What Authors Need to Know About GDPR

By Iola Goulton @iolagoulton

What is GDPR, and why do authors need to know about it?

First, the PSA. I'm not a lawyer, so none of the information in this blog post is legal advice. It's my best guess as a layperson who has studied the subject. If you want legal advice, you ask a lawyer who is qualified to practice in this area. In this case, that means a lawyer based in the EU with a background in privacy, data protection, or similar. You don't get legal advice off the internet.

There are two excellent YouTube videos from British lawyers, and I'll link to those at the bottom of the post for those who want or need to know more.

What is GDPR?

The GDPR is the General Data Protection Regulation, and comes into force on 25 May 2018. It harmonizes data privacy laws across the European Union (EU), so it affects any organization holding personal data from EU residents. Note that the EU still includes the United Kingdom, so GDPR still applies. The British government have indicated they will implement GDPR-like legislation following Brexit (if it goes ahead).

Why do authors need to know about GDPR?

GDPR affects all organisations based in the EU, or supplying goods or services in the EU, that collect and process the data of EU residents, regardless of where they are based. 

As Australasian writers and bloggers, we're not based in the EU (Australia might compete in the Eurovision Song Contest, but that doesn't make Australia part of the EU).

But many of us are supplying goods or services in the EU:

• If we have a book listed on Amazon.co.uk or BookDepository.com, we're indirectly supplying goods.
• If we have a website that's viewable in the EU, we're suppling services in the form of information. Free services, but still services
• If we have an email list that includes EU residents or may include EU residents in the future, we're supplying services, and we may also be marketing to EU residents.

If you have a self-hosted website, then your site is collecting a lot of information on your behalf, and you are responsible for ensuring only the necessary data is collected, that collected data is kept private, and that it is deleted on request or within a reasonable timeframe.

For example, if you comment on www.iolagoulton.com, I ask for your name, email address, and website (although that’s optional). But the website also collects and stores your IP address, and may store cookies (e.g. so the site remembers you have commented before and that I approved your comment, so subsequent comments aren’t held for moderation. Another cookie knows not to show you the email signup pop-up more often than once every 90 days).

Yes, you need to know about GDPR.

But GDPR isn’t the big bogeyman some commentators are making it out to be. Sure, it toughens up on the way we collect and use personal data, but the main principles are around people who hold personal data using that data in a way that is fair, transparent, and lawful.

What does this mean?

We tell people what data we are collecting, why we are collecting it, what we are going to use it for, and we only use it for that purpose. And that purpose must be lawful.

We only collect the data we need, with the permission of the owner of that data. We do not pass data on without permission, and we make sure anyone we pass data to is also collecting and using that data lawfully.

That’s not so hard, is it?

First, the Possible Exception.

Yes, there is an exception, and that's when your website or blog is managed through a free provider such as Blogger (like Australasian Christian Writers) or WordPress.com (but not self-hosted WordPress.org).

As best as I can tell, Google owns Blogger. Blogger/Google collects personal information every time we upload a post to Blogger, or comment on an existing post. The writer owns the copyright, but Google owns the platform.

I suspect this makes Blogger the data controller, not me (or us, in the case of ACW), and that means it is up to Google to ensure Blogger sites are GDPR compliant. Click here to read Google's Privacy Policy.

I think the same is true for WordPress.com (i.e. not self-hosted WordPress). It’s hosted by WordPress, which means they own it.  Click here to read the WordPress.com Privacy Policy. Note that WordPress do say:

We also process information about visitors to our users’ websites, on behalf of our users and in accordance with our user agreements. Please note that our processing of that information on behalf of our users for their websites isn’t covered by this Privacy Policy. We encourage our users to post a privacy policy that accurately describes their practices on data collection, use, and sharing of personal information.

If this isn’t right, please let us know in the comments (with the appropriate link), and I'll update the post.

What do you need to do to prepare for GDPR?

If you have a self-hosted blog or website, or an email list, then there are some tasks you need to complete to prepare for GDPR. Based on the research I've done, here's my approach:

1. SSL Certificate

SSL certification adds a layer of security to your website. If you don't already have SSL certification, now is a good time to consider it. You may be able to get a free SSL certificate from your web host.

Neil Patel at Kissmetrics has just published a detailed post on the subject.

2. Privacy Policy

You need a Privacy Policy, outlining the personal data you collect and how that is used. I spent a whole day researching privacy policies online (and wrote a blog post about it), then discovered this: WordPress Privacy Policy

Automattic, the owners of WordPress and WooCommerce, have made their Privacy Policy available under a Creative Commons Sharelike licence. You will need to adapt it for your own needs and brand voice, but it's a great start.

Another good option is Zegal.com, which offers free privacy policies tailored for New Zealand or Australia. Mine was clear, easy to read, and easy to understand, but it's not GDPR-compliant. I contacted Zegal, and they say they will be releasing a GDPR-compliant Privacy Policy before 25 May, but it will only be available to paying customers.

3. Terms and Conditions

If you are selling directly from your website, you should consider a terms and conditions policy. I'm currently using the extreme legalese of Auto Terms of Service and Privacy Policy, but I will look at this again.

