By Bernadette Kearns
Introduction by Mary
As we learned in last week's guest blog post How will the GDPR affect editors and authors? Part 1 by my colleague Bernadette Kearns, the GDPR comes into effect this 25 May. It will affect editors and authors whose clients and subscribers live in the EU. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, these two articles are for you. In Part 1, Bernadette gave an overview of the GDPR and offered a broad compliance checklist for editors and authors. I’m delighted to welcome Bernadette back to the Letters from an Irish Editor blog this week for Part 2.
As we learned in last week's guest blog post How will the GDPR affect editors and authors? Part 1 by my colleague Bernadette Kearns, the GDPR comes into effect this 25 May. It will affect editors and authors whose clients and subscribers live in the EU. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, these two articles are for you. In Part 1, Bernadette gave an overview of the GDPR and offered a broad compliance checklist for editors and authors. I’m delighted to welcome Bernadette back to the Letters from an Irish Editor blog this week for Part 2.
Specific GDPR issues for editors and authors
We’ve seen in Part 1 how GDPR awareness is essential for editors and authors, whether they are providing freelance editorial services or independently publishing and marketing books as freelance sole traders or via a small limited company. In this Part 2 post we'll look at the specific issues of:
- consent in relation to client and author mailing lists
- transparency in relation to your website
- how a privacy policy can help you become GDPR compliant
- GDPR best practices
1. GDPR and consent
It is probably worth taking a closer look at the issue of consent in relation to online marketing and mailing lists as authors, in particular, need to check that their direct mailing practices will be GDPR compliant from 25 May 2018 onwards.
Specific purpose – mailing lists
To be compliant under the GDPR, you can only use personal data, such as an email address, for the specific and explicit purpose for which it was collected. You cannot use it or share it with a third party without the subscriber’s specific consent to do so.
For example, if a subscriber submits their email for the specific purpose of downloading a free copy of your book, you can’t simply add their email to your mailing list and use it to market your newsletter or another book to that subscriber. If you want to add their email to your mailing list, you must obtain specific and explicit consent from the subscriber to do so at the point of collecting their data.
In effect, you need to ask the subscriber at the time of signing up for the free download of your book if they would also like to be added to your mailing list. You also need to give them the option to say no. They may want the book, but not the mailing list, and they should have a clear option to say no if they wish.
To be compliant under the GDPR, you can only use personal data, such as an email address, for the specific and explicit purpose for which it was collected. You cannot use it or share it with a third party without the subscriber’s specific consent to do so.
For example, if a subscriber submits their email for the specific purpose of downloading a free copy of your book, you can’t simply add their email to your mailing list and use it to market your newsletter or another book to that subscriber. If you want to add their email to your mailing list, you must obtain specific and explicit consent from the subscriber to do so at the point of collecting their data.
In effect, you need to ask the subscriber at the time of signing up for the free download of your book if they would also like to be added to your mailing list. You also need to give them the option to say no. They may want the book, but not the mailing list, and they should have a clear option to say no if they wish.
Compliant opt-ins – mailing lists
The other important element of the GDPR is the issue of how consent is obtained and recorded. Under the GDPR, subscriber consent must be ‘freely given, specific, informed and unambiguous’. It is also essential that you keep a record of this ‘freely given’ consent. So, in the above free book example, you would need to have an opt-in process which requires the subscriber to manually tick a box consenting to you adding their data to your mailing list, in addition to their downloading the free book. It is essential to note that a pre-ticked consent box (consent by default) is not GDPR compliant because it removes the choice from the subscriber.
Ideally, your opt-in process would be a two-tiered, double opt-in process – the initial manual box-ticking, followed by an email asking the subscriber to click on a link to confirm that they really do want to be on your mailing list, and adding them to the list only after they’ve clicked on the link to confirm their consent.
And even if you don’t have a large subscriber list or the need for double opt-in procedures, from 25 May 2018 you need to tell clients and subscribers that you are adding them to your mailing list and that you might use their details to contact them about offers and services at a later date and give them the option to opt out if they wish.
