Ask HN: How do small personal website/blog owners comply with GDPR?

4 points by eminent101 ↗ HN
I think some of the crowd here run their own servers with a small and personal website or blog hosted on it. So I think this is the right audience to ask this. How do you ensure that your server and website complies with GDPR?

Do you stop keeping web server access logs? Do you disable comment forms? If you do keep web server logs or comment forms what do you do to make it comply with GDPR?

The comment form aspect is especially a tricky one. Many comment forms require only a name and comment. What if a commenter later asks you to delete all their data (that is to say, all their comments) from your website? How would you satisfy such a request when you can't even validate that the person who is requesting the deletion is really the person who authored the comments?

I am planning to create my own website on a small Digital Ocean server but these GDPR concerns are giving me headache. Hoping to get some wisdom from this thread?

Edit: If it helps, I am based in EU and UK. I live in both places at different times based on work availability. But for the good of the community, answers for other locations and regulations are welcome!

8 comments

[ 5.8 ms ] story [ 30.4 ms ] thread
Where are you based?
Added an edit to my post. I am based in EU and UK. But answers for other locations and regulations welcome too because those answers can help other people.
You can collect stats behind the scenes, without using JS-powered analytics or embedded statistics pixels with GoAccess[0].

This isn't a violation of privacy since you have the right to inspect the logs of your own server(s). Analytics like Google Analytics, etc are not privacy champions and use that data to feed into their AD business.

There is also AWStats which is pre-bundled with cPanel. The only caveat is that 30% of the traffic monitored is likely bots, scrapers, or otherwise malicious actors.

[0] https://goaccess.io/

From some reading I have done online I gather that just the act of logging IP addresses to my server's disk requires some legal safety nets such as a privacy statement that says what will be done with that data. Sounds like too much work for running a simple personal website.
Yes but you have the right to inspect the logs on your own server. The distinction here is using a privacy-invading thing like Google Analytics that /profits/ off data is different than a visual log of server traffic. Whether you decide to abuse the fact that you're logging requests or not is on you. State it in your privacy policy that you're not abusing such collection and make that clear.
Thanks! This clarification helps! Are there any standard privacy policies one can import into their website? I am looking for something along the lines of standard open source licenses. Thanks to a wide range of open source licenses available, we don't have to invent our own while publishing open source code. Anything like that for privacy policy?
I just didn’t worry about it. I’ve got default nginx logging turned on for dynamic things, and S3 bucket logs / CloudFront logs for static sites. I use Google Analytics for some sites and GoatCounter for others.

If that turns out to be horrible, I guess I’ll end up strung up by my thumbs in a European jail? But given all the other things to spend my time on, I’ve just accepted that risk.

I think I’ve also been convinced over time that comment fields on blogs aren’t worth it generally. If there’s meaningful conversations to be had, they’ll happen on platforms where readers link to your content.

My personal website [0] is -afaik- GDPR compliant. I have access logs disabled, as I don't care about them. It's a static site (Hugo) deployed as container with an nginx server behind Traefik.

I don't use comment forms, as they are a headache to maintain over the years. I used to have comments but removed them and discussions move to other media (HN, Twitter, Reddit). For analytics I use Plausible [1], self-hosted, and that's fully GDPR compliant.

I live in the EU (NL) and the server is located in AMS3 for DO. This setup runs perfectly fine for me for several years now.

  [0] https://jurian.slui.mn/
  [1] https://plausible.io/