
What Authors Need to Know about GDPR (General Data Protection Regulation)

This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:

I have two posts in the Blog Hop this month—this post on GDPR, and I’m also guest posting on Publishing at Ronel the Mythmaker’s blog, as part of her April A-Z Challenge.

But here I’m talking about the General Data Protection Regulation: what it is, and why authors need to know about it.

First, the PSA. I’m not a lawyer, so nothing in this blog post is legal advice. It’s my best understanding as a layperson who has studied the subject. If you want legal advice, ask a lawyer who is qualified to practise in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet. Now, on with the blog post.

What is GDPR?

The GDPR is the General Data Protection Regulation, and applies from 25 May 2018. It harmonises data privacy laws across the European Union (EU), and it protects people who are in the EU, not just EU citizens, so it affects any organisation holding personal data about people in the EU. Note that the EU still includes the United Kingdom, so GDPR still applies there. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).

Why do authors need to know about GDPR?

GDPR affects all organisations based in the EU, and all organisations anywhere that supply goods or services to people in the EU or monitor their behaviour (which is what website analytics does). If you have a website or an email list, this includes you.

If you have an email list, you’re supplying services. Your subscribers may not pay you, but you are supplying a service. If your email list includes EU residents, or is likely to include EU residents in the future, the GDPR applies to you whether you live in the EU or not.

[The GDPR] applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

If you have a website, you’re collecting information on your visitors. If you have visitors who are EU residents, the GDPR applies to you whether you live in the EU or not.

‘Personal data’ includes data such as a name or email address. It also includes IP addresses (such as those collected by your website when someone comments), and posts on social networking sites.

‘Companies’ includes your email list provider (e.g. MailChimp or MailerLite), and includes the cloud hosting providers behind them. If you use an email list provider and follow their recommended best practice (e.g. double opt-in), then you are probably operating within the law. Probably. As I’ve said before, I’m not a lawyer and this is not legal advice.

GDPR requires that you collect the minimum data necessary.

This has always been best practice: if you are collecting email addresses, the only piece of data you actually need is the email address.

Asking for their first name might help you build a relationship with the subscriber (if they type their name correctly!), but it’s not necessary. Many sites also ask for a surname, and few people are going to object to that. But giving my business name, address, telephone number, number of employees … that’s over the top when all I want to do is download a short pdf file.

You have the option of making fields compulsory or optional. If the field is anything but 100% necessary, make it optional (most people will still complete it).

Note: this also applies to the contact form on your website, because that’s another way of collecting personal information.

GDPR requires active and explicit consent

The regulations say:

Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

People must be actively consenting to join your email list.

  • Joining the email list can’t be automatic by filling out a form (as happened to me today!).
  • If you have a reader magnet or other free gift, then you can’t send the gift and tell people they are now on your email list. You have to give them the option to download the gift without joining your list, or invite them to join your list and send the gift as a thank you.
  • If there is a “Join my list” checkbox, it has to be unchecked. This means the would-be subscriber has to actively check the box.
  • Joining can’t be one item in a long and unreadable list of legalese.

I suspect people also can’t explicitly consent to joining twenty email lists at once. We used to see this in online giveaways. Now, giveaways must give entrants the option to opt in or not opt in to each participant’s list (which some giveaways always did).

It must also be easy to withdraw consent. All the major email providers make this easy, by offering instant unsubscribe options (a far cry from when I used to unsubscribe to a spam email list and be told it might take up to a month!). Subscribers also have the right to have all their information deleted upon request, and the good email list providers do their best to make that easy as well.
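To make the two preceding sections concrete (collect the minimum data, and require active, explicit consent that is as easy to withdraw as to give), here is an added example of a signup handler that is not from the original post and not the code of any email provider named here. It assumes a self-hosted HTML form that posts an `email` field, an optional `first_name` field, and a `consent` checkbox that sends nothing when unchecked (standard browser behaviour); the class and method names are hypothetical. It refuses a signup unless the box was actively ticked, discards every other field the form happens to send (including the visitor’s IP address), records the exact wording the subscriber agreed to and when, and only counts someone as subscribed after a double opt-in link signed with an HMAC and carrying an expiry has been clicked.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical per-deployment signing key for confirmation links (assumption:
# in a real deployment this would be loaded from configuration, not generated
# fresh on every start, or every outstanding confirmation link would break).
SECRET = secrets.token_bytes(32)


@dataclass
class Subscriber:
    """Data minimisation: the only required field is the email address."""
    email: str
    consent_text: str        # exact wording the subscriber was shown
    consent_at: float        # when the box was ticked (Unix time)
    first_name: Optional[str] = None  # optional, never required
    confirmed_at: Optional[float] = None  # set only after double opt-in


class MailingList:
    def __init__(self, secret: bytes = SECRET, token_ttl: int = 48 * 3600):
        self.secret = secret
        self.ttl = token_ttl  # confirmation links expire after this long
        self.subscribers: Dict[str, Subscriber] = {}

    def signup(self, form: dict, consent_text: str, now: Optional[float] = None) -> str:
        """Handle the posted form; return the confirmation token to email out."""
        now = time.time() if now is None else now
        # The checkbox is unchecked by default, so an absent or falsy field
        # means no consent. Never default this to True.
        if form.get("consent") not in ("on", True):
            raise ValueError("explicit consent required")
        email = str(form.get("email", "")).strip().lower()
        if "@" not in email:
            raise ValueError("a valid email address is required")
        # Keep first_name only if the subscriber chose to give one; every other
        # field in the form (phone, address, IP address ...) is simply not stored.
        sub = Subscriber(
            email=email,
            consent_text=consent_text,
            consent_at=now,
            first_name=(str(form["first_name"]).strip() or None)
            if form.get("first_name") else None,
        )
        self.subscribers[email] = sub
        return self._token(email, int(now))

    def _token(self, email: str, issued: int) -> str:
        """Double opt-in token: issue time plus an HMAC over email and time."""
        mac = hmac.new(self.secret, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()
        return f"{issued}.{mac}"

    def confirm(self, email: str, token: str, now: Optional[float] = None) -> bool:
        """Called when the subscriber clicks the link; only then are they subscribed."""
        now = time.time() if now is None else now
        try:
            issued = int(token.split(".", 1)[0])
        except ValueError:
            return False
        # Recompute and compare in constant time so a forged link cannot be guessed.
        if not hmac.compare_digest(self._token(email, issued), token):
            return False
        if now - issued > self.ttl:
            return False  # stale link: the signup must be repeated
        sub = self.subscribers.get(email)
        if sub is None:
            return False
        sub.confirmed_at = now
        return True

    def active(self) -> List[str]:
        """Only confirmed subscribers may be emailed."""
        return sorted(e for e, s in self.subscribers.items() if s.confirmed_at is not None)

    def unsubscribe(self, email: str) -> bool:
        """Withdrawal and erasure in one step: the record is deleted, not flagged."""
        return self.subscribers.pop(email.strip().lower(), None) is not None

    def purge_unconfirmed(self, now: Optional[float] = None) -> int:
        """Drop signups whose confirmation link has expired; returns how many."""
        now = time.time() if now is None else now
        stale = [e for e, s in self.subscribers.items()
                 if s.confirmed_at is None and now - s.consent_at > self.ttl]
        for e in stale:
            del self.subscribers[e]
        return len(stale)
```

The consent wording is stored alongside the timestamp because “I agreed to something” is of little use later; “I agreed to this sentence at this time” is the record a provider’s reconfirmation template is effectively rebuilding for you. Note that a hosted provider (MailChimp, MailerLite, ConvertKit, Aweber) already does all of this, which is the main reason to use one rather than your own form.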

How email providers are reacting

The major email providers do have lawyers on staff. I’m sure they’ve all been busy reading and arguing the finer points of the legislation, and considering what they need to change in order to ensure their customers (you and me) remain compliant.

Here’s what some of the main email providers have to say about GDPR:

Aweber is self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and intend to be fully compliant with GDPR. They say Aweber customers need to ensure they comply with Aweber terms of service to help ensure they are GDPR-compliant.

ConvertKit are building new features to enable users to identify their EU subscribers and collect explicit consent from them, including a specific opt-in checkbox for EU subscribers.

ConvertKit recommend users:

  • Use double opt-in wherever possible.
  • Perform regular list backups.
  • Make your intentions clear on email signup forms and landing pages (e.g. what will they get by signing up to this list? Will they also be signed up to another list?).

This is good advice for everyone.

MailChimp have introduced a specific opt-in box on MailChimp-hosted forms, and recommend users clearly explain to subscribers how their data will be used. MailChimp is certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.

MailerLite have developed a GDPR template to help users reconfirm their email list to be sure everyone has actively and explicitly consented.

What should I do?

If you’re not 100% sure all your subscribers have opted in to receiving your emails (e.g. you haven’t always used a double opt-in), then you should check out what templates or services your email list provider offers, and use them to clean your list.

If you have an email list, you need to use a recognised email list provider! No, you can’t send bulk emails through Gmail, Hotmail, or Outlook.

Have you cleaned your email list lately? Have you deleted the people who never open your messages? Sure, it will mean fewer people on your list. There are advantages to cutting the dead weight from your list. It will increase your open rates, cost you less, and mean your emails are less likely to end up in spam. Isn’t that a good thing?

What do you need to do to prepare for GDPR?

Need help with your novel? I'm available for manuscript assessment and editing services. Need help with your author platform? Check out my Kick-Start Your Author Platform Marketing Challenge. Looking for a publisher? Sign up to my newsletter below.

  1. Great information. Instead of being alarmist, you simply state the facts necessary for the authors. There is entirely too much alarmist attitude going on with the GDPR at the moment.

    I’ll be sharing this information!

    • Iola says:

      Thanks for sharing!

      If people have come by their email lists honestly (i.e. haven’t added people without their permission, haven’t bought lists) and use them professionally (no spam), then they should be fine (should!). Authors and bloggers aren’t the people legislation like this is trying to combat. But it’s important to know the principles of the law so we don’t accidentally do something stupid (like buy a mailing list).

  2. Louise says:

    Interesting post. I’ve never heard of GDPR, but it will be great information to consider when I get around to making my email mailing list 🙂

    • Iola says:

      There will be a follow-up post on GDPR next week, as I’ve now discovered it doesn’t only apply to mailing lists, but to anyone with a website!

    • Iola says:

      Thanks for that! New Zealand and Australia also have similar legislation. I think GDPR is a big deal because it covers so many countries and people, and because it goes further than the CAN-SPAM Act (which is all many people worry about in this US-centric world).

    • Iola says:

      Selling mailing lists (email or physical) has been illegal in New Zealand since 1991, so yes, it’s about time the rest of the world caught up …

      Of course, something being illegal doesn’t stop it happening. If only it did!

    • Iola says:

      But you have a website, which still means you’re collecting personal data (or your website provider is collecting it for you). I’ll cover that next week.

    • Iola says:

      GDPR has some of the finest legal minds on the planet discussing what it means. If I’ve made it even halfway intelligible, I’ve succeeded!

    • Iola says:

      It’s a principle called “the long arm of the law”. It’s the same principle that says I have to disclose on Amazon when I got a free book for review, even though I live in New Zealand.

  3. There are substantial fines if you’re not compliant. You know someone will test the waters. Don’t get caught with your @$$ in a wringer.
    I’m planning on blogging about this in May, sending info out via my newsletter, and trimming my email list. Nothing is worth the headaches this could bring.

    • Iola says:

      I agree!

      I’m also working through trimming my list, and considering the best way to ensure I have explicit consent from everyone. It’s actually timely, as I’m getting close to the free limit with my email service provider, so this is an incentive to make sure my list is active and engaged.

  4. It’s interesting where this law differs from the anti-online-spam legislation in place in other countries, or how it forces companies like MailChimp to conform all their practices to it in order for its clients to gain any subscribers throughout the EU. I may be misinterpreting. Great post!

    • Iola says:

      My understanding is that European data privacy laws are stricter than in the US, although I’m not sure about other countries. I suspect that GDPR is stricter than existing laws, partly because it’s the newest legislation so is able to address issues that hadn’t come up when some of the other laws were drafted and enacted.

      Under GDPR, MailChimp (and other email service providers) are Data Processors. We, as email list owners, are Data Controllers. Data Processors have responsibilities, but the onus is on Data Controllers (us) to use GDPR-compliant Data Processors. If a Data Processor isn’t compliant, I suspect they will face a mass exodus of clients, and who wants that?

  5. Adam says:

    It can be a real challenge to keep apprised of, and properly follow, the various laws and regulations that govern our activity (whether we know it or not).
    Posts like this certainly offer a welcome “what does this really mean” version of the information. Granted, as you say, the finer points still necessitate researching the topic further, but this serves as a nice primer.
    Sadly many of us are not at a point where we have a lawyer we can consult regularly on such matters.
    This is a very insightful piece. Thank you for sharing.

    • Iola says:

      No, most of us can’t afford the lawyers (even if we knew one!), but we still need to stay abreast of the issues. Fortunately, the email providers (data processors) do seem to be on top of GDPR, so we can follow their best practice guidelines.