The other important element of the GDPR is the issue of how consent is obtained and recorded. Under the GDPR, subscriber consent must be ‘freely given, specific, informed and unambiguous’. It is also essential that you keep a record of this ‘freely given’ consent. So, in the above free book example, you would need to have an opt-in process which requires the subscriber to manually tick a box consenting to you adding their data to your mailing list, in addition to their downloading the free book. It is essential to note that a pre-ticked consent box (consent by default) is not GDPR compliant because it removes the choice from the subscriber.
Ideally, your opt-in process would be a two-tiered, double opt-in process – the initial manual box-ticking, followed by an email asking the subscriber to click on a link to confirm that they really do want to be on your mailing list, and adding them to the list only after they’ve clicked on the link to confirm their consent.
And even if you don’t have a large subscriber list or the need for double opt-in procedures, from 25 May 2018 you need to tell clients and subscribers that you are adding them to your mailing list and that you might use their details to contact them about offers and services at a later date and give them the option to opt out if they wish.
How does the GDPR apply to existing clients and mailing list subscribers?
Many authors, and some editors, will have large mailing lists with a high volume of existing subscribers and email addresses, not all of which were collected in a GDPR-compliant way.
In this regard, it is important to note that the GDPR has been in force since 2016, but the EU granted a two-year transition period to allow individuals and organisations to get their compliance processes in order. Therefore, the GDPR will not be applied retrospectively, in the sense that you won’t be penalised for not being GDPR compliant before 25 May 2018. However, you do risk penalties if you are not GDPR compliant for both new and existing clients and subscribers from that date onward.
Authors
If you have clear GDPR-compliant consents from all your existing mailing list subscribers, then you are ahead of the pack. However, your process is not GDPR compliant if you:
In relation to managing existing mailing list subscribers:
Editors
If you are an editor with a small client database or list of client emails and have regular contact with your clients, then you probably don’t need to seek their specific consent at this time. However, you should contact clients for consent to remain on your list where there has been little or no contact between you for a long period of time.
If, however, you have a website blog with a subscriber list, then all of the above advice to authors is also relevant to you, and you should make the necessary changes outlined.
Many authors, and some editors, will have large mailing lists with a high volume of existing subscribers and email addresses, not all of which were collected in a GDPR-compliant way.
In this regard, it is important to note that the GDPR has been in force since 2016, but the EU granted a two-year transition period to allow individuals and organisations to get their compliance processes in order. Therefore, the GDPR will not be applied retrospectively, in the sense that you won’t be penalised for not being GDPR compliant before 25 May 2018. However, you do risk penalties if you are not GDPR compliant for both new and existing clients and subscribers from that date onward.
Authors
If you have clear GDPR-compliant consents from all your existing mailing list subscribers, then you are ahead of the pack. However, your process is not GDPR compliant if you:
- have received your mailing list's email addresses from a third party
- are not sure of the source of those email addresses
- have in the past automatically added people to a mailing list when they subscribed to your blog, website, or downloaded a free book without letting them know you were doing this
In relation to managing existing mailing list subscribers:
- Be aware that your opt-in email should oblige the subscriber to actively opt in by replying to your email or ticking an opt-in box – emails telling subscribers that you will add them if you don’t hear from them are not GDPR compliant. You need to give the option to actively opt in or opt out/unsubscribe.
- Be aware that, in some circumstances, your opt-in email may fall foul of other existing direct marketing legislation. In particular, make sure you don’t send out opt-in emails to subscribers who have previously unsubscribed from your mailing list. So, go through your existing lists carefully and delete anyone who has already asked to be deleted before you start emailing subscribers.
- If existing subscribers haven’t actively opted in to your mailing list by 25 May 2018, then delete their details from your records. They can always re-subscribe through your new GDPR-compliant process at a later date if they so wish.
Editors
If you are an editor with a small client database or list of client emails and have regular contact with your clients, then you probably don’t need to seek their specific consent at this time. However, you should contact clients for consent to remain on your list where there has been little or no contact between you for a long period of time.
If, however, you have a website blog with a subscriber list, then all of the above advice to authors is also relevant to you, and you should make the necessary changes outlined.
