Blogger and data protection: EU General Data Protection Regulation (GDPR) in force from May 2018

The new EU-wide General Data Protection Regulation, or GDPR for short, will come into force on May 25, 2018. It aims to improve data protection for EU citizens. Companies based here as well as companies located elsewhere with EU customers or their data must adhere to the new rules. In addition to online shops and email marketing companies, this not only affects social networks, but also bloggers who, for example, send out newsletters or organize competitions. I have put together a few hints, tips and sources on the subject for you here.

Attention: This article is not intended as legal advice, but only reflects my research results to the best of my knowledge and belief!

The EU-GDPR is the basic data protection regulation that will become effective in the European Union on May 25, 2018. You can find information about the new data protection for EU citizens here - also for bloggers who, for example, send newsletters, use cookies and organize competitions.

EU GDPR - Change in data protection law 2018

Instead of the Federal Data Protection Act (BDSG) and other German laws, the regulations of the European Union will soon also come into force in Germany. This standardizes data protection for consumers and their personal data. Among other things, cookies and the information on their use (or consent to the storage of cookies) are affected. A good video on the subject, especially on the use of cookies on websites, blogs and shops, is available here (in German):

Worth reading: The blog post mentioned in the video

General data protection regulation for bloggers

The new EU data protection regulation applies to all companies that handle personal data. Whether mailing list, customer data, forum users or cloud services - there are many examples. If you, as a blog operator, collect, store and use data from readers, then you should also take a look at the EU GDPR, because personal data already starts with a name and an email address. Overall, it includes the following:

  • Name + address
  • Email address and phone number
  • Birthday, ID number, etc.
  • Account details + credit card number
  • Vehicle registration number (car, motorcycle, etc.)
  • Location data + IP address
  • Cookies

Do I have to ask my newsletter subscribers for permission again?

As far as I've read: No. Data already collected and cookies, etc. set by the end of May do not need to be treated separately again. So if you already have dozens, hundreds or thousands of newsletter subscriptions, then not every subscriber has to agree again to the use of their data in EU-GDPR-compliant form. But you should make provisions for upcoming subscriptions, future cookies and the like.

What is a data protection impact assessment?

Companies that collect and use personal data (on a large scale) must carry out a data protection impact assessment. This means that you have to check whether the personal data is secure, cannot be viewed / used by unauthorized third parties and / or whether the data owner could be at risk. The data protection impact assessment is therefore a classification of data security and its possible consequences. If these turn out to be negative, adjustments may be necessary.

Own assessment: are US mailing services safe?

The GDPR also applies to companies that have EU citizens or EU companies as customers or clients. Therefore, US mailing service providers such as MailChimp would also have to comply with it. One sign that things are being done properly is, for example, the "double opt-in", i.e. the double consent for the newsletter subscription - once when you register and once via a confirmation link in the corresponding e-mail.

However, the security questions do not end there. For example, the data for MailChimp newsletters is stored on US servers - outside the EU and an attractive target for hackers and intelligence services. It is questionable whether this is fully in line with the EU GDPR. For this reason, some people from my circle of friends and customers are currently moving their newsletter lists from MailChimp to Cleverreach, Klick-Tipp or other German newsletter service providers. If you want to check out all providers, then click here:

In theory, a contract is necessary

During further research I came across this post. It describes, among other things, that one would have to enter into a contract with MailChimp in which the order data processing (from May on simply "order processing") is regulated in accordance with the new regulation. External providers such as Google Analytics, as I understand it, do not require a written contract that you have to send back and forth. Here the provider, i.e. Google, can handle the formalities digitally at the push of a button: in the account settings of Analytics you can do this under the menu item "Addition for data processing". MailChimp could theoretically retrofit such an automated process.

An overview of important changes

But what changes in detail now, what do you have to pay attention to in the future, and which existing regulations, ordinances and laws will be expanded? I did a little research and found information on this, among other things, in this source. So here are a few important points that you as a data processing entrepreneur, blogger, shop operator or mailing marketing company should consider:

  • Duty to assess the impact of data protection and to document the handling of data
  • Data processing activities must be recorded in a directory
  • Declarations of consent (online and offline) are renewed, as mentioned above in the video on the subject of cookies
  • Data protection declarations on websites must be expanded
  • There are also new guidelines for order data processing
  • A higher level of protection also applies to employee data
  • As a special case, personal data of children must also be treated more sensitively
  • There are new regulations / a new position for data protection officers in the company
  • Data breaches (data theft, improper use, leaks, etc.) must be reported from May 25, 2018
  • There are new regulations on liability and tougher fines for data offenders

What are "data portability" and "right to be forgotten"?

There are two points in addition to the above list that may require a brief explanation. On the one hand, this would be “data portability” and, on the other hand, the “right to be forgotten”. I have summarized what it is all about in brief explanations:

  • Data portability: it must be possible for the data owner to query all personal data. They must be transmitted by the company / person who collects or uses the data in a common, up-to-date and readable format.
  • Right to be forgotten: Just as data, articles and information about people or companies can be removed from a search engine on request, personal data records must also be removed at the request of the persons concerned.

Conclusion on the EU General Data Protection Regulation (GDPR)

The new EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018. There will be no further transition period, and no separate national law has to be made out of it in Germany: the new collection of rules and guidelines applies directly as a regulation. So if you have anything to do with personal data from customers, readers, users, clients, employees and other people, then you should read up on it. If in doubt, it can be helpful to call in an appropriately specialized lawyer to be on the safe side. Because as already mentioned at the beginning: This blog entry is not legal advice, but just a well-intentioned reference as a result of my research on the topic;)

-

Did you like the article and did the instructions on the blog help you? Then I would be happy if you would support the blog via a Steady membership or on Patreon.
