How will the GDPR affect editors and authors? (Part 1)

1/5/2018

By Bernadette Kearns

Introduction by Mary
The GDPR comes into effect in just under four weeks. It will affect editors whose clients and blog subscribers live in the EU. If you are an author who publishes a blog or newsletter for your readers and if its subscribers live in the EU, then you too have responsibilities under this legislation. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, this article is for you.

I’m delighted to welcome my colleague Bernadette Kearns to the Letters from an Irish Editor blog. Before moving full time into editing Bernadette worked for many years as a legal executive in general practice law firms and financial institutions. She has kindly agreed to explain how the GDPR will affect editors and authors. In this Part 1 Bernadette gives an overview of the GDPR and offers a broad compliance checklist for editors and authors. In Part 2 Bernadette goes into more detail on compliance, including client and author mailing lists, privacy transparency on your website and advice on privacy policies. So, over to Bernadette!

What is the GDPR?

The General Data Protection Regulation (GDPR) is the new set of EU rules which govern the collection, storage and use of personal data of all living persons (data subjects) in the EU or those whose personal data is processed within the EU. It comes into effect on 25 May 2018 and will affect editors and authors worldwide who offer goods or services to clients or subscribers based in the EU and, who, as a result hold or process personal data relating to EU data subjects.

The GDPR strengthens and expands the current data protection regulations in that it places more rigorous requirements and responsibilities on data controllers (those who collect, store and use personal data) and data processors (those who store and use personal data on behalf of a data controller).

The aim of the regulation is to afford greater security and privacy to EU data subjects by granting them increased rights to control the way in which their personal data is collected and used, and by placing firmer obligations on data controllers in three key areas:

security
consent
transparency

What is personal data? Do editors and authors collect it?

Personal data is any data or information which can be used to identify a living person. It includes:

names
email addresses
postal addresses
geographic locater information
phone numbers
IP addresses
job titles
bank and credit card details

There is a special category of sensitive personal data, which includes information such as:

age
race
gender
sexual orientation
medical conditions
financial information
criminal records

While the GDPR will have a greater impact on businesses and organisations which process large volumes of personal data on a regular basis, it also applies to smaller data controllers such as freelancer editors and authors.

Essentially, if on your computer or laptop you have a list of clients’ or subscribers’ names, email addresses, phone numbers and any other information allowing them to be identified, then you are a data controller and the GDPR applies to you. Also, personal information isn’t just email addresses or phone numbers – it can be any item of specific personal information (location, appearance, gender, religion), which when put together will allow a living person to be identified by other people (for example, details about a third party in a client’s memoir notes).

What are the GDPR requirements for editors and authors?

To be fully compliant with the GDPR, editors and authors must:

Be transparent

Identify who you are and why you are collecting clients’ and subscribers’ personal data
Tell clients and subscribers what you do with their data, how long you will store it for, and who receives it or who you give it to

Obtain clear consent

Get clients’ and subscribers’ clear consent to process their data for a specific and explicit purpose
Keep and use their data only for that specific and explicit purpose
Do not disclose their personal data to any other person or organisation without the explicit and prior consent of the client or subscriber unless legally obliged to do so
Allow clients and subscribers to access their data and to give it to another company if they wish
Give clients and subscribers the right to be forgotten and erase their data if they ask
Give clients and subscribers the right to opt out of direct marketing using their personal data

Keep the personal data secure

Keep all personal data collected (hard or soft copy) safe and secure
Make sure it is accurate and up-to-date at all times
Make legal arrangements if you are transferring personal data outside the European Economic Area (EEA) area
Inform clients or subscribers immediately of any security breaches if they are at risk

How do editors and authors become GDPR compliant?

There is no one-size-fits-all answer to this question and each editor and author should do their own GDPR audit on their individual business model.

The best way to start, is to ask yourself the questions in this compliancy checklist:

What personal data do I hold for clients or subscribers?

Security

Where do I hold it and how secure is it?
What steps can I take to increase security and protection of all my devices – computers, phones, external hard drives, USBs – and to reduce the risk of loss or theft?
Is my anti-virus/malware software adequate and up-to-date?
Do I have strong passwords and encryption on all my devices, applications and websites? Do I use different strong passwords for each device or application?
Is my website secure and are all platforms, themes and plug-ins up-to-date?
Is my website SSL (Secure Sockets Layer) certified? An SSL certificate will add extra security for your website subscribers as it establishes an encrypted link between a web server and a browser which ensures that all data passing between the two stays private.
Do I lock away hard copy files and shred anything that might contain or have personal data belonging to a client or subscriber written on it?
Do I back up all my documents regularly and store them safely? Do I encrypt the back-ups for extra security?
Do I encrypt emails and documents which may contain personal or sensitive data about clients, subscribers or third parties as necessary?
Have I made sure that all personal data is irretrievably wiped from all old devices before I dispose of them?