4. Cookie Policy

Most websites use cookies, and EU law requires website owners to advise visitors of this fact, and obtain their consent to using cookies. WordPress plugins such as the EU Cookie Law Widget help site owners comply.

Click here to learn more about cookies. Cookies can be addressed as part of your Privacy Policy, or in a separate Cookie Policy.

If you use WordPress, check out the GDPR Cookie Compliance plugin. It's easy to install and customise (you can check it out at www.iolagoulton.com. Note that I haven't customised it at all.)

5. Contact Form

Most websites have a contact form allowing visitors to email the website owner. It seems pretty obvious to me that completing a contact form means the website owner is getting your personal information, but some people are recommending adding a tickbox to make this explicit.

Regardless, your Privacy Policy will need to include what information you collect on your contact form, and what it is used for. The WP GDPR Compliance plugin for WordPress will add a tickbox to your Contact Form 7 or Gravity Forms contact form. It takes about two minutes to install and activate, which means WordPress users have no excuse.

6. Comments Form

Most blogs have a comments section, which collects personal information. Do we need to add a tickbox for specific consent? I've seen blog posts from non-experts that suggest we do, but my WordPress site doesn't have any way of adding a tickbox to comments.

However, the WP GDPR Compliance plugin also handles comments, so I've added the tickbox using this plugin. It took another three minutes.

7. Email Signup Forms

Your email signup forms need to include a reference or link to your new or updated Privacy Policy. You must also make it clear that visitors are signing up for a newsletter that will include sales and marketing emails, and that they have the option to unsubscribe at any time (which they will have if you're using a competent external email service provider. You are, right?)

There has been discussion over whether you can still offer a free gift to new subscribers. My understanding is that you can, but it has to be:

Sign up for my email list to receive regular newsletters and occasional marketing emails. In return, I'll send you a free gift!

Not:

Want a free gift? Sign up here!

Even better, have a tickbox as part of the signup form, so your website visitors know exactly what they are getting. I use Bloom from Elegant Themes* for my website signups, and that doesn't have the tickbox option. Yet. MailChimp* does have GDPR compliant forms, but they are not as pretty as my Bloom forms.

* These are affiliate links, which means I get a small commission if you purchase something using these links. The amount you pay does not change. If you don't want to use affiliate links, then use your favourite search engine to find the sites.

8. Email List

Do you need to contact everyone on your list before 25 May to reconfirm they want to be on your email list?

This is the really hard part, and it's something even the experts can't agree on. Some experts and mailing list providers say yes. They say you need to email everyone on your list and ask them to reconfirm their consent, then delete the people who unsubscribe or don't respond. The issue with this approach is you will lose a large number of subscribers (although it is argued you're only losing the unengaged subscribers, so cutting them will improve the performance of your list).

Some email list providers (e.g. AWeber, ConvertKit) seem to be able to segment out EU subscribers by their IP address, which makes the consent process easier. If your email provider has this option, it's worth exploring.

Other experts advise against asking your email list to reconfirm their consent, because sending the email implies you don't have a record of their consent and you shouldn't be emailing someone without their consent.

The approach you take will depend on how you built your email list, and who your email list provider is. MailChimp (my email list provider) seems to be taking a softly-softly approach. Others (e.g. MailerLite) seem to be more aggressive in requiring list owners send reconfirmation emails.

What I don't recommend is what I've seen two US-based authors do over the last few days: email their list with a suggestion/request people opt out if they no longer want to be on the mailing list, and that not opting out will be taken as consent for GDPR. I don't like this approach for two reasons:

1. There should already be an unsubscribe option on every email you send.
2. This is passive consent—do nothing, and you're on the list. The principle of GDPR is that subscribers must actively consent to being on your mailing list. That is, they have to check the box that says "Sign me up!" to be on your list, not uncheck it to stay off your list. 

There is one thing the experts agree on: this is a good opportunity to either try and reengage your email list, and to delete those who haven't opened recent emails (say, any email for the last three or six months, or your last three or six emails). This is the approach I have taken.

Listen to the Experts

As I said at the beginning, I'm no lawyer. But I've read a lot of blog posts, and listened to podcasts and watched videos from GDPR legal experts. Here are the two best sources of information I've found:

Mark Dawson's Self-Publishing Formula podcast interviewed British lawyer Gemma Gibbs:

Nick Stephenson's First 10,000 Readers interviewed British lawyer Suzanne Dibble. Suzanne also has a Facebook group with loads of free information. Click here to find Suzanne's Facebok group. She also has a GDPR Compliance Kit for sale, for GDP 197. Here's Suzanne on GDPR:

One Final Note

I will be updating the Kick-Start Your Author Platform Marketing Challenge to take these changes into account. If you're already enrolled in the Challenge, I'll email you once I've completed the updates. If you're not in the Challenge, why not sign up?

What do you need to do to prepare for GDPR?

About Iola Goulton

Iola Goulton is a New Zealand book reviewer, freelance editor, and author, writing contemporary Christian romance with a Kiwi twist. She is a member of the Sisterhood of Unpronounceable Names (Iola is pronounced yo-la, not eye-ola and definitely not Lola).

