A Departure – GDPR for the Little Guy

In well over 900 blog posts, I have never turned No Facilities over to another person. I’m not going quite that far today, but, as the title suggests, this post is off the beaten path for this blog. It’s educational – which happens sometimes. It’s longer than normal – which happens sometimes, and I hope it’s useful.

The idea for this post started in the days leading up to May 25th, the day GDPR became law. I found people asking questions on their blogs, in comments on my blog and in direct emails to me. It’s no secret that I work in the docu-techy world, so I guess asking me seemed logical. While I understand this stuff, I decided to access to a much better source. I asked my good friend Steve Weissman, Poobah and Chief Pontificator at The Holly Group to answer a few questions about GDPR as it applies (or doesn’t) to bloggers.

I hope you find this interesting. If not, skip to the bottom for some pictures of Maddie and me as we enjoyed the break in the heatwave. Thanks for reading, and thank you, Steve for joining me today on No Facilities.

GDPR for the Little Guy (or Gal)

What is the GDPR?

The GDPR is the European Union’s General Data Protection Regulation, and as the EU’s new take on privacy protection, it took effect a month ago to much fanfare. Officially, it “protects fundamental rights and freedoms of natural persons, and in particular, their right to the protection of personal data.” Note the use of the phrase “natural persons,” which means, in the EU, in this context, corporations are not people!

Without getting too far into the nitty-gritty, the regulation states that personal information must be “processed lawfully, fairly and in a transparent manner in relation to the data subject,” “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes,” and “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.”

In other words, be honest, be specific, and be protective when it comes to collecting personal information about people with EU ties. Simple, right?

Whom Does It Cover?

Right! Except the GDPR does not specify whom it protects (e.g., EU citizen, resident). Instead, as you just saw, it speaks in terms of “data subjects,” which boil down to anyone who is within the borders of the EU when their personal data is processed. It also states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” This tenet also applies to the processing of personal data “by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” [Emphasis is mine.]

All of which means that the GDPR protects pretty much anyone who has spent any time in the EU, and its applicability has more to do with the location of the companies that are processing personal information than it does with the people themselves.

Does It Affect Me and My Little Blog?

Absolutely! Unless it doesn’t. Let me explain.

The language of the GDPR says it applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” So if you collect personal information about EU-based folks who engage with you, and you either save that information or plan to save it, then yes, it affects you.

Now, you may think you don’t collect any data from or about anyone, but, technically speaking, you probably do. For example, when someone leaves a comment on your post, you collect a user name, and email, a website address (maybe), an IP address (to get country of origin), etc. If you run Askimet (anti-spam) you are collecting and forwarding that data to Askimet for “processing” against their database of bad guys. If you run Google analytics, you pass that data onto Google in the same way.

The point is that we all collect data and give it to others to process – and even though most of the time it’s inadvertent, automatic, and invisible, it still counts and still may qualify you as a GDPR subject.

What If I Don’t Make Any Money Off My Blog. Am I Off the Hook?

Nope! Unless you are. Let me explain.

As it happens, there are a few possible “loopholes” in the GDPR, and it seems to me that they won’t be closed (or officially ruled open) until someone is taken to court.

Follow the logic thusly:

  • Recital 13 talks about the need to provide “legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises.”
  • Article 4.18 defines “enterprise” as “a natural or legal person [hmm, a company!] engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.”
  • But nothing in the regulation defines what constitutes an “economic activity”!

So as you see, the GDPR in this regard is open to interpretation. Previous EU case law suggests that no money need exchange hands for an “activity” to be considered “economic,” so if you, say, solicit subscribers for your free newsletter, you may well be on the hook for GDPR compliance. (Click here for more about this and other loopholes.) But since it’s not articulated clearly, you may not be.

Got all that?

What Are the Consequences for Non-Compliance?

By the book, penalties for non-compliance can be YUGE. Worst case, for violating certain provisions, they can involve “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher” – per offense!

The question on everybody’s mind today is how seriously will the EU pursue violations as they come to light? And right now, there’s no clarity regarding that answer.

My guess – which has been validated by any number of so-called experts, but still a guess nevertheless – is that the EU developed the GDPR with companies like Microsoft and Google and Amazon in mind: very large multinational organizations with enormously deep pockets and massive databases containing vast amounts of personal information. Does this mean regulators won’t go after smaller organizations just to make a statement? No, it doesn’t. But if I’m them, I’m going after the biggest fish in the sea to be sure my point is made, and not incidentally, to collect the biggest penalty prize.

(This is probably a good time to remind you that I’m not a lawyer, and you should check with yours before deciding any course of action.)

Won’t My Blog Hosting Platform Take Care of All This For Me?

In a word, don’t count on it. (OK, that’s four words.) WordPress and its surrounding community, for example, have published lots of good information about how to become GDPR compliant, but nothing I’ve seen suggests anything other than you have to do it for yourself.

