to ten million euros or two percent of worldwide annual turnover, or up to twenty million euros or four percent of worldwide annual turnover, whichever amount is higher.
- Private individuals can breathe a sigh of relief, however: as early as Article 2, the regulation excludes processing "by a natural person in the course of a purely personal or household activity".
- Nevertheless, the GDPR is not aimed only at large companies such as Facebook and Google; it affects everyone who collects personal data in a professional capacity. Blogs therefore fall within the scope of the GDPR as soon as a commercial purpose can be shown, e.g. placing advertisements or working with affiliate links.
- If a blog is run purely privately and without any intention to make a profit, the GDPR and its penalties do not apply.
How do you make your blog GDPR-compliant?
Since most blogs make money in one way or another, they have to follow the requirements of the GDPR. That is easier said than done, because the GDPR is not exactly a clearly written piece of legislation, and many of its requirements can hardly be implemented without considerable legal and technical know-how. We have summarized the most important changes you have to make because of the GDPR here.
- Privacy policy: The most important item is an up-to-date privacy policy (data protection declaration). It should cover all the changes introduced by the GDPR and address them explicitly. You do not have to write the whole thing yourself: there are privacy policy generators on the Internet that produce a finished policy after you answer a few questions. Note, however, that the policy must be reachable with a single click from every subpage.
- Record of processing activities: The GDPR also requires a record of processing activities. This is a largely free-form document that breaks down which user data is collected at all and for what purpose (e.g. newsletter sign-up or audience analysis). You will find numerous suitable templates on the net.
- Opt-ins for cookies and Google Analytics: If your blog uses cookies or other tools that gather user data, such as Google Analytics, you must inform users of this when they first visit the site and obtain their explicit consent (opt-in) before those tools are loaded. You do not necessarily need much technical understanding to implement this: the WordPress plugin "Pixel Mate" from Soulsites can add these facilities automatically. All information on this topic can be found in a separate article.
- Dealing with user-generated content: Contact forms and comments also require that users be informed about the collection of their data. The WordPress plugin "WP GDPR Compliance" can be used for this.
- Secure data transfer: You must also ensure that data is transferred as securely as possible. If you do not have one yet, an encrypted connection (SSL/TLS, i.e. HTTPS) is an absolute must. You can tell whether your blog uses it from its URL: it must begin with "https://" instead of "http://". Ideally, plain "http://" requests are redirected to "https://" so that no visitor ever submits a form or comment unencrypted.
- Attention, web shops: If you run a web shop on your blog, you also need a so-called "data protection impact assessment". It is still not entirely clear from the official side which business models are actually affected. At the latest here, consulting a lawyer is urgently advisable.
Special features of the GDPR for website plugins
The GDPR poses particular problems when US web hosts and plugin providers are involved. Please note the following points:
- Data processing agreement (AVS): If you use WordPress.com or other US services, you should examine their data protection standards particularly carefully, because providers outside Europe cannot simply be assumed to follow the GDPR; as the operator, you remain fully responsible for the processing. It therefore makes sense to conclude a so-called data processing agreement with every plugin provider you use. It regulates how both contracting parties must handle user data. Good templates can also be found on the Internet.
- Exception - the Privacy Shield: Some US plugin providers, such as the newsletter service "Mailchimp", were certified under the EU-US Privacy Shield, whose members undertook to respect data protection and the GDPR. The article assumed that such companies could be treated as GDPR-compliant without a separate agreement. In practice, certification only covered the transfer of data to the US and did not replace the data processing agreement, and the Privacy Shield was declared invalid by the Court of Justice of the EU in July 2020, so this exception no longer applies.
- Be careful with Google and Facebook plugins: Caution is particularly advisable with plugins from Google and Facebook, because their standard embed code contacts the provider's servers, and thus transmits user data such as the IP address, as soon as the page is loaded, not only when someone clicks. Even with Facebook, Google or Twitter buttons embedded in the page, users must be told that their data can be collected; an opt-in or "two-click" solution that loads the provider's script only after the user actively agrees avoids the transfer on page load.
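The opt-in for cookies and Google Analytics described above and the handling of social-media buttons come down to the same technique: do not load any third-party script until the visitor has granted consent for that purpose. The following is an added example, not code from the article or from any of the plugins it mentions. The cookie name `gdpr_consent`, the purpose keys `analytics` and `social`, and the two script URLs on `example` hosts are assumptions chosen for illustration; in a real blog the URLs would be the provider's actual tag or widget scripts.

```javascript
// Added example: consent-gated loading of third-party scripts (analytics,
// social-media buttons). Not code from the original article or from any
// plugin it names. Cookie name, purpose keys and script URLs are assumptions.

const CONSENT_COOKIE = 'gdpr_consent';     // assumed cookie name
const PURPOSES = ['analytics', 'social'];  // assumed purpose keys

// Scripts that may only be injected after the matching purpose is granted.
// Placeholder hosts (assumption); nothing is fetched before opt-in.
const THIRD_PARTY = {
  analytics: 'https://analytics.example/tag.js',
  social: 'https://social.example/widgets.js',
};

// Parse a "document.cookie"-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Consent is stored as a comma-separated list of granted purposes.
// A missing cookie means "no consent": this is opt-in, not opt-out.
function grantedPurposes(cookieString) {
  const raw = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!raw) return new Set();
  return new Set(
    raw.split(',').map((s) => s.trim()).filter((p) => PURPOSES.includes(p))
  );
}

function hasConsent(cookieString, purpose) {
  return grantedPurposes(cookieString).has(purpose);
}

// Build the cookie that records the user's choice. Secure and SameSite keep
// the consent record itself from leaking or being set cross-site; unknown
// purpose names are dropped so the cookie never grants more than PURPOSES.
function buildConsentCookie(purposes) {
  const granted = purposes.filter((p) => PURPOSES.includes(p));
  const value = encodeURIComponent(granted.join(','));
  return `${CONSENT_COOKIE}=${value}; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}

// Decide which third-party script URLs may be injected for this visitor.
function scriptsToLoad(cookieString) {
  const granted = grantedPurposes(cookieString);
  return Object.entries(THIRD_PARTY)
    .filter(([purpose]) => granted.has(purpose))
    .map(([, url]) => url);
}

// Browser glue (skipped when run under Node): inject only permitted scripts
// and expose a handler for the consent banner's "accept" button. Social
// buttons stay as plain placeholders until acceptConsent(['social']) is called.
if (typeof document !== 'undefined') {
  for (const src of scriptsToLoad(document.cookie)) {
    const s = document.createElement('script');
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  window.acceptConsent = (purposes) => {
    document.cookie = buildConsentCookie(purposes);
    window.location.reload(); // re-run the gate with the new cookie
  };
}
```

The gate is deliberately decoupled from the banner: the banner only writes the cookie via `acceptConsent`, and every page load decides from the cookie alone which scripts to inject. Because the decision runs before any `<script src>` is created, the providers' servers receive no request, and therefore no IP address, from visitors who have not opted in.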
The steps listed here cover only the essential part of the changes that have to be made to your own blog under the GDPR and do not replace proper legal advice. Together with our GDPR checklist, you are nevertheless well prepared.
The next page shows how to implement the GDPR in WordPress.