Bloggers: Do These 10 Things to Comply with GDPR


GDPR for bloggers

What do bloggers need to know about GDPR? 

Does GDPR even apply to digital influencers? 

What happens if I don’t comply with GDPR? 

Personally, I think there are two main approaches to GDPR in the influencer community right now. 

In the red corner, there are those of us who are simply sticking our heads in the sand and waiting for GDPR to go away. 

And in the blue corner, there are those of us who have Googled, “What do I need to know about GDPR?”, scared ourselves stupid and are now waiting for the whole thing to go away.

I have good news and bad news. The bad news is that GDPR isn’t going to go away. Even if we’re not in the EU, our government is very keen on implementing this bit of EU law so that UK businesses can trade more easily with Europe. 

But there’s also good news. 

For influencers, GDPR really doesn’t need to be scary, or complicated. Honest! 

Here at Flea Enterprises, we’ve taken expert advice on our GDPR compliance. If you run a business that’s built on data, I recommend you do the same. 

But for bloggers, GDPR isn’t necessarily a huge step up from what you’re probably already doing to comply with our existing (pretty strong) data protection laws. 

Today we’re going to share a really quick GDPR primer (enough to help you glide through those tricky dinner party convos) and 10 tips based on our understanding of GDPR. This will help ensure you’re in good shape for when GDPR comes into force. 

What is GDPR? 

GDPR is an EU law that strengthens our existing data protection laws. It comes into force on May 25.

The aim of GDPR is to ensure we treat people’s data with respect. You need to have a legal right to collect and process data. It needs to be stored in a secure, appropriate way. People need to be able to easily find out what data you hold on them. If they ask you to correct or delete it, you must do so promptly. 

Do Bloggers Need to Worry about GDPR? 

As an influencer, the type of personal data you hold is likely to be limited – but you almost certainly hold some personal data. 

If you’re a blogger, you may store email addresses from comments. Perhaps you store email addresses or shipping addresses relating to giveaway or mailing lists. If you employ a VA, you might store their address and payment details. 

Anything that could identify a living person is classed as personal data.

Sidenote: information about a media outlet or company isn’t considered personal data. 

How to Relax and Comply with GDPR 


Today we are sharing 10 snippets of advice that we hope will get you well on the way to relaxing about your GDPR compliance. 

  • It’s not a cooked cake. GDPR is a new piece of EU law, but it’s going to be monitored by local organisations – in our case the ICO. With GDPR on the horizon, lots of businesses are rushing to register with the ICO as “data controllers” to show their commitment to data privacy. This isn’t necessary if you only process personal data for “core business purposes of staff administration, marketing, PR and administration”. If you’re unsure if this exemption applies to you – take this quiz.
  • You don’t need to rebuild your whole mailing list. One of the most common myths around GDPR is that you need to “re-permission” everyone who receives your emails to get their consent to continue mailing them. Nope. If you got opt-in consent in the first place, and have a clear “unsubscribe” option in your mailings, then you’re good to go. 
  • You may have legitimate interest to process data. If your business has a core activity that relies on processing personal data then this is considered allowable under “legitimate interest“. This is the basis under which our company will be operating, when processing influencer data, for example. 
  • Legitimate interest doesn’t cover direct marketing. So you may show a legitimate interest in contacting a mailing list with your latest blog post, but if you’re selling something directly then that’s not covered by legitimate interest.
  • You’ll still get press releases and PR pitches: I’ve read that nobody will be able to send unsolicited messages after GDPR. Yes, PR agencies need to comply with GDPR. This means they’ll need to show they hold only appropriate data, and it’s up to date and can be deleted on request. But they’ll still be allowed to send you material providing they can demonstrate it’s potentially useful for you in creating online content (so it should be relevant and they may well request an update to your details).
  • As a citizen you have more rights. As an individual GDPR protects your data, so it’s not all about what you have to do. Under GDPR you can ask any organisation what data they hold about you, request amendments, or ask for that data to be deleted. Companies will be required to comply with such requests swiftly.
  • Check in on your IT systems and processes. One of the key requirements of GDPR is ensuring that where you hold personal data, it’s collected, stored and processed securely. So make sure laptops are password protected, office doors (or filing cabinets) are securely locked, and computers have up-to-date security software installed. Consider moving your blog to HTTPS. 
  • Check out your suppliers. Think about all the third party sites where you might store personal data. Do you use third-party giveaway widgets? Have a hosting company? Use a cloud-based back-up service? Do a quick check on their sites for GDPR compliance.  And don’t forget that you still need to ensure your systems protect that personal data when you’re accessing and viewing it via a third-party site or tool. 
  • Update your Privacy Policy. A key part of GDPR is having a transparent data policy. We suggest updating your existing privacy policy for your blog. Make sure you mention what data you collect, what you use it for, who it’s shared with. Make it clear how people can request data held on them (known as a “subject access request”) or request that data is amended or deleted. 

