This post is part of the monthly Author ToolBox Blog Hop, organised by Raimey Gallant. We now have over 40 blogs participating. To find more Blog Hop posts:
- Click here to visit the main Blog Hop page
- Click here to find our posts on Twitter
- Click here to find our Pinterest board
I have two posts in the Blog Hop this month—this post on GDPR, and I’m also guest posting on Publishing at Ronel the Mythmaker’s blog, as part of her April A-Z Challenge.
But here I’m talking about the General Data Protection Regulation: what it is, and why authors need to know about it.
First, the PSA. I’m not a lawyer, so none of the information in this blog post is legal advice. It’s my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don’t get legal advice off the internet. Now, on with the blog post.
What is GDPR?
The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018. It harmonizes data privacy laws across the European Union (EU), so it affects any organization holding personal data from EU citizens. Note that the EU still includes the United Kingdom, so GDPR still applies. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).
Why do authors need to know about GDPR?
GDPR affects all organisations based in the EU, or supplying goods or services in the EU. If you have a website or an email list, this includes you.
If you have an email list, you’re supplying services. Your subscribers may not pay you, but you are supplying a service. If your email list includes EU residents, or is likely to include EU residents in the future, the GDPR applies to you whether you live in the EU or not.
[The GDPR] applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
If you have a website, you’re collecting information on your visitors. If you have visitors who are EU residents, the GDPR applies to you whether you live in the EU or not.
‘Personal data’ includes data such as a name or email address. It also includes IP addresses (such as those collected by your website when someone comments), and posts on social networking sites.
‘Companies’ includes your email list provider (e.g. MailChimp or MailerLite), and includes clouds. If you use an email list provider and follow their recommended best practice (e.g. double opt-in), then you are probably operating within the law. Probably. As I’ve said before, I’m not a lawyer and this is not legal advice.
GDPR requires that you collect the minimum data necessary.
This has always been best practice: if you are collecting email addresses, the only piece of data you actually need is the email address.
Asking for their first name might help you build a relationship with the subscriber (if they type their name correctly!), but it’s not necessary. Many sites also ask for a surname, and few people are going to object to that. But giving my business name, address, telephone number, number of employees … that’s over the top when all I want to do is download a short pdf file.
You have the option of making fields compulsory or optional. If the field is anything but 100% necessary, make it optional (most people will still complete it).
Note: this also applies to the contact form on your website, because that’s another way of collecting personal information.
GDPR requires active and explicit consent
The regulations say:
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
People must be actively consenting to join your email list.
- Joining the email list can’t be automatic by filling out a form (as happened to me today!).
- If you have a reader magnet or other free gift, then you can’t send the gift and tell people they are now on your email list. You have to give them the option to download the gift without joining your list, or invite them to join your list and send the gift as a thank you.
- If there is a “Join my list” checkbox, it has to be unchecked. This means the would-be subscriber has to actively check the box.
- Joining can’t be one item in a long and unreadable list of legalese.
I suspect people also can’t explicitly consent to joining twenty email lists at once. We used to see this in online giveaways. Now, giveaways must give entrants the option to opt in or not opt in to each participant’s list (which some giveaways always did).
It must also be easy to withdraw consent. All the major email providers make this easy, by offering instant unsubscribe options (a far cry from when I used to unsubscribe to a spam email list and be told it might take up to a month!). Subscribers also have the right to have all their information deleted upon request, and the good email list providers do their best to make that easy as well.
How email providers are reacting
The major email providers do have lawyers on staff. I’m sure they’ve all been busy reading and arguing the finer points of the legislation, and considering what they need to change in order to ensure their customers (you and me) remain compliant.
Here’s what some of the main email providers have to say about GDPR:
Aweber is self-certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and intend to be fully compliant with GDPR. They say Aweber customers need to ensure they comply with Aweber terms of service to help ensure they are GDPR-compliant.
ConvertKit are building new features to enable users to identify their EU subscribers and provide explicit consent, including providing a specific opt-in checkbox for EU subscribers.
ConvertKit recommend users:
- Use double opt-in wherever possible.
- Perform regular list backups.
- Make your intentions clear on email signup forms and landing pages (e.g. what will they get by signing up to this list? Will they also be signed up to another list?).
This is good advice for everyone.
MailChimp have introduced a specific opt-in box on MailChimp-hosted forms, and recommend users clearly explain to subscribers how their data will be used. MailChimp is certified with both the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield.
MailerLite have developed a GDPR template to help users reconfirm their email list to be sure everyone has actively and explicitly consented.
What should I do?
If you’re not 100% sure all your subscribers have opted in to receiving your emails (e.g. you haven’t always used a double opt-in), then you should check out what templates or services your email list provider offers, and use them to clean your list.
Have you cleaned your email list lately? Have you deleted the people who never open your messages? Sure, it will mean fewer people on your list. There are advantages to cutting the dead weight from your list. It will increase your open rates, cost you less, and mean your emails are less likely to end up in spam. Isn’t that a good thing?
What do you need to do to prepare for GDPR?
Subscribe to my monthly newsletter and receive an exclusive guide to publishers specializing in Christian fiction.