Monday, 21 May 2018

What Authors Need to Know About GDPR

By Iola Goulton @iolagoulton



What is GDPR, and why do authors need to know about it?


First, the PSA. I'm not a lawyer, so none of the information in this blog post is legal advice. It's my best guess as a layperson who has studied the subject. If you want legal advice, ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don't get legal advice off the internet.

There are two excellent YouTube videos from British lawyers, and I'll link to those at the bottom of the post for those who want or need to know more.

What is GDPR?


The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018. It harmonizes data privacy laws across the European Union (EU), so it affects any organization holding personal data from EU residents. Note that the EU still includes the United Kingdom, so GDPR still applies. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).

Why do authors need to know about GDPR?


GDPR affects all organisations based in the EU, or supplying goods or services in the EU, that collect and process the data of EU residents, regardless of where they are based. 


As Australasian writers and bloggers, we're not based in the EU (Australia might compete in the Eurovision Song Contest, but that doesn't make Australia part of the EU).

But many of us are supplying goods or services in the EU:
  • If we have a book listed on Amazon.co.uk or BookDepository.com, we're indirectly supplying goods.
  • If we have a website that's viewable in the EU, we're supplying services in the form of information. Free services, but still services.
  • If we have an email list that includes EU residents or may include EU residents in the future, we're supplying services, and we may also be marketing to EU residents.
If you have a self-hosted website, then your site is collecting a lot of information on your behalf, and you are responsible for ensuring only the necessary data is collected, that collected data is kept private, and that it is deleted on request or within a reasonable timeframe.

For example, if you comment on www.iolagoulton.com, I ask for your name, email address, and website (although that’s optional). But the website also collects and stores your IP address, and may store cookies (e.g. so the site remembers you have commented before and that I approved your comment, so subsequent comments aren’t held for moderation; another cookie ensures you aren't shown the email signup pop-up more often than once every 90 days).

Yes, you need to know about GDPR.


But GDPR isn’t the big bogeyman some commentators are making it out to be. Sure, it toughens up on the way we collect and use personal data, but the main principles are around people who hold personal data using that data in a way that is fair, transparent, and lawful.

What does this mean?


We tell people what data we are collecting, why we are collecting it, what we are going to use it for, and we only use it for that purpose. And that purpose must be lawful.

We only collect the data we need, with the permission of the owner of that data. We do not pass data on without permission, and we make sure anyone we pass data to is also collecting and using that data lawfully.

That’s not so hard, is it?


First, the Possible Exception.


Yes, there is an exception, and that's when your website or blog is managed through a free provider such as Blogger (like Australasian Christian Writers) or WordPress.com (but not self-hosted WordPress.org).

As best as I can tell, Google owns Blogger. Blogger/Google collects personal information every time we upload a post to Blogger, or comment on an existing post. The writer owns the copyright, but Google owns the platform.

I suspect this makes Blogger the data controller, not me (or us, in the case of ACW), and that means it is up to Google to ensure Blogger sites are GDPR compliant. Click here to read Google's Privacy Policy.

I think the same is true for WordPress.com (i.e. not self-hosted WordPress). It’s hosted by WordPress, which means they own it. Click here to read the WordPress.com Privacy Policy. Note that WordPress do say:

We also process information about visitors to our users’ websites, on behalf of our users and in accordance with our user agreements. Please note that our processing of that information on behalf of our users for their websites isn’t covered by this Privacy Policy. We encourage our users to post a privacy policy that accurately describes their practices on data collection, use, and sharing of personal information.


If this isn’t right, please let us know in the comments (with the appropriate link), and I'll update the post.


What do you need to do to prepare for GDPR?


If you have a self-hosted blog or website, or an email list, then there are some tasks you need to complete to prepare for GDPR. Based on the research I've done, here's my approach:

1. SSL Certificate


SSL certification adds a layer of security to your website. If you don't already have SSL certification, now is a good time to consider it. You may be able to get a free SSL certificate from your web host.

Neil Patel at Kissmetrics has just published a detailed post on the subject.

2. Privacy Policy

You need a Privacy Policy, outlining the personal data you collect and how that is used. I spent a whole day researching privacy policies online (and wrote a blog post about it), then discovered this: WordPress Privacy Policy

Automattic, the owners of WordPress and WooCommerce, have made their Privacy Policy available under a Creative Commons Sharelike licence. You will need to adapt it for your own needs and brand voice, but it's a great start.

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it's not GDPR-compliant. I contacted Zegal, and they say they will be releasing a GDPR-compliant Privacy Policy before 25 May, but it will only be available to paying customers.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I'm currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin. It's easy to install and customise (you can see it in action at www.iolagoulton.com, although note that I haven't customised it at all).

5. Contact Form

Most websites have a contact form allowing visitors to email the website owner. It seems pretty obvious to me that completing a contact form means the website owner is getting your personal information, but some people are recommending adding a tickbox to make this explicit.

Regardless, your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate, which means WordPress users have no excuse.

6. Comments Form

Most blogs have a comments section, which collects personal information. Do we need to add a tickbox for specific consent? I've seen blog posts from non-experts that suggest we do, but my WordPress site doesn't have any way of adding a tickbox to comments.

However, the WP GDPR Compliance plugin also handles comments, so I've added the tickbox using this plugin. It took another three minutes.

7. Email Signup Forms

Your email signup forms need to include a reference or link to your new or updated Privacy Policy. You must also make it clear that visitors are signing up for a newsletter that will include sales and marketing emails, and that they have the option to unsubscribe at any time (which they will have if you're using a competent external email service provider. You are, right?)