What You Really, Really Need to Know about GDPR

If you don’t remember anything else about GDPR, remember this: don’t panic. 

GDPR shouldn’t be a chore for most bloggers and digital influencers. It’s really about three key things: 

  • Treat data with respect. Only collect what you need, and ensure it’s accurate, and that your data storage and processing is secure. 
  • Make sure your privacy policy tells people what data you hold about them, how you use it, and how they can ask you to share this with them. Make it easy for them to request that it’s amended or deleted.  
  • Review your IT arrangements so that you know all your computer systems are secure, including checking on any third-party services you use to store or process personal data.




Are you worried about the introduction of GDPR? Let us know in the comments if you have any tips about getting ready for GDPR for bloggers. 

Sally Whittle is founder of the Tots100, Foodies100, BlogSummit and the MAD Blog Awards. When she's not working, she can be found blogging at Who's the Mummy, or having fun with her 8 year old daughter, Flea.

Discussion: 7 Comments

  1. I thought you did need to re-permission people to sign up to emailing even if you had an unsubscribe option unless you happened to have your opt in wording spot on the first time round. The penalties are so high I’m certainly not risking it. Our holiday emailing about bookings is all fine without a re sign up as it is essential info, but my newsletters on the back of this are not, so I am re subscribing for all the non essential mail outs including for my blog. I may of course be wrong, I have read so many different articles it’s driving me nuts but that is my take out.

    • It really depends on how you had people sign up to begin with. If you harvested email addresses from bookings or competitions and added them to a mailing list with an unsubscribe box then YES, I would 100% re-permission.

      Similarly, if you had one of those “untick the box if you don’t want to be spammed” sign-ups, then I’d be looking to re-permission.

      If you invited people to tick a box clearly opting in to a monthly newsletter and you’ve given an opt-out on every mailing, then no, you shouldn’t need to re-permission.

      I would also not panic about huge fines, personally. There’s a staged process for companies not complying with GDPR and the first stage is a warning, so you’re certainly not going to be hit with a huge fine for a first, honest mistake.

  2. Hi Sally – thanks for a very clear and factually accurate article. Have you got any info on what the GDPR means in terms of the use of affiliate marketing on blogs? I’ve been searching on Google, but it appears a scarcely mentioned topic.

    • I’m finding this a problem too. There are also many companies cashing in on the GDPR and there’s a lot of differing advice.

    • It’s down to cookies and tracking pixels I believe. So their data will be transferred to a third party (the affiliate company). I am having trouble figuring out what that data is. I think it’s IP address but not 100% sure.

  3. The question I have is about lead magnets for people to sign up for your email list including webinars, printables and other “freebies.” Some people are saying that to be GDPR compliant you need to offer your freebies with email opt-in being optional. But that seems practically impossible in some cases, especially with email marketing sales funnels that are directly tied to the free courses or classes.

    • I think you would need to say that they are giving you their email address to receive access to a free course or class and that you will send them a freebie to their inbox.

      I think the big no no is where you say give me your email address and I’ll send you this free checklist. Then you email the checklist and add them to your regular mailing list. Because they didn’t agree for their email to be used for that.
