HACKER Q&A
📣 eminent101

How do small personal website/blog owners comply with GDPR?


I think some of the crowd here run their own servers with a small and personal website or blog hosted on it. So I think this is the right audience to ask this. How do you ensure that your server and website complies with GDPR?

Do you stop keeping web server access logs? Do you disable comment forms? If you do keep web server logs or comment forms what do you do to make it comply with GDPR?

The comment form aspect is especially a tricky one. Many comment forms require only a name and comment. What if a commenter later asks you to delete all their data (that is to say, all their comments) from your website? How would you satisfy such a request when you can't even validate that the person who is requesting the deletion is really the person who authored the comments?

I am planning to create my own website on a small Digital Ocean server, but these GDPR concerns are giving me a headache. Hoping to get some wisdom from this thread.

Edit: If it helps, I am based in the EU and the UK. I live in both places at different times based on work availability. But for the good of the community, answers for other locations and regulations are welcome!


👤 akerl_ (Accepted Answer ✓)
I just didn’t worry about it. I’ve got default nginx logging turned on for dynamic things, and S3 bucket logs / CloudFront logs for static sites. I use Google Analytics for some sites and GoatCounter for others.

If that turns out to be horrible, I guess I’ll end up strung up by my thumbs in a European jail? But given all the other things to spend my time on, I’ve just accepted that risk.

I think I’ve also been convinced over time that comment fields on blogs aren’t worth it generally. If there are meaningful conversations to be had, they’ll happen on platforms where readers link to your content.


👤 beauHD
You can collect stats behind the scenes with GoAccess [0], without using JS-powered analytics or embedded statistics pixels.

This isn't a violation of privacy since you have the right to inspect the logs of your own server(s). Analytics services like Google Analytics, etc. are not privacy champions and use that data to feed their ad business.

There is also AWStats which is pre-bundled with cPanel. The only caveat is that 30% of the traffic monitored is likely bots, scrapers, or otherwise malicious actors.

[0] https://goaccess.io/


👤 juriansluiman
My personal website [0] is, AFAIK, GDPR compliant. I have access logs disabled, as I don't care about them. It's a static site (Hugo) deployed as a container with an nginx server behind Traefik.

I don't use comment forms, as they are a headache to maintain over the years. I used to have comments but removed them, and discussions moved to other media (HN, Twitter, Reddit). For analytics I use Plausible [1], self-hosted, and that's fully GDPR compliant.

I live in the EU (NL) and the server is located in AMS3 for DO. This setup has been running perfectly fine for me for several years now.

[0] https://jurian.slui.mn/
[1] https://plausible.io/
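
For the case the question raises of keeping access logs rather than disabling them, here is an added Python example (not code from any poster above) that applies two data-minimisation steps to nginx "combined" format entries: it truncates the client address to a network prefix (/24 for IPv4, /48 for IPv6) and drops entries older than a retention window. The sample log lines, the 14-day default window and the prefix lengths are constructed assumptions, not values from this thread.

```python
import ipaddress
import re
from datetime import datetime, timedelta

_TS_RE = re.compile(r"\[([^\]]+)\]")
_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # nginx "combined": [10/Oct/2023:13:55:36 +0000]

def anonymize_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host bits so the address names a network, not one device."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text  # '-' or other non-address field: leave untouched
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def anonymize_log_line(line):
    """The client address is the first space-separated field of the combined format."""
    client, sep, rest = line.rstrip("\n").partition(" ")
    return anonymize_ip(client) + sep + rest

def log_line_time(line):
    """Return the request timestamp as an aware datetime, or None if it is missing."""
    m = _TS_RE.search(line)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), _TS_FMT)
    except ValueError:
        return None

def minimize_log(lines, now, max_age_days=14):
    """Drop entries older than the retention window and anonymize the rest."""
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        ts = log_line_time(line)
        if ts is None or ts < cutoff:
            continue  # unparseable or expired: do not retain
        kept.append(anonymize_log_line(line))
    return kept

# Constructed sample entries using documentation address ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [12/Oct/2023:08:01:02 +0000] "GET /feed.xml HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Sep/2023:00:00:00 +0000] "GET /old HTTP/1.1" 404 0 "-" "bot/1.0"',
]
```

Behind a reverse proxy or CDN such as the Traefik or CloudFront setups mentioned above, the first field is the proxy's own address; the visitor's address then arrives in X-Forwarded-For and needs the same treatment.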

👤 ilamont
Where are you based?