This page contains my interpretation of how EU GDPR applies to a website like this one. It is not the interpretation. A lawyer I am definitely not. I reserve the right to be wrong, take no responsibility if I am and do not offer this as legal advice. Please talk to a professional who’ll take liability if you’re collecting data in a different way to that described here.

What data is collected by this site?

None. Nitto, nish, nada. Zero. Not a single byte and that’s the way it’s going to stay. No tracking, no analytics. Ever. No retention, no transfers to third parties, no processing at all.

I’m not even logging your IP:

Configuration screenshot from my hosting provider showing that logging is disabled

Mythic Beasts almost certainly are, so you should make sure you’re happy with their Privacy Policy. You should be safe. They know their stuff and are very nice indeed.

You can contact the Data Controller for this website at: tristanbAtProton.ME

If that’s all you came for, enjoy the rest of your day!

How does GDPR apply to personal websites?

A canned answer to this has been very hard to find. A casual search will tell you that you shouldn’t worry about it at all and, often on the same page, that you should worry about it a lot. If all you’ve read about GDPR is the Wikipedia article, you might be inclined to worry about it a lot. On balance, a healthy awareness is better than a worry.

If you’re in the UK, that awareness should be somewhat heightened.

UK GDPR is, more or less, a carbon copy of EU GDPR that was made as a result of Brexit. The UK has the ability to make arbitrary changes to this new legislation. Whilst they’ve not done so at the time of writing, it’s a near certainty that they will. Call me a cynic, but I think this will mean the weakening of privacy legislation in the UK. The intent should be to abide by, or exceed, the stricter legislation. My belief is that this will be EU GDPR.

Can you still self-host and be GDPR compliant? Yes, you can! But you need to know where the regulations apply. To break it down a little, let’s assume you want to run a site like this on a server in your home. If you’re doing that, another fair assumption is that you’ll be logging IP addresses so you can gather some stats and block any bad actors.

First, let’s take a look at who the data protection laws apply to. That’s pretty straightforward. Someone’s IP address is their personal data. You’ll be an entity that processes that data and, unless you’re being very unfriendly, access to your site will be allowed from the EU. Some good news there too! You’re not a Small or Medium Enterprise (SME), and we can confidently say that nobody will be put at risk because their IP addresses are in a private access log. Data Protection Officers, your services will not be required.

At this point, you’re a Data Controller. You are a Data Controller even if you collect no personal data from your users at all. That’s important!

Let’s pause for breath. So far, we know that:

  • The data protection legislation contained in EU GDPR applies to your website
  • You don’t need to employ anyone to be compliant with it
  • Because you control how personal data might be used, you are a Data Controller

But what does that mean? What do you need to do? Let’s dig some more!

We’re going to need a bigger shovel!

The definitions and scope are interesting reading, but there’s not much here that we couldn’t reasonably assume, infer or that we don’t already know.

Things get interesting in Chapter Two, Article 5: “Principles relating to processing of personal data”. Unless you were to do something pretty scandalous with your users’ IP addresses, there’s no need to worry here. If you’re being accurate, have legitimate reasons (more on this later) for collecting the data that you do and you’re being transparent, you’ve got this section covered.

So far, so good. But articles 6 and 7 are ones you really need to care about.

Article 7 explains how you might ask for your users’ consent to collect their personal data. In the context of a simple blog like this, you don’t need to. In fact, doing so would bring Article 7 into scope and give you more things to comply with. Not asking also means your users don’t have to suffer annoying pop-ups or tick any boxes. In short, your processing isn’t “based on consent”. Were you to put cookies in browsers, use tracking/analytics or offer forum/social media style interactions that require an account, things would be different. Rightfully so. Especially if minors could access such a service (Article 8).

But why isn’t processing based on consent? To answer that, we need to look at Article 6: “Lawfulness of Processing”. Specifically Clause 1. It’s worth addressing this in detail in the context of a blog like this one.

Processing shall be lawful only if and to the extent that at least one of the following applies:

The data subject has given consent to the processing of his or her personal data for one or more specific purposes;

They haven’t because you’ve not asked for it. Let’s move on.

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

No contracts here!

Processing is necessary for compliance with a legal obligation to which the controller is subject;

An IP address would be handy if your systems were compromised or attacked and the police became involved. But really? Claiming legality here would be tenuous at best.

Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Doubtful

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

If your blog becomes a matter of public interest, go you! ‘Official authority’ is probably a bit out of scope here, though.

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Aha! This is the clause that makes collecting your users’ IP addresses legal. It’s legitimate because you want to monitor the usage of your website and its performance, and to be able to block bad actors who may try to compromise or disrupt it. None of these interests are against any fundamental rights or freedoms. Even those of children.

Phew! I guess your self-hosted blog is legal after all! Let’s go ahead and get that Privacy Policy written and get people reading your….. Oh, hang on. Uh oh…. Article 13!

Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
the identity and the contact details of the controller and, where applicable, of the controller’s representative; …

This is where you need to make a decision. If you’re happy that the world can know your name, no problems here at all. But it’s a huge issue if you wish to remain anonymous and log data.

To Conclude

As long as there is no need to preserve anonymity, EU/UK GDPR should not be a blocker to running your own Internet connected services using your own equipment. In fact, if you were to do so purely for use by yourself, your family and friends, GDPR doesn’t even apply at all. Knock yourself out!

Everyone should read chapter 3 in that PDF! That’s the good shit!

Overall, none of this is a bad thing. If someone is holding your data, they should be responsible for how it’s used and held accountable if your privacy is breached. More of this!

It’s a shame that someone can’t self-host a website without telling the world who they are. My anonymity on the Internet is important to me. It lets me separate my work life from my personal one, something that’s getting ever harder to do. It’s terrible for whistleblowers who might find their works censored as Big Tech continues its web takeover. It lets blogging platforms and social media set the tone of conversation, too. It leads to more walled gardens.

It’d be good to see an exception added to GDPR Article 13.1 for personal websites that are open to the world. There’s simply no safe way you could run one and not log IP addresses, but it would take someone with more spoons and clout than I to fight that battle. As things stand, picking a friendly web host and letting them handle the risks of Internet exposure seems like a good middle ground. Just pick a good one!

Thanks for reading.