If you do anything on the internet you’ve probably noticed that everyone seems to be updating their privacy policies at the moment. The reason for this is a handful of letters that have been causing major stress for businesses all across Europe: GDPR.
So what is it and, as an author, do you need to worry about GDPR? The answer to the second question is maybe.
GDPR, or General Data Protection Regulation, is a new set of legislation about how personal data can be stored and used for people in Europe. It doesn’t matter if you’re somewhere else in the world: if you store data about European citizens, GDPR applies to you. So if you have a mailing list containing names and email addresses and at least one of the people on your list is in Europe, you’re storing personally identifiable data for European citizens and therefore you need to comply with GDPR.
A lot of authors maintain mailing lists so you need to make sure that yours follows the new rules. Some of them you are probably following already, but some you might not be, so here are some of the key ones that are applicable in this situation.
Opt in
You can’t have an opt out approach to storing and using someone’s data. They have to specifically say that they are OK with you using their information. So if you have a form like the one below, where people have to enter their information and choose to sign up, that’s opt in. If you get their email address for another purpose and add them to your mailing list, that’s not.
For example, a little while ago I exchanged some emails with another author about doing an interview with him on this blog. A couple of weeks later, I started receiving his monthly newsletter. I never said or did anything to sign up to that newsletter but I was put on it anyway. I could easily unsubscribe from it, but unsubscribing is a whole different issue.
If you’re going to sign people up for a mailing list, you have to make sure that they have specifically and deliberately chosen to be signed up, whether by entering their email in a form or ticking a box to choose it if they’re giving you their email for some other purpose (and that box can’t be pre-ticked).
Informed consent
If you’re going to be storing and using someone’s personal data, it has to be done in an informed way. You have to tell people what you’re going to use the data for and then only use it for that purpose. So if someone signs up specifically to receive news about new book releases written by you, you can’t also send that person information about your friend’s book.
You may have noticed that my sign-up form has two distinct tick boxes. One is for my publication news, the other is about updates to the queer reading list. There have been plenty of people who have signed up to receive the (at most) weekly emails informing them about new book recommendations being added to the reading list, but they don’t sign up to receive my publication news. So if I get a short story accepted in a magazine, that means I can send that news only to people who have chosen to receive those updates, even though I have the list of email addresses for the other people.
Be specific. Say what you’re going to use their information for and then only use it for that thing.
Unsubscribe
I mentioned above that unsubscribing was another issue. You have to make it really easy for people to choose to stop receiving your updates and stop you storing their data.
If you use a solution like Mail Chimp, this is actually done for you, but if you manage your own list without these tools, you need to ensure that there is a clear and easy way for people to take themselves off your mailing list.
Only storing necessary data
You should only store information that you need for the purpose you collected it. So for a mailing list, you need to store people’s email addresses. Maybe you want to store their first names as well so you can address the emails to people personally, but you probably don’t need to know their physical address, date of birth, eye colour, or anything like that. Store the minimal data you need to do the job.
And you should only store the data for as long as you need it. So if someone unsubscribes from your mailing list, you should remove their information from your list. You shouldn’t keep a list of old email addresses from people who no longer want to receive your updates.
Data breaches
This is where it gets tricky, because unless you’re a technology expert, you’re probably not highly involved in the technical security behind where your list is stored, so it’s hard to know how safe it is. The rules under GDPR are that you have to keep the data safe from unauthorised access, and you have to inform people if there’s a breach and their data gets stolen. There are a lot more specifics on the GDPR website, but this is where using a solution like Mail Chimp is really helpful, because GDPR also applies to them. They have to hold their data securely – and their data includes your mailing list. They have to inform people about data breaches – which means they would have to tell you and the people on your mailing list, as well as the appropriate authorities.
So while you are ultimately responsible for the data and have to follow these rules, working with a major company to manage your mailing list lets you breathe a little easier because that responsibility is at least partially shared. You don’t have to worry about the technical security side all by yourself.
To summarise
It is possible that your list is already compliant. If you’ve always made sure that people opt in to the mailing list, you’re clear about what you’re using the data for, you only store the necessary data and there’s a clear unsubscribe button, you’re already meeting the most relevant criteria.
But it’s still a good idea to check your list. Clear out old data if you’re not sure how those people signed up and whether they were properly informed. Send an email asking people to confirm that they still want to receive your updates. Take this time to do a bit of spring cleaning of your mailing list.