On May 25, 2018 there are some major changes coming through the pipelines under a new law called the General Data Protection Regulation (GDPR). It’s being implemented to protect your constituents (aka readers, fans, i.e. bookish friends you have any type of data on) in the European Union (EU). Now before you mentally go shutting down and closing your browser thinking this doesn’t pertain to you because you don’t live in Europe or because you’re not a “marquee author” or “big blogger” … there is a damn good chance it does. So grab your coffee and listen up!
We live in a digital world where data privacy is of the utmost importance, so I predict this will be the first in a long line of countries creating new, protective laws for their citizens. So adapt early to cover yourself!
Let’s dive in and start at the very beginning, shall we?
What is GDPR?
The General Data Protection Regulation, otherwise referred to as GDPR, is new legislation that takes effect on May 25, 2018. Simply stated, the GDPR is the most significant ruling in the digital world for the past two decades and focuses on requiring the data keepers to be transparent with everyone. And let’s be honest … the online world of 20 years ago hinged on AOL, that horrible dial-up sound, tragically awesome Geocities websites, and endless strings of pop-up banner ads that you couldn’t close fast enough. Things have changed and as a result the rules need a spit shine.
But don’t be annoyed that things are changing. Because what’s about to go down is a VERY GOOD THING.
The GDPR strives to put the control back in the hands of European Citizens when it comes to their personal information. Essentially it means that at any point in time, an individual can retrieve details on what personal information is being held, who is using it, how they’re using it, and how it’s being stored; they can request copies of this data; and, even more, they can request to be completely deleted from the system (which goes beyond the simple “Unsubscribe” button). For some industries this has major implications (think higher education where you can essentially erase an individual’s academic record with this request or even banking, where you’d risk losing a digital record of financial and credit statements).
Fortunately for our industry, the implications aren’t exactly life and death. But they’re still extremely important to understand and comply with, nonetheless.
Why is it important to me as an Author or Blogger?
I know what you’re thinking. This is some high-flying law that only major corporations need to worry about. Well, you’re wrong.
Anyone who has data or personal information kept about their EU readers or uses their information in marketing efforts will need to get their poop in a group.
Take some time and think about it …
- Do you have a newsletter list with at least one person in the EU?
- What about Facebook ads, do you do any targeting where someone in the EU could come across and engage with your ad?
- Are you loading your mailing list into social media for re-targeting campaigns?
- ChatBots where you’re messaging someone in Europe?
- Paypal? Square? Any type of eCommerce platform where you’re accepting credit card information from one of your readers?
All of this (and dozens more scenarios) means you need to educate yourself and prepare for the coming changes in data protection.
If one of your readers comes to you and elects to exercise their rights, you need to know how to fulfill the request. Which for many of us will mean relying on our third party partners. But there will be some instances where you are the gatekeeper of said data and need to handle the request.
What can I do to comply?
Fortunately for you, if you use a third party data processor (i.e. a company that hosts the information you’ve collected like your newsletter platform or online payment system or general CRM program), most of them have been busy making enhancements to their platforms to be compliant, which in turn makes you compliant … kind of. But it’s still up to you to understand what data they store on your readers, how they store this info, and how they’re using this data.
Furthermore, there’s a really good chance you’ve got other lists of reader data floating around your inbox or Google drive in spreadsheets or unprotected documents. If you’re nodding your head remembering all of those names, emails, and phone numbers you collected from signings on little slips of paper, this is something you need to address and get loaded into your database with a documented trail of how and when the individuals opted-in for your communications.
I suggest you begin by taking the time to look at your list of partners who make your author and blogging life easier. Off the top of my head, some of the popular ones are going to be Facebook, MailChimp, MailerLite, Author Reach, Bookfunnel, InstaFreebie, Square, and PayPal. Obviously there are lots more than are mentioned here, but it’s late at night right now and I’m not going into some deep rabbit hole of all vendors in Bookville.
I do want to call out that MailChimp has done a bang up job communicating their GDPR strategy to help its users navigate this new territory. So even if you’re not actively using the MailChimp platform, I would suggest reading what they’ve put out on the web. On May 14th, MailChimp released information on new GDPR tools and changes to their contact management system for compliance.
