What Is GDPR?
How Does GDPR Affect Authors?
Due to the globalized nature of business and the internet, anyone who has an online presence is affected. The EU’s broad definition of personal data means that basically any information one holds on EU citizens—such as email addresses, IP addresses, and posts on social networking sites—falls under the new regulation.
While the GDPR imposes a number of requirements that are new to individuals and entities outside the EU, here are the ones likely to apply to authors:
- The EU citizen whose personal information is at issue must consent “by a clear affirmative action” to the use of their data, and must have the right to withdraw their consent at any time.
- Where the information of a child under the age of 16 is involved, a parent or guardian must give the necessary consent.
- The personal data collected must be for explicit (and of course, legitimate) purposes, and must be accurate and kept up to date.
- The individual must be able to access their personal data (and to restrict how it is used).
- In the event of a data breach, the company (or individual) holding the data must notify the “supervisory authority” (of the EU state whose inhabitants are affected) within 72 hours.
- Such data must be erased at the request of the individual (this relates to the European “Right to be Forgotten”).
Many authors who have websites already possess some information about their readers or site visitors. Even if just some of that information relates to EU citizens, you will need to comply with the regulation. Going forward, you should collect only data that you absolutely need and should not share the data with others without prior approval from the individuals in question. It should be noted, however, that the GDPR does require EU member states to reconcile these provisions with “the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.”
In order to comply with the law, anyone with email lists, for example, should start auditing those lists and should reach out to any recipients based in the EU to obtain their explicit consent to use their data; and, if consent is not obtained for any contact, that contact should be deleted. Authors with websites should also make sure that they’ve updated their privacy notice and terms of service pages prior to May 25 to clearly state how they will use any collected data. You can find a privacy notice checklist here.
If you build your email list by hosting contests, raffles, and giveaways, or you use email marketing as part of your book promotion, you should be sure your subjects are actively opting in to give their consent to be added to your mailing list. Such express consent can be obtained by having users click “Accept” on a privacy notice or other terms of service that clearly spell out how personal data is collected and might be used, or by having the user email you to express their consent; pre-ticked boxes or consent language buried in the terms and conditions will no longer do the trick. And remember, you need to go back to any Europeans already on your email list to have them actively opt in to being on your email list for you to continue emailing them, in case you are asked to provide substantiation of their consent in the future.
The compliance burden most likely will fall largely on the data processors and online platforms who run the online services used by authors, but authors should make sure they are prepared to cooperate with their data processors and that they understand the limitations and requirements placed on themselves by the regulation.
We suggest that authors consult with any data processing platforms that they use for more information. Providers like Mailchimp and Emma have many resources and forms available to help with compliance.
Learn More About GDPR:
TechCrunch: WTF is GDPR
Superoffice: GDPR for Marketing: The Definitive Guide for 2018
ASAE: Countdown to GDPR