The General Data Protection Regulation (GDPR) came into play in 2016 as a protective barrier that ensures an individual's personal data is handled safely and correctly. You might be wondering, 'why do I need to know this?' and that's a great question, because you do need to know this, especially if you're self-publishing your book. I'm going to talk about why and give you a mini GDPR course to ensure that you're following all the rules when handling data.
Important terms you should know
Before you read the rest of this article, here are some important terms you should know, alongside what they mean.
Personal data — Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.
Data processing — Any action performed on data, whether automated or manual. The examples cited in the text include collecting, recording, organizing, structuring, storing, using, erasing.
Data subject — The person whose data is processed. These are your customers, site visitors and those you are interacting with.
Data controller — The person who decides why and how personal data will be processed. In most cases, unless you have a team or publisher managing the data on your behalf, this is you.
Data processor — A third party that processes personal data on behalf of a data controller. The GDPR has special rules for these individuals and organizations.
What is GDPR and why is it so important?
The General Data Protection Regulation is a regulation in EU law that protects an individual's personal data. For reference, personal data refers to an individual's name, email, address, phone number, IP address, social security number, passport number, driver's license and anything else that can be used to identify someone.
The official gdpr.eu website describes the history of GDPR as follows:
The right to privacy is part of the 1950 European Convention on Human Rights, which states, “Everyone has the right to respect for his private and family life, his home and his correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation. As technology progressed and the Internet was invented, the EU recognized the need for modern protections. So in 1995 it passed the European Data Protection Directive, establishing minimum data privacy and security standards, upon which each member state based its own implementing law. But already the Internet was morphing into the data Hoover it is today. In 1994, the first banner ad appeared online. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. Two months after that, Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.
The GDPR entered into force in 2016 after passing European Parliament, and as of May 25, 2018, all organizations were required to be compliant.
Why do writers need to know about GDPR?
As mentioned above, GDPR ensures that a person's personal data is handled correctly, and there is a set of rules in place that you must follow when handling this data. Writers, especially self-publishing writers, need to know about this as we tend to do our own marketing, meaning we have to ensure we're following all the rules a marketing team in a company would. Some basics are as follows:
Lawfulness, fairness and transparency — Processing must be lawful, fair, and transparent to the data subject.
Purpose limitation — You must process data for the legitimate purposes specified explicitly to the data subject when you collected it.
Data minimization — You should collect and process only as much data as absolutely necessary for the purposes specified.
Accuracy — You must keep personal data accurate and up to date.
Storage limitation — You may only store personally identifying data for as long as necessary for the specified purpose.
Integrity and confidentiality — Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
Accountability — The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.
Some common examples where writers might find themselves having to think about GDPR are:
When building your website - If you're planning on collecting email addresses for a newsletter or email sign-up, you need to make sure you've got a checkbox where users have to opt in to receive marketing emails from you in order to sign up. Take a look at what this looks like on my website.
When running a preorder gifting campaign - If you're running a preorder gifting campaign, which I highly suggest you do to market your book release, then you're probably collecting personal data such as names and addresses so that you can send out the gifts. You may store this information in an Excel sheet, for example, but only for as long as the preorder gifting campaign lasts. Once you've sent all the gifts and the preorder campaign has closed, you're not able to store their information unless specified otherwise, so remember to permanently delete your file with personal data on it.
When running competitions - If you're sending an item to someone's address, or an eBook to an email address, you cannot store this information and must delete it from all systems or wherever it has been stored, unless they have stated otherwise.
If you think you can use the personal data given - You cannot. If you've run a preorder gifting campaign or competition in which a name, email address, physical address or any other form of personal data has been given to you for a specific purpose, this being the campaign or competition, you cannot then use it for something else, such as your email subscriber list. Nor can you then use it to send items in the future, for example a thank you note, promo letter, or anything similar, as you cannot store this information.
To note: If you would like to store personal data to use again in the future, for example to send marketing emails, or promotions via address, etc., you can do this, but you MUST let the person know that you are doing this and you MUST receive written communication from that person confirming that they agree to it.
For example, if you're running a social media giveaway in which you're sending someone an eBook via email, you could put in the terms and conditions that all participants agree to receive marketing emails from you. That way, all those who enter the giveaway would have agreed to this.
When are you allowed to process personal data?
There are some cases where you're allowed to store personal data, a few of which I have previously mentioned above. These are:
The data subject gave you specific, unambiguous consent to process the data. (e.g. They’ve opted into your marketing email list.)
Processing is necessary to execute or to prepare to enter into a contract to which the data subject is a party. (e.g. You need to do a background check before leasing property to a prospective tenant.)
You need to process it to comply with a legal obligation of yours. (e.g. You receive an order from the court in your jurisdiction.)
You need to process the data to save somebody’s life.
Processing is necessary to perform a task in the public interest or to carry out some official function. (e.g. You’re a private garbage collection company.)
You have a legitimate interest to process someone’s personal data. This is the most flexible lawful basis, though the “fundamental rights and freedoms of the data subject” always override your interests, especially if it’s a child’s data.
Things you need to know about consent
As previously mentioned, you need to receive some form of consent from the data subject to process their information. However, there are some rules that apply, especially when the data subject is a child under the age of 13, which might apply if you're a children's or middle-grade author.
Consent must be “freely given, specific, informed and unambiguous.”
Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
Data subjects can withdraw previously given consent whenever they want, and you have to honour their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
Children under 13 can only give consent with permission from their parent.
You need to keep documentary evidence of consent.
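To show how the campaign rules above (purpose limitation, deleting the file once a campaign closes, reusing data only with separate agreement) and the consent rules in this list fit together in practice, here is an added example. It is not from the original post or from gdpr.eu: a small Python consent ledger and campaign store, written by the editor, that refuses to process data for a purpose the subject never agreed to, honours withdrawal, keeps the documentary evidence of consent, requires parental permission under the age of 13 stated above, and purges a campaign's personal data once it is closed. All names, the subjects, the evidence identifiers and the campaign entries are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Age threshold taken from the post; below it, consent needs a parent's permission.
PARENTAL_CONSENT_AGE = 13


@dataclass
class ConsentRecord:
    """One piece of documentary evidence: who agreed to what, when, and where the proof is."""
    subject: str                        # identifier of the data subject (here an email address)
    purpose: str                        # the exact purpose the subject was told about
    given_at: datetime
    evidence: str                       # e.g. a form submission id or the giveaway T&C version
    age: Optional[int] = None
    parental_consent: bool = False
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Keeps consent records; processing is allowed only for a live record with the same purpose."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record(self, rec: ConsentRecord) -> None:
        if not rec.evidence:
            raise ValueError("consent must be backed by documentary evidence")
        if rec.age is not None and rec.age < PARENTAL_CONSENT_AGE and not rec.parental_consent:
            raise ValueError(f"subjects under {PARENTAL_CONSENT_AGE} need a parent's permission")
        self._records.append(rec)

    def withdraw(self, subject: str, purpose: str, when: datetime) -> int:
        """Honour a withdrawal: mark every live record for this subject and purpose. Returns count."""
        count = 0
        for rec in self._records:
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = when
                count += 1
        return count

    def may_process(self, subject: str, purpose: str) -> bool:
        """Purpose limitation: consent for the gifting campaign does not cover the newsletter."""
        return any(
            rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None
            for rec in self._records
        )


@dataclass
class Campaign:
    """Personal data collected for one purpose, e.g. names and addresses for preorder gifts."""
    purpose: str
    entries: dict[str, dict] = field(default_factory=dict)   # subject -> collected data
    closed_at: Optional[datetime] = None


def purge_closed_campaign(campaign: Campaign) -> list[str]:
    """Storage limitation: once the campaign has closed, delete its personal data.

    Returns the subjects whose data was removed; an open campaign is left untouched.
    The consent records themselves stay in the ledger, since they are the evidence.
    """
    if campaign.closed_at is None:
        return []
    removed = sorted(campaign.entries)
    campaign.entries.clear()
    return removed


def carry_over(campaign: Campaign, ledger: ConsentLedger, subject: str, new_purpose: str) -> Optional[dict]:
    """Reuse campaign data for another purpose only if the subject separately agreed to it."""
    if subject in campaign.entries and ledger.may_process(subject, new_purpose):
        return dict(campaign.entries[subject])
    return None


def demo() -> dict:
    """Constructed walk-through of a gifting campaign followed by a giveaway with newsletter T&Cs."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("ana@example.com", "preorder-gifting", t0, "gift-form#17"))
    gifts = Campaign("preorder-gifting", {"ana@example.com": {"name": "Ana", "address": "1 Example St"}})
    out = {
        "gifting_allowed": ledger.may_process("ana@example.com", "preorder-gifting"),
        "newsletter_before_consent": ledger.may_process("ana@example.com", "newsletter"),
        "carry_over_without_consent": carry_over(gifts, ledger, "ana@example.com", "newsletter"),
    }
    # Giveaway terms stated that entrants agree to marketing emails: a separate, documented consent.
    ledger.record(ConsentRecord("ana@example.com", "newsletter", t0, "giveaway-tc-v2"))
    out["carry_over_with_consent"] = carry_over(gifts, ledger, "ana@example.com", "newsletter")
    out["withdrawn_count"] = ledger.withdraw("ana@example.com", "newsletter", t0)
    out["newsletter_after_withdrawal"] = ledger.may_process("ana@example.com", "newsletter")
    try:
        ledger.record(ConsentRecord("kid@example.com", "newsletter", t0, "form#3", age=11))
        out["child_rejected"] = False
    except ValueError:
        out["child_rejected"] = True
    out["purge_while_open"] = purge_closed_campaign(gifts)
    gifts.closed_at = t0
    out["purge_after_close"] = purge_closed_campaign(gifts)
    out["entries_left"] = len(gifts.entries)
    return out
```

Two design points: the ledger never "upgrades" a consent (a record for one purpose says nothing about another, which is the withdrawal rule in the list above), and purging a closed campaign removes the collected data but keeps the consent records, because those are the documentary evidence you are required to retain.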
What I HIGHLY suggest you do is take a GDPR course to ensure that you're GDPR compliant. You can find many courses online, such as this one. Above is a summary of what you need to know; however, you might find it useful to read the full General Data Protection Regulation, which is 88 pages long, and you can do so here.