Getting GDPR Compliant

If you’ve been following digital privacy news lately, you’ve probably heard of GDPR (General Data Protection Regulation) and know that it’s going into effect. I’m loosely aware of it, but understand enough to know that it affects both websites of organizations based in the EU and websites that collect info from EU citizens.

But wait! This does in fact have something to do with writing (a little). Because this blog is both a record and instrument of my adventures in writing, I think it’s appropriate to write about any and all topics that affect this journey.

That sentence should make it clear that I’m not a lawyer or digital privacy expert—so don’t read this as legal advice or a guide to best practices. It’s just what I’m doing to try to make sure this blog complies with international law.

Note that I’m not trying to be dramatic! These regulations are primarily about the information websites collect from/about visitors, so I believe they were largely written with big organizations and social media in mind. On this blog, I’m not aiming to collect a ton of information—just share this adventure and the occasional insights with those who are interested.

But.

The Internet is all about data. By simply visiting, your device is sharing your IP address with the server hosting this website. And while I personally don’t do anything with that data, the GDPR still regulates how it can be used (and what EU citizens can do with it). You can read all of that on the official website.

Right now, the blog/I only collect data when someone posts a comment. Before you post, you’re required to input a name and email address (and optionally, a website). When you do, that data gets stored in order to show the comment (your name gets displayed above your comment—your email doesn’t). With GDPR, you as a commenter would need to explicitly give the blog/me consent to store that data (such as checking a checkbox that grants permission).

Posting a comment seems like an obvious example of someone granting permission at first, but you may not realize that your email remains stored, and is associated with that comment. GDPR is meant to offer users more transparency and control when it comes to that kind of data, so you can decide how it gets used.

For example, down the line, I’m thinking of creating a newsletter mailing list. With GDPR in effect, everyone I put on that list would need to give explicit permission, confirming that they’re signing up to receive those kinds of emails. I couldn’t, for example, create some sort of giveaway asking for email addresses, and then proceed to email those people my newsletter. Or go through a list of comments on this blog and add all the email addresses of commenters (not that I would do that). And when people sign up and grant permission to use their emails for just that newsletter purpose, I couldn’t turn around and sell that list to another party (again, not that I would do that in the first place).

Things like buying and selling mailing lists and using giveaways to collect people’s information are common marketing tactics. But the digital environment has exponentially increased the number of entities who have access to that information—and therefore, the number of ways it could be accessed by parties who don’t have permission to use it.

The official GDPR website says, “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world …”. All this may be inconvenient (and boring (and inconsequential for a small-time writer’s blog)), but ultimately, it’s meant to help all of us (well . . . people in the EU) secure the digital parts of our lives. I don’t think I even have EU visitors, but I’m on board with the underlying principles.

So. What am I going to do about it? Well, I need to create a privacy policy that explains how I use visitors’ data. I’m also trying to find a WordPress plugin that lets commenters know the site will store some of their data. And going forward, I’ll be sure to be super clear if the newsletter mailing list ever comes to fruition (not to mention continue to monitor relevant sites for more information on how these regulations *specifically* impact bloggers).

Note: James T. Kelly’s posts “GDPR for Indie Authors” and “My GDPR Journey” were an immensely helpful resource in researching/navigating this topic. Thanks, James!