GDPR, blogging and DefinIT
Sam McGeown
So…this is a frustrated sort of post. As you are most likely to already know, the new data protection laws (GDPR) are coming into effect on the 25th May 2018. I must emphasise that I am not an expert on GDPR, this post is my layman’s conclusion for my specific circumstances. I run this blog as an exercise to help others, provide information and as a hobby. There is a lot of speculation around how this will affect bloggers, and a lot of panic and mis-information too. I’ve seen a few people this week simply shut down and delete their blogs - which is both upsetting and sad.
Once again, here is my disclaimer: I’m not a lawyer and I’m not providing you legal advice. Contact your legal council for help interpreting and implementing the GDPR. This article is provided for entertainment purposes, and amounts to nothing but my interpretation of the GDPR.
My general approach to GDPR is one of avoidance - I will avoid collecting any Personally Identifiable Information (PII).
Please feel free to get in touch via twitter (@sammcgeown) with any suggestions or updates and I’ll gladly share them (at least, the non-personally identifiable parts :))
General
Some general privacy best practices, which help towards GDPR compliance
- I already use SSL to secure the site through LetsEncrypt, and HTTP redirects to HTTPS, so that’s good.
- I already back up the site regularly, and encrypt my backups
- My web server is patched and updated regularly
- My WordPress and all Plugins are updated regularly
Privacy Policy
The main requirement from GDPR is that you clearly detail a Privacy Policy. The latest version of WordPress has a new “Privacy Settings” page that allows you to link to an existing, or create a new, Privacy Policy page. It also has some good pre-canned text and a guide to modifying it to fit your site. This has been the starting point from where I have modified the DefinIT Privacy Policy
Comments
All comments on DefinIT.co.uk have been disabled, and any existing comments have been deleted. I’ve done this because it seems to be the most efficient way for me to remove the risk that Personally Identifiable Information is collected and stored on the site.
Also, managing comment spam is a pain in the a***
To disable the comments site wide, I used the Disable Comments plugin, which allowed me to disable comments site wide and delete all existing comments. So here it is, 1498 legitimate, productive, helpful comments removed from the site to protect me from GDPR. I’m sorry to all those who put effort into discussions and helpful input.
Analytics
This is tricky. I’ve read a lot of conflicting info about analytics and GDPR. My settled opinion is that I can keep using my 3rd party provider (Google Analytics) as long as I clearly state that in my Privacy Policy, and that people have the option to opt out. With Google Analytics I can update my Plugin Settings and Privacy Policy to detail how the information is used, and link to Google’s Privacy Policy.
I use the Google Analytics Dashboard for WP (GADWP) plugin and ensure IP addresses are anonymised. That’s the only PII collected by Google Analytics, but we also enable user opt-out, and compliance with Do Not Track.
Sharing Links
For now, I’ve disabled social media links - the reason for this is that they tend to be trackers for the social media platforms that they link back to. I may revise this at a later date when I understand the implications better for each platform.