As we learned in last week's guest blog post How will the GDPR affect editors and authors? Part 1 by my colleague Bernadette Kearns, the GDPR comes into effect this 25 May. It will affect editors and authors whose clients and subscribers live in the EU. So if you haven’t yet taken action on the GDPR or don’t know what your obligations are, these two articles are for you. In Part 1, Bernadette gave an overview of the GDPR and offered a broad compliance checklist for editors and authors. I’m delighted to welcome Bernadette back to the Letters from an Irish Editor blog this week for Part 2.
Specific GDPR issues for editors and authors
- consent in relation to client and author mailing lists
- transparency in relation to your website
- GDPR best practices
1. GDPR and consent
To be compliant under the GDPR, you can only use personal data, such as an email address, for the specific and explicit purpose for which it was collected. You cannot use it or share it with a third party without the subscriber’s specific consent to do so.
For example, if a subscriber submits their email for the specific purpose of downloading a free copy of your book, you can’t simply add their email to your mailing list and use it to market your newsletter or another book to that subscriber. If you want to add their email to your mailing list, you must obtain specific and explicit consent from the subscriber to do so at the point of collecting their data.
In effect, you need to ask the subscriber at the time of signing up for the free download of your book if they would also like to be added to your mailing list. You also need to give them the option to say no. They may want the book, but not the mailing list, and they should have a clear option to say no if they wish.
The other important element of the GDPR is the issue of how consent is obtained and recorded. Under the GDPR, subscriber consent must be ‘freely given, specific, informed and unambiguous’. It is also essential that you keep a record of this ‘freely given’ consent. So, in the above free book example, you would need to have an opt-in process which requires the subscriber to manually tick a box consenting to you adding their data to your mailing list, in addition to their downloading the free book. It is essential to note that a pre-ticked consent box (consent by default) is not GDPR compliant because it removes the choice from the subscriber.
Ideally, your opt-in process would be a two-tiered, double opt-in process – the initial manual box-ticking, followed by an email asking the subscriber to click on a link to confirm that they really do want to be on your mailing list, and adding them to the list only after they’ve clicked on the link to confirm their consent.
And even if you don’t have a large subscriber list or the need for double opt-in procedures, from 25 May 2018 you need to tell clients and subscribers that you are adding them to your mailing list and that you might use their details to contact them about offers and services at a later date and give them the option to opt out if they wish.
Many authors, and some editors, will have large mailing lists with a high volume of existing subscribers and email addresses, not all of which were collected in a GDPR-compliant way.
In this regard, it is important to note that the GDPR has been in force since 2016, but the EU granted a two-year transition period to allow individuals and organisations to get their compliance processes in order. Therefore, the GDPR will not be applied retrospectively, in the sense that you won’t be penalised for not being GDPR compliant before 25 May 2018. However, you do risk penalties if you are not GDPR compliant for both new and existing clients and subscribers from that date onward.
If you have clear GDPR-compliant consents from all your existing mailing list subscribers, then you are ahead of the pack. However, your process is not GDPR compliant if you:
- have received your mailing list's email addresses from a third party
- are not sure of the source of those email addresses
- have in the past automatically added people to a mailing list when they subscribed to your blog or website, or downloaded a free book, without letting them know you were doing this
In relation to managing existing mailing list subscribers:
- Be aware that your opt-in email should oblige the subscriber to actively opt in by replying to your email or ticking an opt-in box – emails telling subscribers that you will add them if you don’t hear from them are not GDPR compliant. You need to give the option to actively opt in or opt out/unsubscribe.
- Be aware that, in some circumstances, your opt-in email may fall foul of other existing direct marketing legislation. In particular, make sure you don’t send out opt-in emails to subscribers who have previously unsubscribed from your mailing list. So, go through your existing lists carefully and delete anyone who has already asked to be deleted before you start emailing subscribers.
- If existing subscribers haven’t actively opted in to your mailing list by 25 May 2018, then delete their details from your records. They can always re-subscribe through your new GDPR-compliant process at a later date if they so wish.
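The double opt-in process described above, and the handling of an existing list (skip anyone who has unsubscribed, delete anyone who has not confirmed by the deadline), as an added worked example. This is not code from the original post or from any mailing-list product; the class, field and function names are assumptions made for illustration. Two points a practitioner would want are built in: only a hash of the confirmation token is stored, so a leaked database does not let anyone confirm on someone else's behalf, and the consent record keeps the exact wording the subscriber agreed to, the source form and both timestamps, which is what you need to show consent was "freely given, specific, informed and unambiguous".

```python
"""Double opt-in mailing-list consent flow with an auditable consent record.

Added example, not part of the original post. All names, field choices and
the confirmation window are assumptions chosen to illustrate the process.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# The exact wording shown beside the (un-ticked) consent box. Keep every
# version you ever used, so a record can always be tied to what was agreed.
CONSENT_TEXT_V1 = ("Yes, add me to the mailing list. You may email me about "
                   "offers and services. I can unsubscribe at any time.")
CONFIRM_WINDOW = timedelta(days=7)  # unconfirmed requests are deleted after this


@dataclass
class ConsentRecord:
    email: str
    consent_text: str        # wording the subscriber agreed to
    requested_at: datetime   # when they ticked the box
    confirmed_at: datetime   # when they clicked the emailed link
    source: str              # e.g. "free-book-form" or "legacy-list"


@dataclass
class PendingRequest:
    email: str
    requested_at: datetime
    source: str


class MailingList:
    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock
        self.pending: Dict[str, PendingRequest] = {}      # keyed by token hash
        self.subscribers: Dict[str, ConsentRecord] = {}   # keyed by email
        self.suppressed: set = set()  # unsubscribed addresses: never email them

    @staticmethod
    def _hash(token: str) -> str:
        # Store only the hash; the raw token travels in the confirmation email.
        return hashlib.sha256(token.encode()).hexdigest()

    def _start(self, email: str, source: str) -> str:
        token = secrets.token_urlsafe(32)
        self.pending[self._hash(token)] = PendingRequest(email, self._clock(), source)
        return token

    def request_signup(self, email: str, opt_in_ticked: bool, source: str) -> Optional[str]:
        """Form submitted by the subscriber. Returns the raw token to put in the
        confirmation email, or None when the consent box was left un-ticked
        (the free download is still delivered; silence is not consent)."""
        if not opt_in_ticked:
            return None
        return self._start(email.strip().lower(), source)

    def repermission(self, emails: List[str], source: str = "legacy-list") -> Dict[str, str]:
        """Opt-in campaign for an existing list. Anyone who already unsubscribed
        or already holds a valid consent is skipped; the rest get a token."""
        tokens: Dict[str, str] = {}
        for raw in emails:
            email = raw.strip().lower()
            if email in self.suppressed or email in self.subscribers:
                continue
            tokens[email] = self._start(email, source)
        return tokens

    def confirm(self, token: str) -> bool:
        """Confirmation link clicked. Only now is the address added, and the
        token is single-use and expires with the window."""
        req = self.pending.pop(self._hash(token), None)
        if req is None:
            return False
        now = self._clock()
        if now - req.requested_at > CONFIRM_WINDOW:
            return False  # expired; the subscriber has to start again
        self.suppressed.discard(req.email)  # a fresh, explicit consent overrides an old opt-out
        self.subscribers[req.email] = ConsentRecord(
            req.email, CONSENT_TEXT_V1, req.requested_at, now, req.source)
        return True

    def purge_unconfirmed(self) -> int:
        """Delete requests nobody confirmed in time; they can re-subscribe later."""
        now = self._clock()
        stale = [h for h, r in self.pending.items() if now - r.requested_at > CONFIRM_WINDOW]
        for h in stale:
            del self.pending[h]
        return len(stale)

    def unsubscribe(self, email: str) -> None:
        """Remove the subscriber; keep only the address on a suppression list
        so the opt-out is honoured by later campaigns."""
        email = email.strip().lower()
        self.subscribers.pop(email, None)
        self.suppressed.add(email)
```

The `clock` parameter exists so the expiry and purge behaviour can be exercised without waiting seven days; in production leave the default. The suppression list deliberately holds nothing but the address, which is the minimum needed to honour an unsubscribe.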
If you are an editor with a small client database or list of client emails and have regular contact with your clients, then you probably don’t need to seek their specific consent at this time. However, you should contact clients for consent to remain on your list where there has been little or no contact between you for a long period of time.
If, however, you have a website blog with a subscriber list, then all of the above advice to authors is also relevant to you, and you should make the necessary changes outlined.
2. GDPR and website transparency
The GDPR also requires transparency: your website needs a privacy policy (often called a privacy notice) that tells subscribers and clients, in plain language:
- Who you are
- Why you are collecting the data
- Where that data is stored and how you use it (including additions to client mailing lists)
- How long the data is stored for and the ‘legal basis’ for storing it for that length of time
- The web hosting services and platforms, themes and plug-ins, and any analytics which use IP identifiers or tracking cookies (as applicable)
- Subscribers’ right to access, amend or delete their information and how they can go about doing this – who to contact and how
- Contact details for subscriber access requests
- What happens in the event of a security breach and how you will contact subscribers who are at risk
You also need to inform users of your site that your website uses analytic plug-ins or tracking cookies, how that affects them, and how to disable them, if possible.
You can include this policy in your contract documentation when negotiating projects with potential clients, or link to it from your email signature or website contact form. A website contact form is an excellent way of obtaining a record of consent that you can keep on file, as you can connect it to a required opt-in box which clients or subscribers tick manually to confirm that they have read and consent to all or certain terms of the policy. Make sure the form submission you store includes what was ticked, the wording shown and when it was submitted, not just the email address; otherwise you have no record to show.
3. GDPR best practices
It makes sense to review your existing business practices in relation to the GDPR before the legislation comes into effect. A little time spent now on setting up GDPR-compliant processes and procedures will save you time and stress in the long term.
Summary of the practical steps to help you become GDPR compliant
- Be aware of the GDPR – don’t assume it doesn’t affect you, no matter how small the volume of personal data you collect
- Look at what personal data you collect, how you collect it and how long you keep it for
- Look at existing mailing or client lists and decide if you need to update consents to hold that data
- Have a plan for dealing with access requests and requests for deleting or amending personal data
- Do a security audit on your website and devices
- If you subcontract or hire in services yourself, consider whether your contractors or service providers are also GDPR compliant
- Have a plan for reporting a security breach to clients or subscribers if your computer or website is hacked or your devices are stolen (the GDPR also requires you to notify your data protection authority within 72 hours of becoming aware of a breach that is likely to put people at risk, so know in advance who to contact)
Where to find out more
Data Protection Commissioner's GDPR And You website (Ireland)
European Commission's Data Protection website
Information Commissioner's Office website (UK)
See also: How will the GDPR affect editors and authors? (Part 1)
Bernadette Kearns is a freelance editor and writer providing a full range of editorial services to authors and businesses through Book Nanny Writing and Editing Services. Bernadette specialises in developmental, structural and copy-editing for fiction and creative non-fiction authors. Her favourite fiction genres are crime, thrillers, historical, literary, fantasy, magical realism and children’s fiction. Non-fiction areas of specialist knowledge and interest are law, film, literature, drama, acting and theatre.
Bernadette is currently the vice-chair of AFEPI Ireland. You can contact Bernadette by emailing firstname.lastname@example.org, or through Facebook or Twitter.