Iola holds a degree in marketing, has a background in human resource consulting, and currently works as a freelance editor. When she’s not working, Iola is usually reading or writing her next book review. Iola lives in the beautiful Bay of Plenty in New Zealand (not far from Hobbiton) with her husband, two teenagers and one cat.

Website | Facebook | Instagram | Pinterest | Twitter

Five Ways to Build Your Author Email List (and One Way Not To)

By Iola Goulton

Over the last year, Australasian Christian Writers has had several posts on author platform and marketing. We’ve had posts on the importance of building your author brand and platform. We’ve had high-level how-to lists on building your author brand and website, or building your author platform.

And we’ve posted on the importance of having a website (a must-have), a blog (a maybe), and an email list.

But is an email list a must-have or a maybe?

I think it’s a must-have, as I explained in Do Authors Need an Email List? And all the book marketing experts I follow agree. Chris Syme says:

And that leads to the subject of today’s post: How does an author build their list?

First, Don't Do This:

Don't add people you know to a list on Word or Excel or Gmail or Hotmail, then email them. 

I’ve received these emails. I even saw it recommended in a marketing book a few years ago, that authors “add people you know to your opt-in list”. Yes, this author was ahead of the times in actually having a newsletter list, but did she not understand the meaning of the words “opt in”?

Adding people to your list without their permission is against the law.

You can only email people who have given you permission to email them (which is where Seth Godin’s phrase ‘permission marketing’ comes from). And you must give people the option to unsubscribe.

As I’ve said before, the best way to ensure your email list complies with relevant laws is to use one of the major email list providers, such as Aweber Email Marketing, MadMimi, MailChimp or MailerLite.

Instead:

1. Email and Ask

Email friends you think would be interested in joining your newsletter list, and ask if they’ll sign up. You don’t have to rely on email. You could also send a text message or Facebook DM, Tweet them … even talk to them. The point is that you’re asking for permission.

And they can sign up though the link you provide (which you’ll get from your mailing list provider), or you can add them directly into your mailing list. But only with their permission.

2. Ask at Events

Ask for newsletter sign-ups if you’re speaking at an event, such as a writer’s conference or retreat, or a book launch. The less technical among us have a physical sign-up sheet, then add people to the list manually. A more technical person could have a QR code on a bookmark, or a PC/tablet so people can enter their own data.

3. Ask Online

Use a plugin such as Bloom or SumoMe to prompt website visitors to sign up for your email list. Pin a post on Twitter. Add a sign up button to your Facebook page. Include a link to your signup form in the bio you use for guest posts.

Friends, family and colleagues may well agree to sign up for your newsletter just because you asked them. But strangers are unlikely to give you their email address unless there’s something in it for them.

That ‘something’ is a giveaway of some kind—my subscriptions did increase when I started offering new subscribers a gift (I offer a list of Christian publishers for my Christian Editing Services list, and a list of my favourite Christian authors for my Author list).

4. Host a Giveaway

A lot of blogs host giveaways, but most are of the ‘leave a comment to be in the draw to win’ variety. That isn’t helpful for collecting email addresses—no one wants to leave their real email address in a blog comment. But authors can use tools such as Rafflecopter or KingSumo to run giveaways where they collect email addresses in exchange for an entry.

But I’ve found having a giveaway isn’t enough. It has to be promoted. And that’s where my final suggestion comes in:

5. Join a Cross-Promotion

A cross-promotion is where you join forces with other authors to host a giveaway. There is generally some cost involved in this, as setting up and hosting the giveaway takes time, effort, and technical know-how. But the advantages outweigh the disadvantages, as it means it’s not just you promoting your giveaway—all the other authors involved will be promoting it as well, which means you’ll get in front of a lot more people.

Today is the last day of my first-ever cross-promotion, joining 17 other authors in an Instafreebie promotion of non-fiction books for writers.

I’m thrilled with the results. 

I started the promotion with 142 people on my Christian Editing Services list, and I’d doubled that within the first two days of the promotion. And that’s with my hyper-niche title. A couple of authors, whose books had broader appeal, added over 1,000 people to their lists.

At the time of writing, 355 people had downloaded my free ebook, and I’d added 325 to my newsletter list. Some people downloaded the book and immediately unsubscribed. That’s okay—I’m on MailChimp’s paid plan, which means I pay more to have more subscribers. I don’t want to be paying for people who don’t want to hear from me.

Click here if you’d like to sign up to my newsletter list. Or click here to see the 18 books in the cross-promotion. But be quick: it finishes today (well, it actually finishes at midnight Sunday, But I’m not sure in what time zone).

I’ll be back next week to talk more about giveaways and cross promotions.

Meanwhile, do you have an email list? What mailing list provider do you use? What’s the most successful way you’ve found of building your email list?

About Iola Goulton

I am a freelance editor specialising in Christian fiction. Visit my website at www.christianediting.co.nz to download a comprehensive list of publishers of Christian fiction. 

I also write contemporary Christian romance with a Kiwi twist—find out more atwww.iolagoulton.com.

You can also find me on:
Facebook (Author)
Facebook (Editing)
Instagram
Pinterest
Twitter