GDPR Compliance


I can't tell you how many PMs I've received from fellow WA associates telling me my site is not GDPR compliant. There is so much misinformation and misunderstanding about what the GDPR is and what YOU need to do ~ or not. As someone who's an IT specialist, I thought it's about time I weigh in and give you the Coles Notes version.


What is it?

GDPR stands for the General Data Protection Regulation and was enacted in Europe (not North America, China, or Africa) in 2016 to give European residents better protection and privacy over their data and the use of it.

What is THEIR data?

The GDPR is specific to personal data and the processing of personal data – this includes the storage of, the exporting of, the sharing of, and transactional use of, personal data. The GDPR is specific to ONLY personal data, meaning that if I use the name Dave when making a blog post – that is NOT personal. Sure it’s personal to me, but it doesn’t tell you my last name (even if it did, it’s still at that point – NOT PERSONAL). There is absolutely nothing to connect you (the owner of a blog) to me (the reader of your blog). You don’t know my address, my telephone number, my birthdate, my medical number – nothing! See the snippet below from the GDPR on what exactly is personal data:


The Internet is Global - Does It Affect Everyone?

This is the biggest misconception/rumour being spread and the answer is NO. A thousand times NO! Please read that again – NO!

If you operate an affiliate website where you market a purse (insert anything instead of purse) and someone from Germany clicks on your Amazon link and proceeds to purchase the product, you do not need to be GDPR compliant. The transaction is not between you (your site) and the vendor (person from Germany). The transaction is owned by Amazon and therefore Amazon must be GDPR compliant, but not you or your blog.

If you operate an affiliate website where you do a product review of say headphones (my site) and people provide comments on your reviews, you do not need to be GDPR compliant. At no time am I (my site) collecting personally identifiable information, even if someone from France uses their full name (John Smith). The name alone does not identify John Smith, nor does it tell me where they live, etc.

If you operate an affiliate website where you routinely collect e-mail addresses for e-mail distribution lists so you can direct market your clients, then you must be GDPR compliant, but it depends. The following snippet explains this and the "loopholes" around it:


So if you’re collecting e-mail addresses for the direct purpose of e-mail marketing (this includes announcements or letting people know you have a new post on your site), then you must first have their consent, and you must also ensure you continue to have their consent and give them options to opt out of your mailing lists. What I mean by this is, let’s say I sign up to your blog's mailing list and I give you consent to spam me from time to time. You are required to contact everyone on your mailing list to ensure they still wish to receive it after a certain amount of time (I couldn’t find the exact timeline in the GDPR legal document, but I believe it’s 1 calendar year (but don’t quote me on that)).

If you operate a website that sells products or services and your potential customers could be from the EU, then yes, you must be GDPR compliant. But if you operate entirely in, say, the USA or North America or (insert your country name here) and you do not ship anything to anyone in the EU, then no, this does not apply.


Can I Be GDPR Compliant Anyways?

YES – GDPR is a good thing, but it’s not a must do. Many companies that operate outside of the European Union are extending the GDPR to them as well. What this means is they recognize that even though it doesn’t apply to them or their websites, they will follow the rules of the GDPR as it’s a decent law that protects people. A good example of this is Microsoft: https://www.techrepublic.com/article/microsoft-extending-gdp...

Facebook on the other hand is a great example of a company that operates globally and collects very personal information about people. They must be GDPR compliant.

What’s It Mean To Me?

Could be NOTHING (as in my case). I don’t own the actual transaction of personally identifiable information on my site – Amazon does that! But what it does mean to me is that protecting the personal information of anyone, regardless of where they live is important and should be taken seriously.

At the end of the day, the GDPR may or may not apply to you, however the laws of your own country (if you live outside of the EU) supersede and take precedence over the GDPR. The laws of your own country come first and you must always obey those laws.

I really hope this post clears up a lot of the misinformation that is floating around, including on WA, about the GDPR, and if someone says "OMG, your site is not GDPR compliant" – send ‘em my way.


Recent Comments


Hey Dave, thanks a lot for sharing this.

To be honest I never paid much attention to this, but after reading your post I can safely say that my blog is not affected. Now there's one less thing to worry about !

Kudos to you though, I think you've explained this really well and I sincerely think that this posts deserves more recognition.

Thanks

Thanks Dave. Now I know never to panic. Jim

Thank you for the share.

GDPR treats IP-address as personal data (which is stupid) and this falls under the online identifiers category.

If you have comments on your site, you are most likely storing their IP address, possibly name and email address.

Even though the chances of identification are super small, the chances are there.

Great post though.

This is only the case of STATIC IP ADDRESSES, which are very, very rare. Most IP addresses assigned by a personal computer (and I'm going to say 99.9%) are dynamic addresses through your ISP, which are further filtered by being behind a firewall (router). The times you would use a static IP is if you were using a VPN service, which would hide/mask your IP anyway.

And you're right, the GDPR obviously had someone who knew nothing about computer networks come up with IP addresses as a PI identifier. That's like saying I'll write a 9 digit number (an IP address) on the board and someone can identify whose it is. There's 1.8 million different combinations! Crazy...

What about the concrete case of Wealthy Affiliate?
I think the question is of interest to many people here.

I sent you a PM as I'd like to know the specific case details.

If you're talking in layman's terms about the Wealthy Affiliate site? Well, THEY do business with people in Europe; they take payment and name/address information, therefore THEY are the ones that need to be GDPR compliant. You and your blog sites – not at all.

If you're talking about a 'concrete' company? Then they would only need to be compliant if they were maintaining a listing of customers, which included their full names, addresses, etc.

Sorry your comment is a bit vague, so hopefully I answered it?

Thank you for clearing this up.

My pleasure!
