Mary McCauley Proofreading
Professional attention to your detail

How will the GDPR affect editors and authors? (Part 2)

7/5/2018

 
By Bernadette Kearns
Introduction by Mary
As we learned in last week's guest blog post How will the GDPR affect editors and authors? Part 1 by my colleague Bernadette Kearns, the GDPR comes into effect this 25 May. It will affect editors and authors whose clients and subscribers live in the EU. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, these two articles are for you. In Part 1, Bernadette gave an overview of the GDPR and offered a broad compliance checklist for editors and authors. I’m delighted to welcome Bernadette back to the Letters from an Irish Editor blog this week for Part 2. 

Specific GDPR issues for editors and authors 

We’ve seen in Part 1 how GDPR awareness is essential for editors and authors, whether they are providing freelance editorial services or independently publishing and marketing books as freelance sole traders or via a small limited company. In this Part 2 post we'll look at the specific issues of:
  1. consent in relation to client and author mailing lists
  2. transparency in relation to your website
  3. how a privacy policy can help you become GDPR compliant
  4. GDPR best practices

1. GDPR and consent

Consent deserves a closer look in relation to online marketing and mailing lists, as authors in particular need to check that their direct mailing practices will be GDPR compliant from 25 May 2018 onwards.
Specific purpose – mailing lists
To be compliant under the GDPR, you can only use personal data, such as an email address, for the specific and explicit purpose for which it was collected. You cannot use it or share it with a third party without the subscriber’s specific consent to do so.

For example, if a subscriber submits their email for the specific purpose of downloading a free copy of your book, you can’t simply add their email to your mailing list and use it to market your newsletter or another book to that subscriber. If you want to add their email to your mailing list, you must obtain specific and explicit consent from the subscriber to do so at the point of collecting their data.

In effect, you need to ask the subscriber at the time of signing up for the free download of your book if they would also like to be added to your mailing list. You also need to give them the option to say no. They may want the book, but not the mailing list, and they should have a clear option to say no if they wish.
Compliant opt-ins – mailing lists 
The other important element of the GDPR is how consent is obtained and recorded. Under the GDPR, subscriber consent must be ‘freely given, specific, informed and unambiguous’, and you must be able to show that you have it, so keep a record of what each subscriber agreed to, when, and how. In the free book example above, your opt-in process would therefore require the subscriber to tick a separate box consenting to being added to your mailing list, in addition to downloading the free book. A pre-ticked consent box (consent by default) is not GDPR compliant because it removes the choice from the subscriber, and silence or inactivity does not count as consent either.

Ideally, your opt-in process would be a two-tiered, double opt-in process: the initial manual box-ticking, followed by an email asking the subscriber to click on a link to confirm that they really do want to be on your mailing list, with the address added to the list only after that link has been clicked. The confirmation link should carry an unguessable, time-limited code, so that nobody can forge or reuse a link to add an address that was never actually confirmed, and the date and time of the confirmation should be kept as part of your consent record.

Even if you don’t have a large subscriber list or a double opt-in procedure, from 25 May 2018 you must tell clients and subscribers when you add them to your mailing list, explain that you may use their details to contact them about offers and services later, and give them the option to opt out if they wish.
How does the GDPR apply to existing clients and mailing list subscribers?
Many authors, and some editors, will have large mailing lists with a high volume of existing subscribers and email addresses, not all of which were collected in a GDPR-compliant way.
 
In this regard, it is important to note that the GDPR has been in force since 2016, but the EU granted a two-year transition period to allow individuals and organisations to get their compliance processes in order. Therefore, the GDPR will not be applied retrospectively, in the sense that you won’t be penalised for not being GDPR compliant before 25 May 2018. However, you do risk penalties if you are not GDPR compliant for both new and existing clients and subscribers from that date onward.

Authors
If you have clear GDPR-compliant consents from all your existing mailing list subscribers, then you are ahead of the pack. However, your process is not GDPR compliant if you:
  • have received your mailing list's email addresses from a third party
  • are not sure of the source of those email addresses
  • have in the past automatically added people to a mailing list when they subscribed to your blog, website, or downloaded a free book without letting them know you were doing this
In these cases, you will need to get GDPR-compliant consent from all your existing subscribers. If you don't, you will be in breach of the GDPR.

In relation to managing existing mailing list subscribers: 
  • Be aware that your opt-in email should oblige the subscriber to actively opt in by replying to your email or ticking an opt-in box – emails telling subscribers that you will add them if you don’t hear from them are not GDPR compliant. You need to give the option to actively opt in or opt out/unsubscribe. 
 
  • Be aware that, in some circumstances, your opt-in email may fall foul of other existing direct marketing legislation. In particular, make sure you don’t send out opt-in emails to subscribers who have previously unsubscribed from your mailing list. So, go through your existing lists carefully and delete anyone who has already asked to be deleted before you start emailing subscribers. 
​
  • If existing subscribers haven’t actively opted in to your mailing list by 25 May 2018, then delete their details from your records. They can always re-subscribe through your new GDPR-compliant process at a later date if they so wish. 
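The double opt-in flow described above, and the re-permission exercise for existing subscribers, can be seen end to end in the following Python sketch. It is an added example, not code from the original post. It assumes an in-memory store in place of your mailing-list provider or database, a signing key that in practice would be loaded from a secret store, and a 48-hour lifetime for the confirmation link; all three are illustrative choices. The confirmation link carries an HMAC-signed, expiring token, so a forged or stale link cannot add an address; a suppression list stops a re-permission email going to anyone who has already unsubscribed; and the consent record keeps what you would need to produce on request: who, when (both the request and the confirmation), from which form, and which consent wording they saw.

```python
"""Double opt-in with a signed, expiring confirmation token and a suppression list.

Added example only (not from the original post). Assumptions: an in-memory store
stands in for a mailing-list provider or database; SECRET_KEY would be loaded from
a secret store in practice; the 48-hour token lifetime is an illustrative choice.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

SECRET_KEY = b"example-only-replace-with-a-long-random-secret"  # assumption: real key from a secret store
TOKEN_TTL_SECONDS = 48 * 3600            # how long a confirmation link stays valid
CONSENT_TEXT_VERSION = "newsletter-v1"   # which consent wording the subscriber saw


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, issued: int, source: str) -> str:
    """Confirmation token: base64(payload) '.' hex(HMAC-SHA256(payload)).

    The payload records who asked, when and on which form; the MAC stops anyone
    forging a link for an address that never asked; the nonce makes each token unique.
    """
    payload = json.dumps({"email": email, "issued": issued, "source": source,
                          "nonce": secrets.token_hex(8)}, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return f"{_b64(payload)}.{sig}"


def parse_token(token: str, now: int) -> Optional[dict]:
    """Return the payload if the signature verifies and the token is still fresh."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except ValueError:                  # no separator, or not valid base64
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    try:
        ok = hmac.compare_digest(expected, sig)   # constant-time comparison
    except TypeError:                   # non-ASCII junk in the signature part
        ok = False
    if not ok:
        return None
    data = json.loads(payload)
    if now - data["issued"] > TOKEN_TTL_SECONDS:   # stale link: ask them to sign up again
        return None
    return data


@dataclass
class ConsentStore:
    confirmed: dict = field(default_factory=dict)  # email -> consent record kept as evidence
    suppressed: set = field(default_factory=set)   # unsubscribed addresses: never mail again

    def request_signup(self, email: str, newsletter_ticked: bool, now: int,
                       source: str) -> Optional[str]:
        """Form handler. The newsletter box is separate and unticked by default; the
        free download is delivered whatever the answer. Returns the token to put in
        the confirmation email, or None if no opt-in mail should go out at all."""
        email = email.strip().lower()
        if not newsletter_ticked or email in self.suppressed:
            return None
        return make_token(email, now, source)

    def confirm(self, token: str, now: int) -> Optional[dict]:
        """Link click. Only now does the address join the list, with its evidence."""
        data = parse_token(token, now)
        if data is None or data["email"] in self.suppressed:
            return None
        record = {"email": data["email"], "source": data["source"],
                  "requested_at": data["issued"], "confirmed_at": now,
                  "consent_text": CONSENT_TEXT_VERSION}
        self.confirmed[data["email"]] = record
        return record

    def unsubscribe(self, email: str) -> None:
        email = email.strip().lower()
        self.confirmed.pop(email, None)
        self.suppressed.add(email)

    def repermission(self, legacy_emails, now: int):
        """Existing list with no recorded consent: (email, token) pairs that may be
        sent an opt-in request. Anyone who already unsubscribed is skipped."""
        pending = []
        for raw in legacy_emails:
            email = raw.strip().lower()
            if email in self.suppressed or email in self.confirmed:
                continue
            pending.append((email, make_token(email, now, "repermission")))
        return pending

    def deadline_purge(self, legacy_emails):
        """After the deadline: legacy addresses that never confirmed are to be deleted."""
        legacy = {raw.strip().lower() for raw in legacy_emails}
        return sorted(legacy - set(self.confirmed))
```

The token is stateless, so nothing needs to be stored between the form submission and the click; what is stored is the confirmed record, which is the evidence of consent, and the suppression list, which must outlive the subscriber record so that a deleted address is not re-mailed by a later re-permission run.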

Editors
If you are an editor with a small client database or list of client emails and regular contact with your clients, then you probably don’t need to seek their specific consent to keep their details at this time: holding and using a client’s contact details to carry out the work they have engaged you for rests on your contract with them, not on consent. Consent becomes the issue when you use those details for marketing. Where there has been little or no contact with a client for a long period, contact them to ask whether they wish to remain on your list before you mail them again.

If, however, you have a website blog with a subscriber list, then all of the above advice to authors is also relevant to you, and you should make the necessary changes outlined.

2. GDPR and website transparency

If you have a blog or a website, you will use a range of website hosting services and platforms, e-commerce themes and plug-ins, mailing-list tools and online payment services. Not all the companies who provide these services will be based in the EU, although the GDPR applies to them too if they process the data of individuals in the EU. Where one of these companies handles your clients’ or subscribers’ personal data on your behalf (your host, mailing-list provider or payment processor, for example), it is acting as a data processor for you, and your privacy policy should name it, or at least the category of service, so that clients and subscribers can read that company’s own GDPR or privacy policy if they wish.
 
You also need to tell users of your site that it uses analytics plug-ins or tracking cookies, what those collect and how that affects them, and how to refuse or disable them. Under the separate ePrivacy (cookie) rules, non-essential tracking cookies should only be set after the visitor has agreed to them, so a ‘disable’ option buried in the policy is not enough on its own.

3. How a privacy policy can help you become GDPR compliant

The most practical way for an editor or author to deal with their GDPR obligations is to create a privacy policy. The privacy policy should set out all the important information discussed above for clients and subscribers, and it will show that you are GDPR aware.
 
You can include this document in your contract documentation when negotiating projects with potential clients, or link to it from your email signature or website contact form. A website contact form is an excellent way of obtaining a record of consent that you can keep on file, as you can connect it to a required opt-in box that clients or subscribers tick manually to confirm they have read and consent to all or certain terms of the policy. Store the submission with its date and time alongside the ticked box, since that is the evidence of consent you may later need to produce.
 
The privacy policy should cover all the basic GDPR information:
  • Who you are
  • Why you are collecting the data
  • Where that data is stored and how you use it (including additions to client mailing lists)
  • How long the data is stored for and the ‘legal basis’ for storing it for that length of time
  • Identify web hosting services and platforms, themes and plug-ins, and any analytics which use IP identifiers or tracking cookies (as applicable)
  • Inform subscribers of their right to access, amend or delete their information and tell them how they can go about doing this – who to contact and how
  • Contact details for subscriber access requests
  • What happens in the event of a security breach: that you will report it to the Data Protection Commissioner within 72 hours where it poses a risk to individuals, and how you will contact the clients or subscribers who are at risk

4. GDPR best practices 

From 25 May 2018, if you process personal data from individuals in the EU, you will need to be able to show that you are GDPR compliant even if the volume of personal data you collect or process is small. In addition, companies and organisations who are themselves required to be GDPR compliant will look for GDPR compliance from their freelancers, contractors and business partners, especially if projects involve access to documents which may contain people’s sensitive personal data, e.g. work for semi-state or government bodies, research studies, or professional legal or medical organisations.
 
Therefore, it makes sense to review your existing business practices in relation to the GDPR before the legislation comes into effect. A little time spent now on setting up GDPR-compliant processes and procedures will save you time and stress in the long-term. 

Summary of the practical steps to help you become GDPR compliant

  • Be aware of the GDPR – don’t assume it doesn’t affect you, no matter how small the volume of personal data you collect
  • Look at what personal data you collect, how you collect it and how long you keep it for
  • Look at existing mailing or client lists and decide if you need to update consents to hold that data
  • Have a plan for dealing with access requests and requests for deleting or amending personal data
  • Do a security audit on your website and devices
  • If you subcontract or hire in services yourself, consider whether your contractors or service providers are also GDPR compliant
  • Have a plan for dealing with reporting a security breach to clients or subscribers if your computer or website is hacked or your devices are stolen
  • Create a privacy policy for your business which explains everything you do with your clients’ or subscribers’ data
  • Ensure all new and existing clients, as necessary, are aware of your privacy policy 

Where to find out more

The above is intended as a guide only. Full GDPR audit information is available on the Data Protection Commissioner’s website (Ireland).
 
Further information
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)

See also: How will the GDPR affect editors and authors? (Part 1)

About Bernadette Kearns
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.

Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing booknannyeditor@gmail.com, or through Facebook or Twitter.

If you would like to receive Letters from an Irish Editor blog posts, please use the subscribe section at the top right of this page.

How will the GDPR affect editors and authors? (Part 1)

1/5/2018

 
By Bernadette Kearns
Introduction by Mary 
The GDPR comes into effect in just under four weeks. It will affect editors whose clients and blog subscribers live in the EU. If you are an author who publishes a blog or newsletter for your readers and if its subscribers live in the EU, then you too have responsibilities under this legislation. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, this article is for you.
​
I’m delighted to welcome my colleague Bernadette Kearns to the Letters from an Irish Editor blog. Before moving full time into editing Bernadette worked for many years as a legal executive in general practice law firms and financial institutions. She has kindly agreed to explain how the GDPR will affect editors and authors. In this Part 1 Bernadette gives an overview of the GDPR and offers a broad compliance checklist for editors and authors. In Part 2 Bernadette goes into more detail on compliance, including client and author mailing lists, privacy transparency on your website and advice on privacy policies. So, over to Bernadette!

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new set of EU rules which govern the collection, storage and use of personal data of all living persons (data subjects) in the EU or those whose personal data is processed within the EU. It comes into effect on 25 May 2018 and will affect editors and authors worldwide who offer goods or services to clients or subscribers based in the EU and, who, as a result hold or process personal data relating to EU data subjects.

The GDPR strengthens and expands the existing data protection rules (the 1995 Data Protection Directive and the national laws implementing it) in that it places more rigorous requirements and responsibilities on data controllers (those who decide why and how personal data is collected, stored and used) and data processors (those who store and use personal data on behalf of a data controller).
 
The aim of the regulation is to afford greater security and privacy to EU data subjects by granting them increased rights to control the way in which their personal data is collected and used, and by placing firmer obligations on data controllers in three key areas:
  • security
  • consent
  • transparency 

What is personal data? Do editors and authors collect it?

Personal data is any data or information which can be used to identify a living person. It includes:
  • names
  • email addresses
  • postal addresses
  • geolocation information
  • phone numbers
  • IP addresses
  • job titles
  • bank and credit card details

The GDPR also defines ‘special categories’ of personal data, which attract extra protection and may only be processed under narrower conditions. These are:
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic and biometric data
  • health data (including medical conditions)
  • sex life or sexual orientation
Data about criminal convictions and offences is treated separately and is also tightly restricted. Information such as age, gender and financial details is not a special category, but it is still personal data and must be protected in the same way as the items listed above.

While the GDPR will have a greater impact on businesses and organisations which process large volumes of personal data on a regular basis, it also applies to smaller data controllers such as freelancer editors and authors. 

Essentially, if on your computer or laptop you have a list of clients’ or subscribers’ names, email addresses, phone numbers and any other information allowing them to be identified, then you are a data controller and the GDPR applies to you. Also, personal information isn’t just email addresses or phone numbers – it can be any item of specific personal information (location, appearance, gender, religion), which when put together will allow a living person to be identified by other people (for example, details about a third party in a client’s memoir notes).

What are the GDPR requirements for editors and authors?

To be fully compliant with the GDPR, editors and authors must:
 
Be transparent
  • Identify who you are and why you are collecting clients’ and subscribers’ personal data  
  • Tell clients and subscribers what you do with their data, how long you will store it for, and who receives it or who you give it to

Obtain clear consent
  • Get clients’ and subscribers’ clear consent to process their data for a specific and explicit purpose  
  • Keep and use their data only for that specific and explicit purpose  
  • Do not disclose their personal data to any other person or organisation without the explicit and prior consent of the client or subscriber unless legally obliged to do so  
  • Allow clients and subscribers to access their data and to give it to another company if they wish  
  • Give clients and subscribers the right to be forgotten and erase their data if they ask 
  • Give clients and subscribers the right to opt out of direct marketing using their personal data

Keep the personal data secure
  • Keep all personal data collected (hard or soft copy) safe and secure
  • Make sure it is accurate and up-to-date at all times  
  • Make legal arrangements if you are transferring personal data outside the European Economic Area (EEA)
  • Inform the supervisory authority (in Ireland, the Data Protection Commissioner) within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals, and inform the affected clients or subscribers themselves without undue delay where the breach is likely to put them at high risk

How do editors and authors become GDPR compliant?

There is no one-size-fits-all answer to this question and each editor and author should do their own GDPR audit on their individual business model.
 
The best way to start is to ask yourself the questions in this compliance checklist:
​
  • What personal data do I hold for clients or subscribers?

Security
  • Where do I hold it and how secure is it?  
  • What steps can I take to increase security and protection of all my devices – computers, phones, external hard drives, USBs – and to reduce the risk of loss or theft?  
  • Is my anti-virus/anti-malware software adequate and up-to-date, and are my operating system, browser and applications receiving security updates?  
  • Do I have strong passwords and encryption on all my devices, applications and websites? Do I use different strong passwords for each device or application?  
  • Is my website secure and are all platforms, themes and plug-ins up-to-date?  
  • Does my website use HTTPS, with a valid TLS certificate? (These are still widely sold as ‘SSL’ certificates, but the SSL protocol itself is obsolete and should be disabled in favour of TLS.) The certificate proves to the browser that it is really talking to your site and lets the browser and server encrypt everything passing between them, so a subscriber’s email address or contact-form message cannot be read or altered in transit. Check that the certificate has not expired and that plain http:// addresses redirect to https://.  
  • Do I lock away hard copy files and shred anything that might contain or have personal data belonging to a client or subscriber written on it?  
  • Do I back up all my documents regularly and store them safely? Do I encrypt the back-ups for extra security?  
  • Do I encrypt emails and documents which may contain personal or sensitive data about clients, subscribers or third parties as necessary? ​
  • Have I made sure that all personal data is irretrievably wiped from all old devices before I dispose of them?

Security breaches
  • What would I do if my computer or website was hacked or my laptop, phone or other device was stolen?  
  • What’s my plan for informing clients or subscribers at risk of this security breach?

Consent and transparency
  • Is it clear to clients or subscribers upfront who I am and who they are dealing with? 
  • What personal data do I collect regularly? Am I collecting the bare minimum needed to do the job or am I asking for personal information that I really don’t need? ​
  • How do I use the personal data and do I have proper consent for the way I use it? For example, have I created a mailing list from existing clients or subscribers who have emailed me generally, but who have not specifically said they want to be on a ‘mailing list’ as such?  
  • If I am direct marketing or using mailing lists to sell my books or services, have I got proper GDPR-compliant consent for every client or subscriber on that list?  
  • Do I share this information with third parties (colleagues, other authors or service providers – for example, on professional online networking forums) and if I do, have I explicit consent from the client or subscriber to do this?  
  • Is the information I hold up-to-date? Is there any danger I will send out personal information to an invalid or incorrect email or postal address, or a text to the wrong phone number? ​
  • How long do I store the information for, and are clients and subscribers aware of this? What is my ‘legal basis’ for storing data? For example, am I holding client details for six years for tax purposes? If so, do I need to contact them to update their consent to remain on the list once the legal basis time is up?  
  • How do I go about complying with an access request from a client or subscriber to show them all the personal data I hold for them?  
  • Do my clients or subscribers have direct access to their own records to amend or delete them entirely (‘right to be forgotten’)? If not, how do they go about contacting me to ask me to amend or delete their records? Where can they find this information telling them how to implement their rights if they so wish?
  • If I work for another company or organisation, do they provide me with personal data? For example, a publishing company asking an editor to contact an author directly or an editor working on research documents or reports from client organisations who handle sensitive personal data. If so, I am likely to be a data processor for that company. Has the other company made their GDPR policy clear to me and are they adhering to it?
 
This checklist is not exhaustive and if you feel any aspect of your editorial or author business has not been covered, you should carry out a full GDPR audit using the information available on the Data Protection Commissioner’s website. But the checklist does give you an idea of the type of issues you need to consider in order to be GDPR aware and to work toward compliance. More importantly, it will help you plan how you and your business would deal with a GDPR issue should it arise. 

Where to find out more

The above is intended as a guide only. Full GDPR audit information is available on the Data Protection Commissioner’s website (Ireland).
 
Further information
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)

See also: How will the GDPR affect editors and authors? (Part 2)


    Mary McCauley is a professional editor and proofreader based in Co Wexford, Ireland. In this blog she shares tips and information on all things writing and editing related.
    All Letters from an Irish Editor blog content is copyrighted and may not be reproduced without written permission.
    © Mary McCauley Proofreading 2012–2021