Security breaches

What would I do if my computer or website was hacked or my laptop, phone or other device was stolen?
What’s my plan for informing clients or subscribers at risk of this security breach?

Consent and transparency

Is it clear to clients or subscribers upfront who I am and who they are dealing with?
What personal data do I collect regularly? Am I collecting the bare minimum needed to do the job or am I asking for personal information that I really don’t need?
How do I use the personal data and do I have proper consent for the way I use it? For example, have I created a mailing list from existing clients or subscribers who have emailed me generally, but who have not specifically said they want to be on a ‘mailing list’ as such?
If I am direct marketing or using mailing lists to sell my books or services, have I got proper GDPR-compliant consent for every client or subscriber on that list?
Do I share this information with third parties (colleagues, other authors or service providers – for example, on professional online networking forums) and if I do, have I explicit consent from the client or subscriber to do this?
Is the information I hold up-to-date? Is there any danger I will send out personal information to an invalid or incorrect email or postal address, or a text to the wrong phone number?
How long do I store the information for, and are clients and subscribers aware of this? What is my ‘legal basis’ for storing data? For example, am I holding client details for six years for tax purposes? If so, do I need to contact them to update their consent to remain on the list once the legal basis time is up?
How do I go about complying with an access request from a client or subscriber to show them all the personal data I hold for them?
Do my clients or subscribers have direct access to their own records to amend or delete them entirely (‘right to be forgotten’)? If not, how do they go about contacting me to ask me to amend or delete their records? Where can they find this information telling them how to implement their rights if they so wish?
If I work for another company or organisation, do they provide me with personal data? For example, a publishing company asking an editor to contact an author directly or an editor working on research documents or reports from client organisations who handle sensitive personal data. If so, I am likely to be a data processor for that company. Has the other company made their GDPR policy clear to me and are they adhering to it?

This checklist is not exhaustive and if you feel any aspect of your editorial or author business has not been covered, you should carry out a full GDPR audit using the information available on the Data Protection Commissioner’s website. But the checklist does give you an idea of the type of issues you need to consider in order to be GDPR aware and to work toward compliance. More importantly, it will help you plan how you and your business would deal with a GDPR issue should it arise.

Where to find out more

The above is intended as a guide only. Full GDPR audit information is available on the Data Protection Commissioner’s website (Ireland).

Further information
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)

See also: How will the GDPR affect editors and authors? (Part 2)

About Bernadette Kearns
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.

Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing booknannyeditor@gmail.com, or through Facebook or Twitter.

Tamyka

17/5/2018 01:42:44 am

Thanks for this helpful article. I noticed a passing reference to "details about a third party in a client’s memoir notes" and I'm concerned about the implications of GDPR in this case. Do you know how we are meant to handle a "request to be forgotten" from a person who is noted in our client's memoir? Or how we should respond to a request from a person for all the information we have on file for them, when we are working under an NDA on a client's file that includes information about that person? Up until this point I hadn't been too concerned, but now I am worried!

Mary link

17/5/2018 12:01:32 pm

Hi Tamyka,

Thanks for taking the time to comment.

Your specific questions are beyond our expertise, I’m afraid. I recommend that you contact the Data Protection Commission (or the equivalent in the country you live in) with your questions. If there is a conflict between the GDPR and NDAs, then that may require legal advice so you should also consider contacting a specialist solicitor.

The reference to third-party personal data was to alert memoir authors and editors to the fact that they need to be aware of where third-party personal data may be given away inadvertently, e.g. 'I visited my aunt who lives with her Jack Russell terrier above the chemist's shop in X town' sort of thing where there is only one chemist's shop in X town, and the author’s aunt still lives there. So effectively they would be giving everyone their aunt's address. If the author goes on to describe their aunt’s physical or mental health issues or any other sensitive personal data, then there's an even bigger problem.

Perhaps from now on the GDPR will need to be viewed in the same way as defamation and copyright – editors will have to flag such instances of possible disclosure and to alert authors to the fact that they need to be aware of their responsibilities under GDPR.

All the best,
Mary

Tamyka

17/5/2018 07:48:46 pm

Thanks for your help, Mary.

Comments are closed.