The GDPR comes into effect in just under four weeks. It will affect editors whose clients and blog subscribers live in the EU. If you are an author who publishes a blog or newsletter for your readers and if its subscribers live in the EU, then you too have responsibilities under this legislation. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, this article is for you.
I’m delighted to welcome my colleague Bernadette Kearns to the Letters from an Irish Editor blog. Before moving full time into editing Bernadette worked for many years as a legal executive in general practice law firms and financial institutions. She has kindly agreed to explain how the GDPR will affect editors and authors. In this Part 1 Bernadette gives an overview of the GDPR and offers a broad compliance checklist for editors and authors. In Part 2 Bernadette goes into more detail on compliance, including client and author mailing lists, privacy transparency on your website and advice on privacy policies. So, over to Bernadette!
What is the GDPR?
The GDPR strengthens and expands the current data protection regulations in that it places more rigorous requirements and responsibilities on data controllers (those who collect, store and use personal data) and data processors (those who store and use personal data on behalf of a data controller).
The aim of the regulation is to afford greater security and privacy to EU data subjects by granting them increased rights to control the way in which their personal data is collected and used, and by placing firmer obligations on data controllers in three key areas:
What is personal data? Do editors and authors collect it?
- email addresses
- postal addresses
- geographic locater information
- phone numbers
- IP addresses
- job titles
- bank and credit card details
There is a special category of sensitive personal data, which includes information such as:
- sexual orientation
- medical conditions
- financial information
- criminal records
While the GDPR will have a greater impact on businesses and organisations which process large volumes of personal data on a regular basis, it also applies to smaller data controllers such as freelancer editors and authors.
Essentially, if on your computer or laptop you have a list of clients’ or subscribers’ names, email addresses, phone numbers and any other information allowing them to be identified, then you are a data controller and the GDPR applies to you. Also, personal information isn’t just email addresses or phone numbers – it can be any item of specific personal information (location, appearance, gender, religion), which when put together will allow a living person to be identified by other people (for example, details about a third party in a client’s memoir notes).
What are the GDPR requirements for editors and authors?
- Identify who you are and why you are collecting clients’ and subscribers’ personal data
- Tell clients and subscribers what you do with their data, how long you will store it for, and who receives it or who you give it to
Obtain clear consent
- Get clients’ and subscribers’ clear consent to process their data for a specific and explicit purpose
- Keep and use their data only for that specific and explicit purpose
- Do not disclose their personal data to any other person or organisation without the explicit and prior consent of the client or subscriber unless legally obliged to do so
- Allow clients and subscribers to access their data and to give it to another company if they wish
- Give clients and subscribers the right to be forgotten and erase their data if they ask
- Give clients and subscribers the right to opt out of direct marketing using their personal data
Keep the personal data secure
- Keep all personal data collected (hard or soft copy) safe and secure
- Make sure it is accurate and up-to-date at all times
- Make legal arrangements if you are transferring personal data outside the European Economic Area (EEA) area
- Inform clients or subscribers immediately of any security breaches if they are at risk
How do editors and authors become GDPR compliant?
The best way to start, is to ask yourself the questions in this compliancy checklist:
- What personal data do I hold for clients or subscribers?
- Where do I hold it and how secure is it?
- What steps can I take to increase security and protection of all my devices – computers, phones, external hard drives, USBs – and to reduce the risk of loss or theft?
- Is my anti-virus/malware software adequate and up-to-date?
- Do I have strong passwords and encryption on all my devices, applications and websites? Do I use different strong passwords for each device or application?
- Is my website secure and are all platforms, themes and plug-ins up-to-date?
- Is my website SSL (Secure Sockets Layer) certified? An SSL certificate will add extra security for your website subscribers as it establishes an encrypted link between a web server and a browser which ensures that all data passing between the two stays private.
- Do I lock away hard copy files and shred anything that might contain or have personal data belonging to a client or subscriber written on it?
- Do I back up all my documents regularly and store them safely? Do I encrypt the back-ups for extra security?
- Do I encrypt emails and documents which may contain personal or sensitive data about clients, subscribers or third parties as necessary?
- Have I made sure that all personal data is irretrievably wiped from all old devices before I dispose of them?
- What would I do if my computer or website was hacked or my laptop, phone or other device was stolen?
- What’s my plan for informing clients or subscribers at risk of this security breach?
Consent and transparency
- Is it clear to clients or subscribers upfront who I am and who they are dealing with?
- What personal data do I collect regularly? Am I collecting the bare minimum needed to do the job or am I asking for personal information that I really don’t need?
- How do I use the personal data and do I have proper consent for the way I use it? For example, have I created a mailing list from existing clients or subscribers who have emailed me generally, but who have not specifically said they want to be on a ‘mailing list’ as such?
- If I am direct marketing or using mailing lists to sell my books or services, have I got proper GDPR-compliant consent for every client or subscriber on that list?
- Do I share this information with third parties (colleagues, other authors or service providers – for example, on professional online networking forums) and if I do, have I explicit consent from the client or subscriber to do this?
- Is the information I hold up-to-date? Is there any danger I will send out personal information to an invalid or incorrect email or postal address, or a text to the wrong phone number?
- How long do I store the information for, and are clients and subscribers aware of this? What is my ‘legal basis’ for storing data? For example, am I holding client details for six years for tax purposes? If so, do I need to contact them to update their consent to remain on the list once the legal basis time is up?
- How do I go about complying with an access request from a client or subscriber to show them all the personal data I hold for them?
- Do my clients or subscribers have direct access to their own records to amend or delete them entirely (‘right to be forgotten’)? If not, how do they go about contacting me to ask me to amend or delete their records? Where can they find this information telling them how to implement their rights if they so wish?
- If I work for another company or organisation, do they provide me with personal data? For example, a publishing company asking an editor to contact an author directly or an editor working on research documents or reports from client organisations who handle sensitive personal data. If so, I am likely to be a data processor for that company. Has the other company made their GDPR policy clear to me and are they adhering to it?
This checklist is not exhaustive and if you feel any aspect of your editorial or author business has not been covered, you should carry out a full GDPR audit using the information available on the Data Protection Commissioner’s website. But the checklist does give you an idea of the type of issues you need to consider in order to be GDPR aware and to work toward compliance. More importantly, it will help you plan how you and your business would deal with a GDPR issue should it arise.
Where to find out more
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)
See also: How will the GDPR affect editors and authors? (Part 2)
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.
Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing email@example.com, or through Facebook or Twitter.