In well over 900 blog posts, I have never turned No Facilities over to another person. I’m not going quite that far today, but, as the title suggests, this post is off the beaten path for this blog. It’s educational – which happens sometimes. It’s longer than normal – which happens sometimes, and I hope it’s useful.
The idea for this post started in the days leading up to May 25th, the day GDPR became law. I found people asking questions on their blogs, in comments on my blog and in direct emails to me. It’s no secret that I work in the docu-techy world, so I guess asking me seemed logical. While I understand this stuff, I decided to tap a much better source. I asked my good friend Steve Weissman, Poobah and Chief Pontificator at The Holly Group, to answer a few questions about GDPR as it applies (or doesn’t) to bloggers.
I hope you find this interesting. If not, skip to the bottom for some pictures of Maddie and me as we enjoyed the break in the heatwave. Thanks for reading, and thank you, Steve for joining me today on No Facilities.
GDPR for the Little Guy (or Gal)
What is the GDPR?
The GDPR is the European Union’s General Data Protection Regulation, and as the EU’s new take on privacy protection, it took effect a month ago to much fanfare. Officially, it “protects fundamental rights and freedoms of natural persons, and in particular, their right to the protection of personal data.” Note the use of the phrase “natural persons,” which means, in the EU, in this context, corporations are not people!
Without getting too far into the nitty-gritty, the regulation states that personal information must be “processed lawfully, fairly and in a transparent manner in relation to the data subject,” “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” and “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.”
In other words, be honest, be specific, and be protective when it comes to collecting personal information about people with EU ties. Simple, right?
Whom Does It Cover?
Right! Except the GDPR does not specify whom it protects (e.g., EU citizen, resident). Instead, as you just saw, it speaks in terms of “data subjects,” which boil down to anyone who is within the borders of the EU when their personal data is processed. It also states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” This tenet also applies to the processing of personal data “by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” [Emphasis is mine.]
All of which means that the GDPR protects pretty much anyone who has spent any time in the EU, and its applicability has more to do with the location of the companies that are processing personal information than it does with the people themselves.
Does It Affect Me and My Little Blog?
Absolutely! Unless it doesn’t. Let me explain.
The language of the GDPR says it applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” So if you collect personal information about EU-based folks who engage with you, and you either save that information or plan to save it, then yes, it affects you.
Now, you may think you don’t collect any data from or about anyone, but, technically speaking, you probably do. For example, when someone leaves a comment on your post, you collect a user name, an email address, a website address (maybe), an IP address (to get country of origin), etc. If you run Akismet (anti-spam), you are collecting and forwarding that data to Akismet for “processing” against their database of bad guys. If you run Google Analytics, you pass that data on to Google in the same way.
The point is that we all collect data and give it to others to process – and even though most of the time it’s inadvertent, automatic, and invisible, it still counts and still may qualify you as a GDPR subject.
What If I Don’t Make Any Money Off My Blog? Am I Off the Hook?
Nope! Unless you are. Let me explain.
As it happens, there are a few possible “loopholes” in the GDPR, and it seems to me that they won’t be closed (or officially ruled open) until someone is taken to court.
Follow the logic thusly:
- Recital 13 talks about the need to provide “legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises.”
- Article 4.18 defines “enterprise” as “a natural or legal person [hmm, a company!] engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.”
- But nothing in the regulation defines what constitutes an “economic activity”!
So as you see, the GDPR in this regard is open to interpretation. Previous EU case law suggests that no money need exchange hands for an “activity” to be considered “economic,” so if you, say, solicit subscribers for your free newsletter, you may well be on the hook for GDPR compliance. (Click here for more about this and other loopholes.) But since it’s not articulated clearly, you may not be.
Got all that?
What Are the Consequences for Non-Compliance?
By the book, penalties for non-compliance can be YUGE. Worst case, for violating certain provisions, they can involve “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” – per offense!
The question on everybody’s mind today is how seriously will the EU pursue violations as they come to light? And right now, there’s no clarity regarding that answer.
My guess – which has been validated by any number of so-called experts, but still a guess nevertheless – is that the EU developed the GDPR with companies like Microsoft and Google and Amazon in mind: very large multinational organizations with enormously deep pockets and massive databases containing vast amounts of personal information. Does this mean regulators won’t go after smaller organizations just to make a statement? No, it doesn’t. But if I’m them, I’m going after the biggest fish in the sea to be sure my point is made, and not incidentally, to collect the biggest penalty prize.
(This is probably a good time to remind you that I’m not a lawyer, and you should check with yours before deciding any course of action.)
Won’t My Blog Hosting Platform Take Care of All This For Me?
In a word, don’t count on it. (OK, that’s four words.) WordPress and its surrounding community, for example, have published lots of good information about how to become GDPR compliant, but nothing I’ve seen suggests anything other than that you have to do it for yourself.
Which is why, by the way, we’ve all started to get message after message – via email or as Web page pop-ups – notifying us of changes to privacy policies and asking us to accept them. Organizations of many stripes, including us bloggers, are putting the issue as front-and-center as the regulation requires, and because this much is relatively easy to do, you are hereby encouraged to do it. Whether that’s enough to qualify as compliant, however, is still being debated. But at least it’s a start.
One final note in this regard: if you keep seeing privacy notices, or your readers are complaining about repeat notifications, you should know there are multiple reasons that this is happening. Among these are:
1) The site isn’t set up properly, and no cookie is created to store the acceptance.
2) The reader is accessing the site in Private Mode, in which cookies aren’t accepted.
3) The reader has cleared his/her cookies and the acceptance thus is lost.
4) The reader is using a different browser, which can’t make use of the original acceptance cookie and needs one of its own.
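To make those four reasons concrete, here is a small added JavaScript example (not code from Steve’s post or from any blogging platform) showing how a privacy banner typically remembers acceptance: it stores a versioned cookie, shows the notice whenever that cookie is absent or stale, and uses a write-then-read-back probe to detect a browser that refuses cookies. The cookie name `privacy_consent`, the 180-day lifetime and the in-memory `memoryJar` are assumptions for the example; on a live page the jar would wrap `document.cookie`.

```javascript
// Added example, not from the original post: the cookie logic behind a privacy
// banner. Acceptance lives only in a cookie; when it is missing, the notice returns.
const CONSENT_COOKIE = "privacy_consent"; // assumed cookie name and lifetime
const CONSENT_DAYS = 180;

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Show the notice if no acceptance is stored or it was for an older policy version.
function bannerNeeded(cookieString, currentPolicyVersion) {
  const consent = parseCookies(cookieString)[CONSENT_COOKIE];
  return !consent || consent !== `v${currentPolicyVersion}`;
}

// Cookie to write on acceptance: site-wide, HTTPS only, expiring after CONSENT_DAYS.
function consentCookie(policyVersion, now = new Date()) {
  const expires = new Date(now.getTime() + CONSENT_DAYS * 86400000);
  return `${CONSENT_COOKIE}=v${policyVersion}; Expires=${expires.toUTCString()}; Path=/; SameSite=Lax; Secure`;
}

// Write-then-read-back probe: a browser that silently drops cookies (private mode,
// blocking extension) fails it, so the site can explain the repeat notice.
function cookiesPersist(jar) {
  jar.set("consent_probe=1; Path=/; SameSite=Lax");
  const ok = parseCookies(jar.get()).consent_probe === "1";
  jar.set("consent_probe=; Max-Age=0; Path=/");
  return ok;
}
// Constructed in-memory stand-in for document.cookie (a real page would read and
// assign document.cookie in get/set); blockWrites imitates a browser refusing cookies.
function memoryJar(blockWrites = false) {
  const store = new Map();
  const set = (str) => {
    if (blockWrites) return;
    const [pair, ...attrs] = str.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (attrs.some((a) => /^max-age=0$/i.test(a))) store.delete(pair.slice(0, eq));
    else store.set(pair.slice(0, eq), pair.slice(eq + 1));
  };
  const get = () => [...store].map(([k, v]) => `${k}=${v}`).join("; ");
  return { get, set };
}
```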
It’s important to bear this in mind because becoming GDPR compliant isn’t a one-shot deal. As the technology changes, as your outreach expands, and as GDPR case law is established, you’ll likely have to adjust your approach to match. To what degree, and how urgently, at the moment appears to be up to you as a smaller fish in a pretty large ocean. But the law is on the books, and you’ll have to manage your risk as you deem appropriate.
Steve Weissman is The InfoGov Guy™, an uncaped crusader who brings order and discipline to the use and protection of business-critical information. Principal Consultant at Holly Group and Co-Founder of the Information Coalition, he specializes in information governance and process innovation, and optimizes everything from strategic planning and needs assessment to vendor selection and user adoption. Reach him at firstname.lastname@example.org or 617-383-4655.