You’ve all heard of it, but what exactly is GDPR and how do we comply with it as bloggers? As a digital marketer, I’ve had my fair share of meetings within my company and with GDPR experts regarding handling the new rules, so I thought I would share what I have learned with you! The number one thing I’d like to stress is that it’s not as scary or difficult to understand as it seems! 

You will need to do 5 main things – that is all!

Make a drink, open a text document and follow this as you go along. There is a lot of information out there, but I have broken it down in the best way I can. It’s a long one, but hopefully simple enough to follow. Please comment if you need any extra help and I will try my best for you.

GDPR comes into effect on 25th May 2018, but I don’t believe there will be anyone knocking on your door straight away, so don’t panic, don’t worry. Here’s what you need to do. 

Obviously, as I said above, I do marketing and am not a legal expert. Any advice you take from this is your responsibility and I would suggest doing further research to ensure you are following guidelines.

I’m sorry I am posting this so late, but thought there would be 1001 articles all saying the same thing. After a Twitter poll I did, it seems 77% of voters still needed more information. I have realised I am in a position to offer knowledge based on what I have learned in work and from further reading. 

What is GDPR?

The General Data Protection Regulation (GDPR) has been discussed all year, but a lot of companies have been working behind the scenes until now. Hands up if you’ve had email after email asking you to re-subscribe to everything these last couple of weeks? Yep, all of us!

GDPR replaces the existing data protection law (in the UK, the Data Protection Act 1998) but builds on the same principles, so much of it will feel familiar. Personal data is anything that can identify a person, directly or in combination with other data: an email address, physical address or full name, but also online identifiers such as an IP address or the ID stored in an analytics cookie.


Another aspect of GDPR is only using personal data for the purpose the person gave it for. For example, if somebody enters a competition, their details should not then be added to a marketing or mailing list unless they explicitly agreed to that. Consent given for one purpose does not carry over to another, which is why all the major companies are asking people to re-subscribe to their emails.

The main worry for companies is the fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher. There is no rule that a warning must come first, but fines are scaled to how serious and deliberate the breach is, and the ICO has said it treats them as a last resort rather than a first response.

There are still grey areas that have caused some major confusion, and the guidance does not always give a clear answer for small sites. As time goes on, the regulator’s guidance will become more refined. For now, we are given guidelines on what is expected.

Right to be forgotten

All users can now request to be forgotten (the regulation calls it the right to erasure). This means not only unsubscribing them from your marketing lists, but removing their personal data from everywhere you hold it, including any third-party service you use to store it, such as your mailing list provider. You normally have one month to act on the request, and you should be able to show what you deleted and when.

How does this affect bloggers?

You may think that if you make no money and don’t operate your blog as a business, GDPR does not apply to your website, but it does. It applies as soon as you collect or store anyone’s personal data, and a public blog with comments, a mailing list or analytics does exactly that. There are a few things you need to do to comply.

To make this process as simple as possible, here is a list of things that bloggers need to do to be compliant right now!

1. Audit your data and data collection practices.

Think about how you collect data and why you need it. Where exactly do you collect and store data? At first you might not think you have any, but as bloggers, we have people commenting on our blogs and providing details, subscriber lists, marketing lists, emails from competition winners and more.

Thankfully, most emailing and commenting platforms are third parties who will be doing their own GDPR audits. You have likely received emails from them, so please read them. In GDPR terms you are the “controller” (you decide what data is collected and why) and they are your “processors” (they handle it on your behalf), and the duty to protect your audience stays with you. So you must check and be satisfied that every third party you deal with is GDPR compliant, and most of them now publish a data processing agreement or terms update that says so. Keep a record of the companies you use, what data each one holds for you, and a link to their GDPR policy.

You also need to be careful about how you store personal data. Is the data only available on a password-protected computer, ideally with disk encryption turned on? Can anyone else access it? Exported subscriber lists and competition entries sitting in a Downloads folder or an old spreadsheet are the easiest things to forget, so delete copies you no longer need. It is also worth turning on two-factor authentication for your blog admin login and your mailing list account, since those are where most of this data actually lives.

A few questions to ask yourself:

  • How do you collect data?
  • Why do you collect that data specifically?
  • Do you need that data?
  • What is your lawful basis for contacting the website user: their consent, or a legitimate interest of yours that you could justify if challenged?
  • Did the user or subscriber opt in for this particular information or marketing?

If you cannot answer with a good reason or answered no to any of these questions, you will need to re-evaluate how you collect and store data. If email subscribers were not fully aware of being added to the list or

How and why do you collect data – justify everything. 
Check your third parties and their policies, ensure they are up to GDPR standards.

2. Create a privacy policy.

This is the one that took me a while because it’s difficult to know what you need.

Here are the things to add to your privacy policy. I have looked at too many resources to list and taken inspiration from many companies, so please Google if you require further information.

For each point, consider how data is collected, stored, used and why you need it.

  • Who you are and how readers can contact you about their data
  • Cookie policy
  • Google Analytics and any other tracking third parties you might use
  • Mailing list: how people sign up, what you send, and which provider holds the list
  • Blog comments
  • Advertisers’ details
  • Competitions
  • Data shared with other brands/companies
  • How long you keep each type of data
  • The reader’s rights: to see what you hold, to correct it, to have it deleted, and to withdraw consent at any time, with a way to ask
  • Date of last update and when it will be updated again.

You should place this in an easy-to-find place on your website. Mine is under the About Me in the menu. You can read and take inspiration from my Privacy Policy here.

Follow the list and add any other third parties or ways you use data.

3. Add a cookie policy.

Cookies are small pieces of data a website stores in the reader’s browser. Analytics and advertising cookies give each visitor an identifier so you can track them from page to page and analyse their behaviour on your website, and that identifier counts as personal data. If you use re-targeting ads, those cookies also follow readers to other websites in order to show them your advertisements there.

If you open this website in a private browser, you should see mine at the bottom of the page. This must show on whichever page the reader lands on first.

Luckily, most blogging platforms have a plug-in that can be used for this. It must state why you are collecting cookies, have a button to ‘agree’, and it is best to add a link to your privacy policy. Two caveats that the plug-in’s default settings may not cover: consent has to be an active choice, so “by continuing to browse you agree” does not count, and there should be a way to decline; and analytics or advertising cookies should not be set until the reader has actually clicked agree. Cookies that are strictly necessary for the site to work (a login session, or the cookie that remembers the reader’s consent choice) do not need consent.

Mine simply says: This website uses cookies to improve experience and analyse traffic. By continuing your visit to this website, you are agreeing to the use of cookies. Read my privacy policy for more information. 

Usually available as a plug-in or built into the blogging platform you use – add a short note about your cookie policy.
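To show what a banner that gets this right actually does, here is an added example (my own illustration, not code from a plug-in or from this site). It only loads the analytics script after an explicit click, remembers a decline as well as an accept, and the one cookie it sets before consent is the consent choice itself. The cookie name, the 180-day retention and the two script URLs are assumptions made up for the example.

```javascript
// Consent gate for non-essential cookies. Added example, not the post's own code.
// Assumptions: the consent cookie name, its 180-day lifetime and the script URLs
// below are placeholders chosen for illustration.

const CONSENT_COOKIE = 'cookie_consent';   // assumed name; holds "granted" or "denied"
const CONSENT_MAX_AGE_DAYS = 180;          // assumed lifetime; the banner reappears after this

// Assumed script catalogue: the comment form is needed for the site to work, the
// analytics loader is not. Only essential scripts load before the reader decides.
const SCRIPT_CATALOGUE = [
  { src: '/js/comment-form.js', essential: true },
  { src: '/js/analytics-loader.js', essential: false },
];

// Parse a document.cookie string such as "a=1; b=2" into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const i = part.indexOf('=');
    if (i === -1) continue;
    const name = part.slice(0, i).trim();
    if (!name) continue;
    const raw = part.slice(i + 1).trim();
    try { out[name] = decodeURIComponent(raw); } catch (e) { out[name] = raw; }
  }
  return out;
}

// Returns "granted", "denied" or "unknown". Anything that is not an explicit
// "granted" (missing cookie, edited value) is treated as no consent.
function consentState(cookieString) {
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  return value === 'granted' || value === 'denied' ? value : 'unknown';
}

// Build the cookie string that records the choice. This cookie is strictly
// necessary (it only stores the decision), so it may be set without consent.
// Secure keeps it off plain http; SameSite=Lax keeps it off cross-site requests.
function consentCookieString(choice) {
  if (choice !== 'granted' && choice !== 'denied') throw new Error('invalid choice');
  const maxAge = CONSENT_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Which scripts may run for a given consent state: essentials always, trackers
// only once consent is "granted". "unknown" and "denied" behave the same.
function scriptsToLoad(state, catalogue) {
  return catalogue.filter(s => s.essential || state === 'granted').map(s => s.src);
}

// Browser wiring: load what is allowed, show the banner only while undecided.
function initConsent(doc) {
  const loaded = new Set();
  const apply = (state) => {
    for (const src of scriptsToLoad(state, SCRIPT_CATALOGUE)) {
      if (loaded.has(src)) continue;          // never inject the same script twice
      const el = doc.createElement('script');
      el.src = src;
      doc.head.appendChild(el);
      loaded.add(src);
    }
  };
  const state = consentState(doc.cookie);
  apply(state);                               // essentials now, trackers only if already granted
  if (state !== 'unknown') return;

  const banner = doc.createElement('div');
  banner.setAttribute('role', 'dialog');
  banner.innerHTML =
    '<p>This site uses cookies for analytics. Nothing non-essential is set until you choose. ' +
    '<a href="/privacy-policy/">Read the privacy policy</a>.</p>' +
    '<button data-choice="granted">Accept</button> ' +
    '<button data-choice="denied">Decline</button>';
  banner.addEventListener('click', (ev) => {
    const choice = ev.target && ev.target.getAttribute('data-choice');
    if (!choice) return;
    doc.cookie = consentCookieString(choice);   // remember the decision either way
    banner.remove();
    apply(choice);                              // trackers load only on "granted"
  });
  doc.body.appendChild(banner);
}

if (typeof document !== 'undefined') initConsent(document);
```

The detail that matters is the order of operations: the analytics script is injected after the click, not on page load with a banner laid over the top. A banner that says “by continuing you agree” while the tracker has already fired is the pattern most plug-ins default to and the one that does not meet the consent standard.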

4. SSL Certificate

An SSL certificate (strictly a TLS certificate) is what lets your site run over HTTPS, so that anything a reader sends you, such as a comment form or a newsletter sign-up, is encrypted on the way and cannot be read or altered in transit. HTTPS is not a GDPR requirement in itself, but GDPR expects “appropriate technical measures” to protect personal data, and encrypting it in transit is the most basic one. Separately, Google has used HTTPS as a ranking signal since 2014, and from mid-2018 Chrome marks every plain http:// page as “Not secure”, which is not a good look for readers either.

You can do this via your blog platform or your website host. It will be different for everyone, but research it for your own platform; many hosts now offer a free Let’s Encrypt certificate with a single click. Once it is installed, check that http:// addresses redirect to https://, and fix any images or embeds still loaded over plain http, otherwise the browser keeps showing a warning.

Get an SSL certificate and serve the whole site over HTTPS.

5. Email marketing

If readers have not explicitly signed up for emails, you must ask them to opt in again. If you are confident that people signed up specifically for the emails you are sending, you do not need to worry, but it would be good to remind readers that they can unsubscribe at any time, even if this is in your next email. One caveat on the re-consent emails everyone is sending: if someone had previously unsubscribed, or you have no record of them ever agreeing, a “please confirm you still want these” email is itself a marketing email you are not allowed to send. The ICO has fined companies under the existing rules for exactly that, so if you cannot show where a subscriber came from, it is safer to drop them than to email them.

Going forward, you should only give people the option to sign up and never add them automatically to a mailing list or to one they are not aware of. There should always be a clear opt-in, and you should not use pre-ticked boxes. Keep a record of when and how each subscriber consented, because GDPR expects you to be able to prove it; a double opt-in (a confirmation link in the first email) gives you that record for free. Again, most people will be using a third party that has this covered, but always check!

Last bits!

Do you need to register with the Information Commissioner’s Office (ICO), the UK’s data protection regulator, and pay its data protection fee? 

It’s unlikely if you are a smaller blogger or do not treat your blog like a business, but this has been up for debate. You can do this handy quiz on the ICO’s site to see if you’re exempt from registering with them.

Data breach.
If personal data you hold is lost, leaked or accessed by someone who should not have it (a hacked blog admin account, a subscriber list emailed to the wrong person), you must report it to the ICO within 72 hours of becoming aware of it, unless it is unlikely to put anyone at risk. If the breach is likely to cause real harm to the people involved, you must also tell them directly, without undue delay. Either way, keep a short written log of what happened, what data was involved and what you did about it, even for breaches too minor to report.

The end! You did it!

I hope this has helped some of you who were still worried. I’m sorry it’s so long, but hopefully it answers your questions regarding the new regulations. Again, please feel free to ask me for any advice, but remember that I am not a legal expert and you are responsible for your own website and data.

Share this post to help others!