Which is why, by the way, we’ve all started to get message after message – via email or as Web page pop-ups – notifying us of changes to privacy policies and asking us to accept them. Organizations of many stripes, including we bloggers, are putting the issue as front-and-center as the regulation requires, and because this much is relatively easy to do, you are hereby encouraged to do it. Whether that’s enough to qualify as compliant, however, is still being debated. But at least it’s a start.

One final note in this regard: if you keep seeing privacy notices, or your readers are complaining about repeat notifications, you should know there are multiple reasons that this is happening. Among these are:

1) The site isn’t set it up properly, and no cookie is created to store the acceptance.

2) The reader is accessing the site in Private Mode, in which cookies aren’t accepted.

3) The reader has cleared his/her cookies and the acceptance thus is lost.

4) The reader is using a different browser, which can’t make use of the original acceptance cookie and needs one of its own.

It’s important to bear this in mind because becoming GDPR compliant isn’t a one-shot deal. As the technology changes, as your outreach expands, and as GDPR case law is established, you’ll likely have to adjust your approach to match. To what degree, and how urgently, at the moment appears to be up to you as a smaller fish in a pretty large ocean. But the law is on the books, and you’ll have to manage your risk as you deem appropriate.

Steve Weissman is The InfoGov Guy™, an uncaped crusader who brings order and discipline to the use and protection of business-critical information. Principal Consultant at Holly Group and Co-Founder of the Information Coalition, he specializes in information governance and process innovation, and optimizes everything from strategic planning and needs assessment to vendor selection and user adoption. Reach him at sweissman@hollygroup.com or 617-383-4655.


    • Thanks Dan. I think “clear as mud” is a common feeling right about now. The most common response I hear is “we think we’re OK” and that’s from businesses who really have to get this stuff right.


  1. Almost a few minutes ago I commented that I’m waiting for your next post and here it is. Well, in the past four years India (and I as Indian) have seen so many laws being implemented, some social, some political, some economic, and some digital that I have lost count of it. In fact, the people have become immune to it. Every day you log in to a news channel or pick a newspaper there is something about the new rules and regulations. I’m sure most Indian bloggers wouldn’t even know about GDPR in the first place because we have our own third world country issues.

    Liked by 2 people

    • Thanks Sharukh. We will likely see more of these laws in the coming years. We won’t really know what they mean until someone gets a huge fine, and takes the issue to court. The old saying “the law means what the judge says it means” will end up defining GDPR and other such regulations.

      Liked by 2 people

  2. I want to say thank you for the info but I have to go take something for my headache first….there. OK. Very informative and concise and I read every word. Do I fully understand the inplications? No. Sometimes I just want to go live in a cave, i mean, this world is driving me bat sh…carzy anyway..🙄 Those flowers are hydrangeas. We have tons of them in the South and they actually grew almost wild in CR. And I love portulaca. They grow anywhere and don’t mind the heat much. Nice to see you and Maddie enjoying the sunshine. Hope your week is peaceful.

    Liked by 4 people

    • Thanks for reading Cheryl and for pointing out the hydrangeas. I probably could have asked the Editor, but I was late gathering the pictures for this post. The laws probably won’t touch us, but it’s good to know what to look for. I go with: “if I take some steps, I can say I tried to comply” maybe someone points out that it wasn’t enough, but I feel safer knowing I tried.

      Maddie is one tired puppy dog today. Big walks, lots of time sitting and watching. I think she’ll sleep all day, but she was happy this weekend.

      Liked by 1 person

  3. Thank you, Dan, for throwing in photos of Maddie and a cold Corona because reading this with my coffee was definitely not enough. I can’t imagine going after a New England blogger versus Amazon, but, hey, stranger things have happened. I wouldn’t have a clue how to protect myself beyond assuming that WordPress is doing it, and we all know what depending upon ‘assume’ really means. So, do we small bloggers with no interest in using your personal data hang it up? I guess I’ll creep along and see where this goes. Thanks for keeping us up to date with this very well written but scary post.

    Liked by 1 person

    • Thanks Judy. I know my audience, so the pictures of Maddie were essential today.

      I don’t really think most of us have anything to worry about. Some people do actively collect email addresses and other contact information, for newsletters and promotions. Again, I wouldn’t worry about the EU coming after you. However, if you send someone an email, and they turn around and ask you to “forget” them, you need to know hoe to do that,

      I won’t be reaching out to anyone who didn’t leave a comment here, so I think I’m safe.

      Liked by 2 people

  4. Thanks for this info, Dan. I started reading the first part of your post and realized I need to be fully awake and have some time to take this all in. To comprehend. I’ll be back…

    First thing on a Monday morning, though, I can take in photos of flowers and Maddie and beer. :-)

    Liked by 1 person

  5. My hot cup of bayleaf tea is not enough to help my brain wake up to process this information. Let me see if I get this right…I can’t assume that WP has taken care of “it”? I should put a disclaimer/notice/statement about GDPR on my blog? How do I even word that? I have no control over Akismet, for example. I’m going to have to read through this post a few more times. I wish I were that squirrel. He isn’t worried about GDPR! 😀

    Liked by 2 people

  6. Nice post Dan. And all this time I thought GDPR was something you told your urologist was not working ! And something one never said in polite conversation when a temporary absence from the bar was in order….

