The new European General Data Protection Regulation (GDPR) is coming to effect shortly (May 25), and has definitely created a lot of buzz. GDPR for Authors aims to demystify the new regulations and explain what GDPR means for authors, publishers and bloggers. If you have completely missed the news: it is still not too late to start preparing!
Disclaimer: The information in this article is for general guidance on GDPR and is not legal advice. We’ve tried to ensure that all information is accurate, but please contact an adviser or solicitor for more help.
What is GDPR and whom does it apply to?
The General Data Protection Regulation is a new law prepared by the European Parliament to strengthen and unify data protection laws all over Europe to protect data of European citizens. It not only harmonises local regulations, but also raises fines to ensure that data is responsibly handled.
GDPR is one of few regulations with an extraterritorial effect. This means that everyone is affected who has at least one customer (or subscriber or reader) from Europe. Regardless of whether you are a one-person company, a startup or a Google-sized organisation, it applies to you, as long as you have European subscribers or contacts. The new data protection laws will come into effect on May 25.
What is the purpose of GDPR?
The data protection regulation puts privacy first. It aims to ensure that all EU citizens have the right to know what happens to their personal data. This is not a big thing to ask, is it? While the fines sound scary, most people welcome GDPR for the clarity and transparency it brings to data management.
What counts as personal data?
A very good question! Your name, a personal email address containing your name (eg. firstname.lastname@example.org), your computer’s IP address, any photos or social media posts. It is basically anything that can be used to identify somebody. Some information only counts as personal data if it is grouped together. As the ICO points out, the name John Smith doesn’t count as personal data as it is not enough to identify somebody, but John Smith and an address or telephone number would. The email address email@example.com wouldn’t count as personal data, but grouped together with the name Ms Kitty Cat, it would.
To decide what is personal data, follow the flowchart on the ICO website.
GDPR for authors: why does it affect authors and publishers?
If you’re doing any kind of marketing, you are likely to be affected. Sending emails, setting up giveaways, but even collecting payments on your website qualify as working with data. If you have a website with a sign-up or a PayPal form, you are a data controller, scary as it might sound.
Good news though: the majority of these third party apps (data processors)have implemented new policies and mechanisms to keep you (and your data subjects) protected. For example, we’re using SendGrid for sending emails to multiple people at once, and SendGrid is doing a fabulous job of informing marketers about dos and don’ts. They also have policies in place to make sure that whatever you do complies with regulations.
But what are the regulations?
The most important change concerning indie authors is that your subscribers now have to give explicit consent before you can sign them up to your newsletter.
- sign up everyone who has ever sent you an email or contacted you through a webform.
- swap list of email addresses with another writer (unless explicitly consented).
- sign up the people to your newsletter in exchange for free ebooks. The two actions (receiving the book and signing up) should be separated. For example, you cannot use Instafreebies with mandatory newsletter opt-in to grow your mailing list. Read Instafreebie’s GDPR update here.
- collect email addresses through a Facebook campaign and sign them up to your newsletter.
- create a ‘sign me up’ button in your emails or under to your webform.
- offer people a consent form on your free ebook download page where they explicitly agree that you’ll sign them up. A good example of a consent form is to be found here.
The right to be forgotten
Another important change is that consent isn’t forever. I attended a yoga class 8 years ago in Budapest and I’m still receiving emails from the organiser, even though I no longer live in the country. There are no strict rules regarding this question, but you have to make your own, reasonable regulations, and stick to them.
The right to be forgotten also includes that anyone has the right to message their data controllers and can ask their data to be erased.
- keep every email address or other personal data forever. You have to delete it after a reasonable timeframe. Use an email marketing service to track customer engagement for you (to check who has opened and clicked your emails), and remove people who have lost interest in you or in your service.
- ask people to confirm that they’re still interested in receiving emails from you. You can email your signuppers after a period of inactivity and ask them to opt in or opt out. A great example of a re-permission panel can be found here.
- keep data that you have to keep for other legal obligations. For example, if you’re filing your own tax return, you have to keep invoices for a certain number of years. You can’t delete an invoice from somebody just because they have asked their data to be deleted. You have to make sure, however, that you delete everything that is not necessary for fulfilling your legal obligations, and that you delete the data once you no longer need it legally.
The right for transparency
Probably the most widely welcome regulation concerning the GDPR is the right to know what happens to your data. No more shady business, no more using my data to swing the election. Companies have to create detailed privacy policies (written in plain English), list all software they use as data processors and explain what data they are collecting and how they are using it.
Your followers or subscribers also have the right to request information from you: they can ask you what data you have on them. We have recently seen big companies like Google and Facebook offering to show everything they know about us, but it will now become compulsory for everyone who works with data.
- use the data for purposes you didn’t tell your data subjects (your subscribers).
- come clean and tell your followers what you’re using their data for.
As a data controller, it is your responsibility to keep personal data of your subscribers safe. Unfortunately, no system is perfect; accidents happen. In case of a breach, you’ll have to notify your data subjects that their data had been leaked, and – in some cases – notify data protection authorities (ICO in the UK).
Your GDPR action plan
Okay, so how to become compliant? It is actually very simple, just follow this action plan!
- Create an email list using an email marketing service, eg. MailChimp or SendGrid. They’ll take care of managing your email addresses for you.
- Go through your existing email lists (MailChimp or Excel sheets, Outlook contacts, etc.) and check if you have proof of consent from everyone. If you have ever received email addresses ‘the shady way’ (eg. through a newsletter email swap), this is your last chance to come clean and keep these addresses: ask for a reconfirmation! We, for example, have decided to start with a clean slate and delete all addresses in our newsletter database. Below is a snippet from the email we have sent, just to get some inspiration. Of course, you don’t have to delete anyone as long as you have an explicit confirmation at hand.
- Create strong passwords! This might seem obvious, but let’s just say it: you can’t use the same password for your bank account, email account and MailChimp account. As a data controller, it is your responsibility to do everything you can to keep data safe. Use strong passwords, change them frequently – and hope for the best.
Check out The Society of Authors website for further help on GDPR compliance.
A great collection of articles is available on the Writer’s Fun Zone.
The Authors Guild also has a checklist of to dos before May 25.