By Iola Goulton @iolagoulton
What is GDPR?
The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018. It harmonizes data privacy laws across the European Union (EU), so it affects any organization holding personal data from EU residents. Note that the EU still includes the United Kingdom, so GDPR still applies. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).
Why do authors need to know about GDPR?
GDPR affects all organisations based in the EU, or supplying goods or services in the EU, that collect and process the data of EU residents, regardless of where they are based.
Some contributors to (and readers of) International Christian Fiction Writers are based in the EU, so are directly affected by GDPR. The rest of us are likely to be affected as well, because we are supplying goods or services in the EU:
- If we have a book listed on Amazon.co.uk or BookDepository.com, we're indirectly supplying goods.
- If we have a website that's viewable in the EU, we're suppling services in the form of information. Free services, but still services
- If we have an email list that includes EU residents or may include EU residents in the future, we're supplying services, and we may also be marketing to EU residents.
For example, if you comment on www.iolagoulton.com, I ask for your name, email address, and website (although that’s optional). But the website also collects and stores your IP address, and may store cookies (e.g. so the site remembers you have commented before and that I approved your comment, so subsequent comments aren’t held for moderation. Another cookie knows not to show you the email signup pop-up more often than once every 90 days).
Yes, you need to know about GDPR.
But GDPR isn’t the big bogeyman some commentators are making it out to be. Sure, it toughens up on the way we collect and use personal data, but the main principles are around people who hold personal data using that data in a way that is fair, transparent, and lawful.
Please note: I'm not a lawyer, so none of the information in this blog post is legal advice. It's my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don't get legal advice off the internet.
There are two excellent YouTube videos from British lawyers, and I'll link to those at the bottom of the post for those who want or need to know more.
What does this mean?
We tell people what data we are collecting, why we are collecting it, what we are going to use it for, and we only use it for that purpose. And that purpose must be lawful.
We only collect the data we need, with the permission of the owner of that data. We do not pass data on without permission, and we make sure anyone we pass data to is also collecting and using that data lawfully.
That’s not so hard, is it?
First, the Possible Exception.
Yes, there is an exception, and that's when your website or blog is managed through a free provider such as Blogger (like Australasian Christian Writers) or WordPress.com (but not self-hosted WordPress.org).
As best as I can tell, Google owns Blogger. Blogger/Google collects personal information every time we upload a post to Blogger, or comment on an existing post. The writer owns the copyright, but Google owns the platform.
If this isn’t right, please let us know in the comments (with the appropriate link), and I'll update the post.
What do you need to do to prepare for GDPR?
If you have a self-hosted blog or website, or an email list, then there are some tasks you need to complete to prepare for GDPR. Based on the research I've done, here's my approach:
1. SSL Certificate
SSL certification adds a layer of security to your website. If you don't already have SSL certification, now is a good time to consider it. You may be able to get a free SSL certificate from your web host.
Neil Patel at Kissmetrics has just published a detailed post on the subject.
If you use WordPress, check out the GDPR Cookie Compliance plugin. It's easy to install and customise (you can check it out at www.iolagoulton.com. Note that I haven't customised it at all.)
5. Contact FormMost websites have a contact form allowing visitors to email the website owner. It seems pretty obvious to me that completing a contact form means the website owner is getting your personal information, but some people are recommending adding a tickbox to make this explicit.
6. Comments FormMost blogs have a comments section, which collects personal information. Do we need to add a tickbox for specific consent? I've seen blog posts from non-experts that suggest we do, but my WordPress site doesn't have any way of adding a tickbox to comments.
However, the WP GDPR Compliance plugin also handles comments, so I've added the tickbox using this plugin. It took another three minutes.
There has been discussion over whether you can still offer a free gift to new subscribers. My understanding is that you can, but it has to be:
Sign up for my email list to receive regular newsletters and occasional marketing emails. In return, I'll send you a free gift!
Want a free gift? Sign up here!
Even better, have a tickbox as part of the signup form, so your website visitors know exactly what they are getting. I use Bloom from Elegant Themes* for my website signups, and that doesn't have the tickbox option. Yet. MailChimp* does have GDPR compliant forms, but they are not as pretty as my Bloom forms.
* These are affiliate links, which means I get a small commission if you purchase something using these links. The amount you pay does not change. If you don't want to use affiliate links, then use your favourite search engine to find the sites.
8. Email List
Do you need to contact everyone on your list before 25 May to reconfirm they want to be on your email list?
This is the really hard part, and it's something even the experts can't agree on. Some experts and mailing list providers say yes. They say you need to email everyone on your list and ask them to reconfirm their consent, then delete the people who unsubscribe or don't respond. The issue with this approach is you will lose a large number of subscribers (although it is argued you're only losing the unengaged subscribers, so cutting them will improve the performance of your list).
Some email list providers (e.g. AWeber, ConvertKit) seem to be able to segment out EU subscribers by their IP address, which makes the consent process easier. If your email provider has this option, it's worth exploring.
Other experts advise against asking your email list to reconfirm their consent, because sending the email implies you don't have a record of their consent and you shouldn't be emailing someone without their consent.
The approach you take will depend on how you built your email list, and who your email list provider is. MailChimp (my email list provider) seems to be taking a softly-softly approach. Others (e.g. MailerLite) seem to be more aggressive in requiring list owners send reconfirmation emails.
What I don't recommend is what I've seen two US-based authors do over the last few days: email their list with a suggestion/request people opt out if they no longer want to be on the mailing list, and that not opting out will be taken as consent for GDPR. I don't like this approach for two reasons:
- There should already be an unsubscribe option on every email you send.
- This is passive consent—do nothing, and you're on the list. The principle of GDPR is that subscribers must actively consent to being on your mailing list. That is, they have to check the box that says "Sign me up!" to be on your list, not uncheck it to stay off your list.
Listen to the Experts
As I said at the beginning, I'm no lawyer. But I've read a lot of blog posts, and listened to podcasts and watched videos from GDPR legal experts. Here are the two best sources of information I've found:
Mark Dawson's Self-Publishing Formula podcast interviewed British lawyer Gemma Gibbs:
Nick Stephenson's First 10,000 Readers interviewed British lawyer Suzanne Dibble. Suzanne also has a Facebook group with loads of free information. Click here to find Suzanne's Facebok group. She also has a GDPR Compliance Kit for sale, for GDP 197. Here's Suzanne on GDPR:
What do you need to do to prepare for GDPR?
About Iola GoultonIola Goulton is a New Zealand book reviewer, freelance editor, and author, writing contemporary Christian romance with a Kiwi twist. She is a member of the Sisterhood of Unpronounceable Names (Iola is pronounced yo-la, not eye-ola and definitely not Lola).
Iola holds a degree in marketing, has a background in human resource consulting, and currently works as a freelance editor. When she’s not working, Iola is usually reading or writing her next book review. Iola lives in the beautiful Bay of Plenty in New Zealand (not far from Hobbiton) with her husband, two teenagers and one cat.