2. GDPR and website transparency
If you have a blog or a website, you will use a range of website hosting services and platforms, e-commerce themes and plug-ins and online payment services. Not all the companies who provide these services and applications will be based in the EU – although under GDPR, if they process data from individuals in the EU, then the GDPR will apply to them. Each of these companies should have a GDPR or privacy policy of their own, so it might be useful to let your clients and subscribers know which e-commerce themes and plug-ins or payment sites your website uses, so they can look at those companies’ GDPR or privacy policies if they wish.
You also need to inform users of your site that your website uses analytic plug-ins or tracking cookies, how that affects them, and how to disable them, if possible.
You also need to inform users of your site that your website uses analytic plug-ins or tracking cookies, how that affects them, and how to disable them, if possible.
3. How a privacy policy can help you become GDPR compliant
The most practical way for an editor or author to deal with their GDPR obligations is to create a privacy policy. The privacy policy should set out all the important information discussed above for clients and subscribers, and it will show that you are GDPR aware.
You can include this document in your contract documentation when negotiating projects with potential clients or you can link it to your email signature or website contact form. A website contact form is an excellent way of obtaining a record of consent that you can keep on file, as you can connect it to a required opt-in box to be ticked manually by clients or subscribers confirming that they have read and consent to all or certain terms of the policy.
The privacy policy should cover all the basic GDPR information:
You can include this document in your contract documentation when negotiating projects with potential clients or you can link it to your email signature or website contact form. A website contact form is an excellent way of obtaining a record of consent that you can keep on file, as you can connect it to a required opt-in box to be ticked manually by clients or subscribers confirming that they have read and consent to all or certain terms of the policy.
The privacy policy should cover all the basic GDPR information:
- Who you are
- Why you are collecting the data
- Where that data is stored and how you use it (including additions to client mailing lists)
- How long the data is stored for and the ‘legal basis’ for storing it for that length of time
- Identify web hosting services and platforms, themes and plug-ins, and any analytics which use IP identifiers or tracking cookies (as applicable)
- Inform subscribers of their right to access, amend or delete their information and tell them how they can go about doing this – who to contact and how
- Contact details for subscriber access requests
- What happens and how you will contact subscribers at risk in the event of a security breach
4. GDPR best practices
From 25 May 2018, if you process personal data from individuals in the EU, you will need to be able to show that you are GDPR compliant even if the volume of personal data you collect or process is small. In addition, companies and organisations who are themselves required to be GDPR compliant will look for GDPR compliance from their freelancers, contractors and business partners, especially if projects involve access to documents which may contain people’s sensitive personal data, e.g. work for semi-state or government bodies, research studies, or professional legal or medical organisations.
Therefore, it makes sense to review your existing business practices in relation to the GDPR before the legislation comes into effect. A little time spent now on setting up GDPR-compliant processes and procedures will save you time and stress in the long-term.
Therefore, it makes sense to review your existing business practices in relation to the GDPR before the legislation comes into effect. A little time spent now on setting up GDPR-compliant processes and procedures will save you time and stress in the long-term.
Summary of the practical steps to help you become GDPR compliant
- Be aware of the GDPR – don’t assume it doesn’t affect you, no matter how small the volume of personal data you collect
- Look at what personal data you collect, how you collect it and how long you keep it for
- Look at existing mailing or client lists and decide if you need to update consents to hold that data
- Have a plan for dealing with access requests and requests for deleting or amending personal data
- Do a security audit on your website and devices
- If you subcontract or hire in services yourself, consider whether your contractors or service providers are also GDPR compliant
- Have a plan for dealing with reporting a security breach to clients or subscribers if your computer or website is hacked or your devices are stolen
- Create a privacy policy for your business which explains everything you do with your clients’ or subscribers’ data
- Ensure all new and existing clients, as necessary, are aware of your privacy policy
Where to find out more
The above is intended as a guide only. Full GDPR audit information is available on the Data Protection Commissioner’s website (Ireland).
Further information
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)
See also: How will the GDPR affect editors and authors? (Part 1)
Further information
Data Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)
See also: How will the GDPR affect editors and authors? (Part 1)
About Bernadette Kearns
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.
Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing booknannyeditor@gmail.com, or through Facebook or Twitter.
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.
Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing booknannyeditor@gmail.com, or through Facebook or Twitter.