    Liked by 1 person

  7. Wow!! I will have my daughter read both your blogs since she has a blog. Not sure this effects me since I’m only a ‘commenter’. This is waaaay over my head.

    Hydrangeas are beautiful. No rainbow yet, but I like what you did capture. Maddie and her ears flying says it all. She’s in her glory.

    Walks, naps, beer, great weather….doesn’t get better than that!

    Liked by 1 person

    • Thanks. I’m going to go with ‘better safe than sorry’ but most of this doesn’t effect most of us, so…

      I knew I could save the day from a boring post if I added enough Maddie pictures – I just love her ears.


  8. Okay, yeah, I guess I’ll write another thing. Seems I do need a thing. Just in cases. Glad you were able to help me determine I probably need a thing.
    I’m glad for the pretty pictures — very healing after such a read :D

    Liked by 1 person

    • Haha – see, we do need things.

      I’m glad Steve could help. I think it all falls into the better safe than sorry bucket. I knew I’d need some nice pictures. I like Maddie’s approach to the whole thing.

      Liked by 1 person

  9. I was going to say exactly what Dan Hen said about it being as clear as mud to me. :)

    I also thought WP was taking care of it.

    Having a beer, sitting with Maddie, or walking with Maddie enjoying the flowers is what I’d rather be doing.

    Liked by 1 person

    • Maddie has the best approach to problems. Just sit and don’t think about them. Watch the birds, the bunnies, the squirrels (have a beer if you like) and, if you nod off, don’t worry.

      You shouldn’t feel bad. They made the regulation hard to understand on purpose. They want it to be vague so it applies to people and businesses in the gray areas. I figure a few simple steps can’t hurt and don’t take too much effort,

      Liked by 1 person

  10. Thanks so much, Dan. Between you and your guru, the info was very informative. Actually, it was better than that, user friendly and interesting. So why do I still not know what what I should do, being a little blogging fish in a America? I guess being aware is the most important thing.

    Liked by 1 person

  11. Seems far fetched that it could be a problem, but stranger things are happening, so who knows. I did take your suggestion to add the banner. I hate it and think it will put people off. Oh well…

    Liked by 1 person

  12. The GDPR is the second reason why I’m not paying for the extras on my blog. I don’t feel I know enough to be THAT responsible for reader’s privacy. My first reason is I just can’t afford the extras. I don’t mind the notices all that much. They remind me that the site is complying.

    I noticed something in your photos of Maddie. She always has her leash on outside, even when you two are just sitting. Is she one of those dogs who think she needs to be “connected” to you to keep you safe?

    Liked by 1 person

    • Maddie does prefer being on the leash. Even when we just take her out to play, she cycles back to us at some point to get connected. She has some neurological issues. She’s on medication and she needs a level of attention like no other dog we’ve ever had, but we deal with it. Sitting (on her cot) is one of the things that helps keep her on an even keel. If we don’t get to walk and / or sit for a few days, she gets very hard to deal with. We even bought her a vest last year so we could sit in the winter.

      However, the entire time we’re out there (often over an hour) she never pulls on the leash.

      Liked by 1 person

    • You’re welcome. I hope this was useful.

      I squeeze a little natural lime juice in there. It doesn’t have the visual appeal, but the flavor is perfect. If you sit with Maddie, I’ll serve the Coronas.

      Liked by 1 person

  13. Thanks, everyone, for reading my little ditty and for your kind comments. And thanks, Dan, for letting me drive for a bit!

    All I’ll say is that, not having a Maddie (our cat is wonderful but isn’t really into the walk thing), my response upon completing the piece was to run screaming to Cape Cod and stick my head in the sand for a week.

    Hey, if it’s good enough for ostriches, it’s good enough for me!

    Liked by 1 person

    • Thanks so much, Steve for taking the time to research and respond to the questions.

      We may all be searching for a place to bury our heads. Still, I don’t think any of us are willing to give up our presence in this community. Just don’t come back and ask us to forget you!


  14. I couldn’t read this earlier because I thought I’d worked through mail chimp’s directions and done the initial set up for my ridiculously tiny email list and needed a break. Was real proud of myself for getting that far. I haven’t send out a newsletter since mid may, thinking I’d do it after I get this all figured out. Hit a snag today (apparently didn’t save the names to the GDPR segment properly or something) and have to go back in there when I work up the courage. Thanks for your explanation. At least the comments indicate that I’m not alone in being overwhelmed. Will look into the WP part.

    Liked by 1 person

Add your thoughts or join the discussion. One relevant link is OK, more require moderation. Markdown is supported.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.