Tuesday, May 22, 2018

GDPR: What Authors Need to Know

By Iola Goulton @iolagoulton


What is GDPR?


The GDPR is the General Data Protection Regulation. It was adopted in 2016 and applies from 25 May 2018, which is when it becomes enforceable. It harmonises data protection law across the European Union (EU), so it affects any organisation holding personal data about EU residents. Note that the EU still includes the United Kingdom, so GDPR applies there too. The British government have indicated they will keep GDPR-equivalent legislation following Brexit (if it goes ahead).

Why do authors need to know about GDPR?


GDPR applies to organisations based in the EU, and to organisations based anywhere else that offer goods or services (paid or free) to EU residents, or monitor their behaviour, and collect or process those residents' personal data in doing so. 


Some contributors to (and readers of) International Christian Fiction Writers are based in the EU, so are directly affected by GDPR. The rest of us are likely to be affected as well, because we are supplying goods or services in the EU:
  • If we have a book listed on Amazon.co.uk or BookDepository.com, we're indirectly supplying goods.
  • If we have a website that's viewable in the EU, we're supplying services in the form of information. Free services, but still services. (Strictly, the regulation's own recitals say a site merely being reachable from the EU isn't enough on its own; what counts is whether you are deliberately offering something to people there, which a blog written for an international readership is.)
  • If we have an email list that includes EU residents or may include EU residents in the future, we're supplying services, and we may also be marketing to EU residents.
If you have a self-hosted website, your site is collecting a lot of information on your behalf, and you are responsible for ensuring that only the data you actually need is collected, that what is collected is kept secure, and that it is deleted on request or once it is no longer needed.

For example, if you comment on www.iolagoulton.com, I ask for your name, email address, and website (although that's optional). But the website also records your IP address, and may set cookies: one so the site remembers you have commented before and that I approved your comment, so your later comments aren't held for moderation, and another so the email signup pop-up isn't shown to you more than once every 90 days.


Yes, you need to know about GDPR.


But GDPR isn't the big bogeyman some commentators are making it out to be. Sure, it tightens the rules on how we collect and use personal data, but its core principle is that anyone holding personal data must use it in a way that is lawful, fair, and transparent.

Please note: I'm not a lawyer, so none of the information in this blog post is legal advice. It's my best guess as a layperson who has studied the subject. If you want legal advice, ask a lawyer who is qualified to practise in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don't get legal advice off the internet.


There are two excellent YouTube videos from British lawyers, and I'll link to those at the bottom of the post for those who want or need to know more.

What does this mean?


We tell people what data we are collecting, why we are collecting it, what we are going to use it for, and we only use it for that purpose. And that purpose must be lawful.

We only collect the data we need, and we have a lawful basis for holding it. For an author's mailing list that basis is usually the subscriber's consent, although consent is only one of the lawful bases GDPR recognises. We do not pass data on without permission, and we make sure anyone we pass data to (an email service provider, for example) is also collecting and using that data lawfully.

That’s not so hard, is it?


First, the Possible Exception.


Yes, there is an exception, and that's when your website or blog is managed through a free provider such as Blogger (like Australasian Christian Writers) or WordPress.com (but not self-hosted WordPress.org).

Google owns Blogger. Blogger/Google collects personal information every time we publish a post on Blogger, or comment on an existing post. The writer owns the copyright in the content, but Google owns the platform.

I suspect this makes Blogger the data controller, not me (or us, in the case of ACW), and that means it is up to Google to ensure Blogger sites are GDPR compliant. Click here to read Google's Privacy Policy.

I think the same is true for WordPress.com (i.e. not self-hosted WordPress). It's hosted by WordPress, which means they own the platform. Click here to read the WordPress.com Privacy Policy. Note, though, that WordPress.com's policy treats data about visitors to users' sites as something it processes on the site owner's behalf, and asks site owners to publish their own privacy policy:

We also process information about visitors to our users’ websites, on behalf of our users and in accordance with our user agreements. Please note that our processing of that information on behalf of our users for their websites isn’t covered by this Privacy Policy. We encourage our users to post a privacy policy that accurately describes their practices on data collection, use, and sharing of personal information.


If this isn’t right, please let us know in the comments (with the appropriate link), and I'll update the post.


What do you need to do to prepare for GDPR?


If you have a self-hosted blog or website, or an email list, then there are some tasks you need to complete to prepare for GDPR. Based on the research I've done, here's my approach:

1. SSL Certificate


An SSL (strictly, TLS) certificate lets your site serve pages over HTTPS, which encrypts the traffic between a visitor's browser and your server. Without it, the names and email addresses people type into your comment, contact, and signup forms cross the network in plain text. If you don't already have a certificate, now is a good time to get one; many web hosts now provide one free (Let's Encrypt is the usual source). Once it's installed, check that plain http:// addresses redirect to https:// and that your forms submit to the https:// version of the site, otherwise the certificate protects nothing.

Neil Patel at Kissmetrics has just published a detailed post on the subject.

2. Privacy Policy

You need a Privacy Policy, outlining the personal data you collect and how that is used. I spent a whole day researching privacy policies online (and wrote a blog post about it), then discovered this: WordPress Privacy Policy

Automattic, the company behind WordPress.com and WooCommerce, has made its Privacy Policy available under a Creative Commons ShareAlike licence. You will need to adapt it for your own needs and brand voice, but it's a great start.

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it's not GDPR-compliant. I contacted Zegal, and they say they will be releasing a GDPR-compliant Privacy Policy before 25 May, but it will only be available to paying customers.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I'm currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law (the ePrivacy Directive, which sits alongside GDPR) requires website owners to tell visitors which cookies the site sets and, for any cookie that isn't strictly necessary for the site to work, to obtain consent before setting it. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin. It's easy to install and customise (you can see it in action at www.iolagoulton.com; note that I haven't customised it at all).

5. Contact Form

Most websites have a contact form allowing visitors to email the website owner. It seems pretty obvious to me that completing a contact form means the website owner is getting your personal information, but some people are recommending adding a tickbox to make this explicit.

Regardless, your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate, which means WordPress users have no excuse.

6. Comments Form

Most blogs have a comments section, which collects personal information. Do we need to add a tickbox for specific consent? I've seen blog posts from non-experts that suggest we do, but my WordPress site doesn't have any way of adding a tickbox to comments. (WordPress 4.9.6, released on 17 May 2018, does add an opt-in checkbox for the cookies that remember your name and email between comments, along with privacy policy and data export/erasure tools, but that checkbox covers the cookie, not consent to the comment data itself.)

However, the WP GDPR Compliance plugin also handles comments, so I've added the tickbox using this plugin. It took another three minutes.
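The post notes above that a self-hosted WordPress site stores each commenter's IP address alongside their name and email, and that the site owner is responsible for collecting only what they need. Here is an added example (not code from the original post, and not from any plugin it mentions) of shrinking that footprint with a few lines of PHP. It hooks WordPress's own `pre_comment_user_ip` filter, which core applies to every new comment before it is saved, and replaces the full address with a truncated one that identifies a network rather than a person. The function name `example_anonymise_ip` and the sample addresses are this example's own.

```php
<?php
/**
 * Added example (not from the original post): store an anonymised commenter
 * IP instead of the full address on a self-hosted WordPress site.
 *
 * Save it as a small plugin (e.g. wp-content/plugins/anonymise-comment-ip.php)
 * or add it to a child theme's functions.php. 'pre_comment_user_ip' is a real
 * WordPress core filter, applied in wp_filter_comment() before a new comment
 * is written to the database. The function name below is this example's own.
 */

/**
 * Truncate an IP address so it no longer points at a single device:
 *  - IPv4: keep the first three octets, zero the last (203.0.113.42 -> 203.0.113.0)
 *  - IPv6: keep the first 64 bits (the network prefix), zero the host part
 * Anything that is not a valid IP address is discarded entirely.
 */
function example_anonymise_ip( $ip ) {
    $ip = trim( (string) $ip );

    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $packed = inet_pton( $ip );
        // 4 bytes; blank the final octet.
        $packed = substr( $packed, 0, 3 ) . "\x00";
        return inet_ntop( $packed );
    }

    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        $packed = inet_pton( $ip );
        // 16 bytes; keep the first 8 (the /64 prefix), blank the rest.
        $packed = substr( $packed, 0, 8 ) . str_repeat( "\x00", 8 );
        return inet_ntop( $packed );
    }

    // Not an address we recognise: store nothing rather than something odd.
    return '';
}

// Register the filter when running inside WordPress.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'pre_comment_user_ip', 'example_anonymise_ip' );
}

// Stand-alone check from the command line (constructed sample input,
// not real visitor data), so the function can be tried outside WordPress.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
    $samples = array( '203.0.113.42', '2001:db8:85a3::8a2e:370:7334', 'not-an-ip' );
    foreach ( $samples as $sample ) {
        printf( "%-32s -> %s\n", $sample, example_anonymise_ip( $sample ) );
    }
}
```

This only affects comments submitted after the filter is active; addresses already sitting in the wp_comments table stay as they are until you clear them or delete the old comments. Returning an empty string instead of a truncated address is also a valid choice if you never use the IP at all. Note too that an anti-spam plugin such as Akismet sends the commenter's IP to its own service to score the comment; that processing happens independently of this filter and belongs in your privacy policy as well.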

7. Email Signup Forms

Your email signup forms need to include a reference or link to your new or updated Privacy Policy. You must also make it clear that visitors are signing up for a newsletter that will include sales and marketing emails, and that they have the option to unsubscribe at any time (which they will have if you're using a competent external email service provider. You are, right?)

There has been discussion over whether you can still offer a free gift to new subscribers. My understanding is that you can, but it has to be:

Sign up for my email list to receive regular newsletters and occasional marketing emails. In return, I'll send you a free gift!


Not:

Want a free gift? Sign up here!


Even better, have a tickbox as part of the signup form, so your website visitors know exactly what they are getting. I use Bloom from Elegant Themes* for my website signups, and that doesn't have the tickbox option. Yet. MailChimp* does have GDPR-compliant forms, but they are not as pretty as my Bloom forms.

* These are affiliate links, which means I get a small commission if you purchase something using these links. The amount you pay does not change. If you don't want to use affiliate links, then use your favourite search engine to find the sites.

8. Email List


Do you need to contact everyone on your list before 25 May to reconfirm they want to be on your email list?


This is the really hard part, and it's something even the experts can't agree on. Some experts and mailing list providers say yes. They say you need to email everyone on your list and ask them to reconfirm their consent, then delete the people who unsubscribe or don't respond. The issue with this approach is you will lose a large number of subscribers (although it is argued you're only losing the unengaged subscribers, so cutting them will improve the performance of your list).

Some email list providers (e.g. AWeber, ConvertKit) can segment out EU subscribers by the IP address they signed up from, which makes the consent process easier. Bear in mind that IP geolocation is approximate (it reflects where the network connection appeared to be at signup, not where the person lives), so treat it as a best guess rather than proof of residence. If your email provider has this option, it's worth exploring.

Other experts advise against asking your email list to reconfirm their consent, because sending the email implies you don't have a record of their consent and you shouldn't be emailing someone without their consent.

The approach you take will depend on how you built your email list, and who your email list provider is. MailChimp (my email list provider) seems to be taking a softly-softly approach. Others (e.g. MailerLite) seem to be more aggressive in requiring list owners send reconfirmation emails.

What I don't recommend is what I've seen two US-based authors do over the last few days: email their list with a suggestion/request people opt out if they no longer want to be on the mailing list, and that not opting out will be taken as consent for GDPR. I don't like this approach for two reasons:
  1. There should already be an unsubscribe option on every email you send.
  2. This is passive consent: do nothing, and you're on the list. GDPR requires consent to be a clear, affirmative action by the subscriber, so silence, inactivity, or a pre-ticked box doesn't count. Subscribers have to tick the box that says "Sign me up!" to be on your list, not untick it to stay off your list. 
There is one thing the experts agree on: this is a good opportunity to try to re-engage your email list, and to delete those who haven't opened recent emails (say, any email in the last three or six months, or your last three or six emails). This is the approach I have taken.

Listen to the Experts


As I said at the beginning, I'm no lawyer. But I've read a lot of blog posts, and listened to podcasts and watched videos from GDPR legal experts. Here are the two best sources of information I've found:

Mark Dawson's Self-Publishing Formula podcast interviewed British lawyer Gemma Gibbs:



Nick Stephenson's First 10,000 Readers interviewed British lawyer Suzanne Dibble. Suzanne also has a Facebook group with loads of free information. Click here to find Suzanne's Facebook group. She also has a GDPR Compliance Kit for sale, for GBP 197. Here's Suzanne on GDPR:




What do you need to do to prepare for GDPR?



About Iola Goulton

Iola Goulton is a New Zealand book reviewer, freelance editor, and author, writing contemporary Christian romance with a Kiwi twist. She is a member of the Sisterhood of Unpronounceable Names (Iola is pronounced yo-la, not eye-ola and definitely not Lola).

Iola holds a degree in marketing, has a background in human resource consulting, and currently works as a freelance editor. When she’s not working, Iola is usually reading or writing her next book review. Iola lives in the beautiful Bay of Plenty in New Zealand (not far from Hobbiton) with her husband, two teenagers and one cat.

7 comments:

  1. Thank you for this post!
    I use a free version website, and I'm pretty sure I get some visitors from the EU... so I'm trying to get compliant, but the truth is I don't control any of the data that's being collected.

    Replies
    1. It sounds like your main task will be to update your Privacy Policy.

  2. This is so confusing... :o I use Bluehost/MailPoet, and they have templates we can use, but I'm not sure how to make the template specific to me. I'm not sure what Bluehost and/or MailPoet collect and for how long or how they keep it... I did receive a message from MailPoet saying I don't need to email my whole list asking people to opt in again. They tell me a bunch of stuff I have to do, but swear that's not one of them... I've received some requests to re-opt in from newsletters I subscribed to in the past, but none of the big names have sent me anything (Ann Voskamp, Max Lucado, Paulo Coelho, Nicholas Sparks, Autism Speaks, The Mighty...). Maybe they can see who's in the EU and who's not? Hmm... Thanks for sharing what you've learned so far. This will be a process.

    Replies
    1. I think the reason the big names haven't sent anything is because either they are confident they have a record of your consent, or they are using one of the more expensive email service providers which are able to segment out where people live and only send the reconfirmation to people in the EU. I've heard AWeber and ConvertKit have this capability. If MailChimp has, I can't find it!

      My view is that if you're confident you have a record of consent, you don't need to send reconfirmation emails. But you will need to review and update your contact and comment forms, and possibly your email signup form.

  3. Wow! Thank you, Ilona. I'm sure this affects all of us. I had heard of it, but really didn't have a clue what it was all about.

    Replies
    1. Yes, it definitely affects us, even if we're not in the EU.

      Having said that, most of the rules are sensible. The interesting part is I hadn't realised how much information my website was collecting.

  4. Iola, excellent post! Thanks for sharing your research with us. There seems to be a lot of misinformation flying around, which is causing confusion and making it harder to navigate the changes.
