What is GDPR and whom does it apply to?
But what are the regulations?
The most important change for indie authors is that subscribers now have to give explicit consent before you can add them to your newsletter.
You cannot:
- sign up everyone who has ever sent you an email or contacted you through a web form.
- swap lists of email addresses with another writer (unless the subscribers have explicitly consented to this).
- sign people up to your newsletter in exchange for a free ebook. The two actions (receiving the book and signing up) must be separate. For example, you cannot use Instafreebie with a mandatory newsletter opt-in to grow your mailing list. Read Instafreebie’s GDPR update here.
- collect email addresses through a Facebook campaign and sign them up to your newsletter.
You can:
- add a ‘sign me up’ button to your emails or under your web form, so that the reader takes the action.
- offer a consent form on your free ebook download page where people explicitly agree that you will add them to your list. A good example of a consent form can be found here.
The right to be forgotten
Another important change is that consent isn’t forever. I attended a yoga class 8 years ago in Budapest and I’m still receiving emails from the organiser, even though I no longer live in the country. The GDPR sets no fixed retention period for this, so you have to define your own reasonable rules, write them down, and stick to them.
The right to be forgotten also means that anyone can contact a data controller and ask for their data to be erased.
You cannot:
- keep every email address or other piece of personal data forever. You have to delete it after a reasonable timeframe. Let your email marketing service track engagement for you (who has opened and clicked your emails) and remove people who have lost interest in you or your service.
You can:
- ask people to confirm that they are still interested in receiving emails from you. After a period of inactivity, email your subscribers and ask them to opt in or opt out; anyone who does not answer gets deleted. A great example of a re-permission email can be found here.
- keep data that another legal obligation requires you to keep. For example, if you file your own tax return, you have to keep invoices for a certain number of years, so you cannot delete somebody’s invoice just because they have asked for their data to be deleted. You do, however, have to delete everything that is not necessary for meeting that obligation, and delete the rest once you no longer need it legally.
The right to transparency
Probably the most widely welcomed part of the GDPR is the right to know what happens to your data. No more shady business, no more using my data to swing an election. Companies have to publish detailed privacy policies written in plain English, list every service they use as a data processor (your email marketing tool, for example), and explain what data they collect and how they use it.
Your followers and subscribers also have the right to request information from you: they can ask what data you hold about them, and you have to answer. We have recently seen big companies like Google and Facebook offering to show everything they know about us; it now becomes compulsory for everyone who works with personal data.
You cannot:
- use the data for purposes you did not tell your data subjects (your subscribers) about.
You can:
- come clean and tell your followers exactly what you are using their data for.
As a data controller, it is your responsibility to keep your subscribers’ personal data safe. Unfortunately, no system is perfect; accidents happen. If personal data is breached, you have to notify your data protection authority (the ICO in the UK) within 72 hours unless the breach is unlikely to put anyone at risk, and you also have to tell the affected data subjects themselves when the breach is likely to put them at high risk (a leaked list of names and email addresses that could be used for phishing, for example).
Your GDPR action plan
Okay, so how to become compliant? It is actually very simple, just follow this action plan!
- Create an email list using an email marketing service, e.g. MailChimp or SendGrid. They will store your subscribers’ addresses and consent records for you, and they act as your data processor.
- Go through your existing email lists (MailChimp or Excel sheets, Outlook contacts, etc.) and check whether you have proof of consent from everyone. If you have ever received email addresses ‘the shady way’ (e.g. through a newsletter email swap), this is your last chance to come clean and keep these addresses: ask for a reconfirmation! We, for example, have decided to start with a clean slate and delete all addresses in our newsletter database. Below is a snippet from the email we have sent, just to get some inspiration. Of course, you don’t have to delete anyone as long as you have an explicit confirmation at hand.
- Create strong passwords! This might seem obvious, but let’s just say it: you can’t use the same password for your bank account, email account and MailChimp account. As a data controller, it is your responsibility to do everything you can to keep data safe. Use a unique, strong password for every account (a password manager makes this painless), turn on two-factor authentication wherever the service offers it, change a password as soon as you suspect it has been exposed – and hope for the best.
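The retention rules from the right-to-be-forgotten section and the list clean-up in the action plan above are easy to state but easy to get wrong at the edges: an erasure request has to win over everything, a legal hold protects only the invoice and not the newsletter record, and a re-permission email needs a deadline after which silence means deletion. The following is an added example, not code from the original post or from any email marketing service; it audits a constructed subscriber list against a hypothetical policy. The field names (`consent_source`, `legal_hold`, `reconfirm_sent_at`, and so on), the accepted consent sources, and the one-year and 30-day periods are assumptions for illustration, not numbers the GDPR prescribes.

```python
"""Consent and retention audit for a small newsletter list.

Added example (not part of the original post). Record fields and the
retention periods are hypothetical policy choices; the GDPR itself sets
no fixed numbers, the data controller does.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Consent sources this policy accepts as explicit opt-in (hypothetical labels).
EXPLICIT_SOURCES = {"double_opt_in_form", "consent_checkbox", "reconfirmation_reply"}

REPERMISSION_AFTER = timedelta(days=365)  # silent for a year: ask again
RECONFIRM_WINDOW = timedelta(days=30)     # no reply to the ask: delete


@dataclass
class Subscriber:
    email: str
    consent_source: str                       # how the address came to you
    consent_at: Optional[date] = None         # when explicit consent was recorded
    last_engaged_at: Optional[date] = None    # last open, click or reply
    reconfirm_sent_at: Optional[date] = None  # when a re-permission email went out
    erasure_requested: bool = False           # subject asked to be forgotten
    legal_hold: bool = False                  # e.g. an invoice you must retain


def audit(sub: Subscriber, today: date) -> str:
    """Decide what to do with one record.

    Returns one of:
      keep                  - explicit consent on file and still engaged
      reconfirm             - send (or wait on) a re-permission email
      delete                - remove the record entirely
      delete_marketing_only - erase newsletter data, retain the legally required part
    """
    def erase() -> str:
        # A legal obligation overrides erasure, but only for the data it covers.
        return "delete_marketing_only" if sub.legal_hold else "delete"

    # An erasure request wins regardless of consent or engagement.
    if sub.erasure_requested:
        return erase()

    has_consent = sub.consent_source in EXPLICIT_SOURCES and sub.consent_at is not None

    # A re-permission email is outstanding: consent recorded on or after the
    # send date means they answered; otherwise delete once the window closes.
    if sub.reconfirm_sent_at is not None:
        if has_consent and sub.consent_at >= sub.reconfirm_sent_at:
            return "keep"
        if today - sub.reconfirm_sent_at >= RECONFIRM_WINDOW:
            return erase()
        return "reconfirm"  # still inside the window, keep waiting

    if not has_consent:
        return "reconfirm"  # no proof of opt-in: ask once, then delete

    # Inactivity is measured from the most recent of consent and engagement.
    last_touch = max(d for d in (sub.consent_at, sub.last_engaged_at) if d is not None)
    if today - last_touch >= REPERMISSION_AFTER:
        return "reconfirm"
    return "keep"


def run_audit(subs: List[Subscriber], today: date) -> Dict[str, str]:
    """Map every email address to its audit decision."""
    return {s.email: audit(s, today) for s in subs}


# Constructed sample records; none of these are real subscribers.
AUDIT_DATE = date(2018, 5, 25)
SAMPLE = [
    Subscriber("a@example.com", "double_opt_in_form", date(2018, 1, 10), date(2018, 4, 1)),
    Subscriber("b@example.com", "email_swap"),                           # no proof of consent
    Subscriber("c@example.com", "consent_checkbox", date(2016, 3, 1), date(2016, 6, 1)),  # silent for years
    Subscriber("d@example.com", "email_swap", reconfirm_sent_at=date(2018, 3, 1)),        # asked, no reply
    Subscriber("e@example.com", "reconfirmation_reply", consent_at=date(2018, 3, 5),
               reconfirm_sent_at=date(2018, 3, 1)),                      # asked, replied yes
    Subscriber("f@example.com", "double_opt_in_form", date(2017, 1, 1), date(2018, 4, 1),
               erasure_requested=True, legal_hold=True),                 # wants out, but has an invoice
]

if __name__ == "__main__":
    for email, decision in run_audit(SAMPLE, AUDIT_DATE).items():
        print(f"{email:16} {decision}")
```

Run it once and you get a decision per address that you can feed straight into your marketing service’s delete, tag or export actions; keep the output as your record of what you did and why, since being able to show your reasoning is part of what the regulation asks of a controller.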
Check out The Society of Authors website for further help on GDPR compliance.
A great collection of articles is available on the Writer’s Fun Zone.
The Authors Guild also has a checklist of to dos before May 25.