Additionally, on March 14th, Mailer Lite came out with its official update, which can be read here. They followed it up with additional features supporting GDPR, which can be found here on their website.
In April, Instafreebie published their pending changes to the platform to become compliant with GDPR. Their most significant change is going to be supporting the mandatory opt-in on giveaways that they promote, effective May 25th.
On April 27th, Booksweeps released their position on GDPR and how it intends to comply.
Also on April 27th, Google communicated changes to their Data Processing Terms via email for users relying on Google Analytics for their websites.
Facebook has constantly been updating their GDPR positioning here.
So do your homework and learn what your trusted partners are doing on your behalf for GDPR, so if and when the need arises, you know how to respond to the data request in a timely fashion.
One key thing to remember is that individuals in the EU must explicitly opt-in to communications from you.
This is worth repeating.
ONCE GDPR IS IN FULL EFFECT, ANY EUROPEAN CITIZEN MUST EXPLICITLY ASK TO RECEIVE YOUR FABULOUS NEWSLETTER.
No, you cannot just add them to your email list based on some unsanctioned sweepstakes that you are running on your own via Excel spreadsheets.
Having them complete a Google Form and then copying and pasting their deets into your mailing list? Not so much.
With GDPR, you must be able to provide a proof trail of how and when they opted-in, should you ever be asked to provide substantiation. That means you’ll want to be leveraging landing pages and third party sign-up forms that funnel directly into their respective database.
For those of you who use MailChimp or Mailer Lite, I highly recommend you download and start using their subscribe apps (linked here) at your upcoming events. iCapture is another excellent program where they can digitally provide you with their data in a safe and transparent way. Readers can sign up on a mobile device or tablet and drop right into your constituent database — no wifi needed!
The biggest implication I can think of will be for those doing unsanctioned giveaways and newsletter email swaps. If you’re doing this, we need to have a serious come to Jesus because this is simply not okay from a best practices and privacy standpoint. I cringe anytime I hear of authors sharing emails of their readers because if my email were on that list, I would be livid to learn my personal information was being passed around like a cheap hooker.
And we wonder why identity theft is so prevalent these days?!
So basically, any kind of giveaway or promotion where someone collects personal information and then distributes it to a group of participating authors or bloggers via email, Excel, CSV, etc. should be avoided. First of all, it’s shady. Second of all, it’ll be illegal under the GDPR.
However, if the data is being legally collected via a third party vendor, and the participants clearly understand they are signing up to receive communications from all participating authors after the fact, and that vendor then safely disseminates said information to all of the participating authors directly into their database/CRM program of record, then you’re covered.
Penalties for non-compliance
This is bad, and should the hammer fall upon you, you need to know exactly what to expect … fines for noncompliance are to the tune of 20 million Euros.
They’re going to go out guns blazing to enforce this, and it doesn’t matter if you’re a Fortune 500 company or an indie author. You don’t want to be the one who gets stuck in the crossfire simply because you didn’t educate and prepare yourself.
Take a Listen to these Helpful Podcasts to Learn More
Check out this fabulous podcast from Mark Dawson covering GDPR and Privacy Policies. Also, Stephen Campbell of The Author Biz interviewed me for his podcast to shed additional light on GDPR, the individual rights and privacy policies.
All of this information is super top line and obviously doesn’t dive into the complexities of the new law. And this information shared is for general purposes only and is not intended as legal advice. I am simply sharing what I know for the betterment of the indie world and to help create awareness before things kick into gear this May.
If you have questions about the General Data Protection Regulation, you should consult your local RWA chapter, writer’s guild, or legal counsel for additional information.
Last Updated May 16th to include The Author Biz GDPR Podcast, Mark Dawson’s Podcast on GDPR and Privacy Policies, new MailerLite features, and MailChimp tools.
Last Updated May 1, 2018 to include Google Analytics, Facebook and BookSweeps GDPR statements.
Last Updated April 6, 2018 to include Instafreebie support information.
Last Updated March 14, 2018 to provide Mailer Lite support information.