There has been discussion over whether you can still offer a free gift to new subscribers. My understanding is that you can, but it has to be:

Sign up for my email list to receive regular newsletters and occasional marketing emails. In return, I'll send you a free gift!


Not:

Want a free gift? Sign up here!


Even better, have a tickbox as part of the signup form, so your website visitors know exactly what they are getting. I use Bloom from Elegant Themes* for my website signups, and that doesn't have the tickbox option. Yet. MailChimp* does have GDPR compliant forms, but they are not as pretty as my Bloom forms.

* These are affiliate links, which means I get a small commission if you purchase something using these links. The amount you pay does not change. If you don't want to use affiliate links, then use your favourite search engine to find the sites.

8. Email List


Do you need to contact everyone on your list before 25 May to reconfirm they want to be on your email list?


This is the really hard part, and it's something even the experts can't agree on. Some experts and mailing list providers say yes. They say you need to email everyone on your list and ask them to reconfirm their consent, then delete the people who unsubscribe or don't respond. The issue with this approach is you will lose a large number of subscribers (although it is argued you're only losing the unengaged subscribers, so cutting them will improve the performance of your list).

Some email list providers (e.g. AWeber, ConvertKit) seem to be able to segment out EU subscribers by their IP address, which makes the consent process easier. If your email provider has this option, it's worth exploring.

Other experts advise against asking your email list to reconfirm their consent, because sending the email implies you don't have a record of their consent and you shouldn't be emailing someone without their consent.

The approach you take will depend on how you built your email list, and who your email list provider is. MailChimp (my email list provider) seems to be taking a softly-softly approach. Others (e.g. MailerLite) seem to be more aggressive in requiring list owners send reconfirmation emails.

What I don't recommend is what I've seen two US-based authors do over the last few days: email their list with a suggestion/request people opt out if they no longer want to be on the mailing list, and that not opting out will be taken as consent for GDPR. I don't like this approach for two reasons:
  1. There should already be an unsubscribe option on every email you send.
  2. This is passive consent—do nothing, and you're on the list. The principle of GDPR is that subscribers must actively consent to being on your mailing list. That is, they have to check the box that says "Sign me up!" to be on your list, not uncheck it to stay off your list. 
There is one thing the experts agree on: this is a good opportunity to both try to re-engage your email list and delete those who haven't opened recent emails (say, any email in the last three or six months, or your last three or six emails). This is the approach I have taken.

Listen to the Experts


As I said at the beginning, I'm no lawyer. But I've read a lot of blog posts, and listened to podcasts and watched videos from GDPR legal experts. Here are the two best sources of information I've found:

Mark Dawson's Self-Publishing Formula podcast interviewed British lawyer Gemma Gibbs:



Nick Stephenson's First 10,000 Readers interviewed British lawyer Suzanne Dibble. Suzanne also has a Facebook group with loads of free information. Click here to find Suzanne's Facebook group. She also has a GDPR Compliance Kit for sale, for GBP 197. Here's Suzanne on GDPR:



One Final Note


I will be updating the Kick-Start Your Author Platform Marketing Challenge to take these changes into account. If you're already enrolled in the Challenge, I'll email you once I've completed the updates. If you're not in the Challenge, why not sign up?

What do you need to do to prepare for GDPR?



About Iola Goulton

Iola Goulton is a New Zealand book reviewer, freelance editor, and author, writing contemporary Christian romance with a Kiwi twist. She is a member of the Sisterhood of Unpronounceable Names (Iola is pronounced yo-la, not eye-ola and definitely not Lola).

Iola holds a degree in marketing, has a background in human resource consulting, and currently works as a freelance editor. When she’s not working, Iola is usually reading or writing her next book review. Iola lives in the beautiful Bay of Plenty in New Zealand (not far from Hobbiton) with her husband, two teenagers and one cat.

12 comments:

  1. Thanks, Iola. Useful as always. I don’t suppose you know how much a paid membership of zegal.com is? I’ll need to check it out.

    1. It's a monthly subscription, and it seems like it's designed for small business (as a lot of the templates are for things like employment contracts - vital, but not something I need).

      I don't know if they have a one-off option as well for those of us who only need the Privacy Policy and Terms & Conditions.

  2. Thanks, Iola, for the detailed update on GDPR. I'd be surprised if the EU came after authors who have such little activity in comparison to major suppliers. But useful to keep abreast of it and to update such things as Privacy Policy and notifications and such like moving forward.

    1. Hi Ian

      No, I don't think the EU is going to come after single authors. My understanding is they will only be responding to complaints, rather than trying to police us all.

      But GDPR highlights what should be common courtesy and good business practice for us all, so we do need to know what's happening.

  3. Thanks so much for organizing all this info for us!

  4. This is great, Iola. Very helpful xx

  5. Thanks, Iola. Very helpful to have it all together.

  6. Iola, excellent post! Thank you for researching GDPR and sharing with us. I've found your self-hosted Wordpress information very helpful. I have the plug-ins installed and I'm working on my Privacy Policy. It's helpful that WP have created the Privacy Page template in their recent update.

    I've updated MailChimp and segmented my list according to method of sign-in. The WP form plug-in I use for MailChimp isn't updating the fields for GDPR marketing permissions. I'm hoping they'll have an update that adds in the fields. Fortunately I've always used double opt-in for newsletter signups and MailChimp tracks this data.

    It's complicated and it's the lawyers who'll make bank on this bureaucratic change.

    1. The lawyers currently can't agree on some of the major points, so they are certainly going to be the winners in this!

      The actual doing isn't that hard. The hard part has been wading through the information to try and get the best possible advice so I know what to do.
