Have you heard of GDPR (that’s General Data Protection Regulation to its friends)? Don’t worry if you haven’t; it’s an EU regulation about how companies handle personal information. But as an indie author, you might have to take some steps to comply with it too. There are plenty of confusing guides out there about GDPR, so I thought it might be handy to compile the stuff that’s relevant to indie authors in one place. So, if you’re an indie author, here’s what you need to know about GDPR.
Disclaimer: I’m not a lawyer, so please don’t take this as legal advice. I’ve just done a bunch of reading so you don’t have to. Now, with that out of the way, let’s begin.
What is GDPR?
It’s the EU’s new data privacy law designed to make sure companies handle your personal data carefully, store it securely, and don’t abuse it (i.e. they don’t use it to send you mountains of spam or sell it on to other people). GDPR is a good thing. It just means we might have to make a few changes to how we do things.
When does GDPR come into force?
25th May 2018.
Why do I have to comply with GDPR?
Anyone who processes personal data needs to comply with this regulation.
Wait, doesn’t GDPR just apply to people in the EU?
It applies to anyone who holds data about people in the EU. If that’s not you, you can ignore GDPR, but if you’ve got readers in the EU, you’ll have to comply with the regulation.
How do I comply with GDPR?
It looks like there are a variety of ways to comply with the regulation, but it seems to me like the best bet is to get consent.
In the context of GDPR, consent means you presented the user with a clear option to agree to the use of their data.
It isn’t enough to assume consent in small print (you know the kind: “by clicking submit you agree to receiving my email newsletter, daily pictures of my dog, and also I’ll own your soul a little bit”). You need to be able to demonstrate that the user took a specific action to agree to the use of their data. You also have to record and be able to demonstrate how this consent was provided.
So what do I need to do differently?
First of all, I’m not a lawyer, so none of this is legal advice. I’m only writing about this because I have to deal with this in my day job, and I found out some stuff I think might help out indie authors, such as:
1. Forms on your website
Do you have any forms on your website? Whether it’s contact forms, comment forms, or something else, you’ll likely be collecting people’s names, email addresses, maybe even IP addresses. That’s right, WordPress not only collects commenters’ IP addresses, it stores them too. If that seems unnecessary to you (as it did to me), you can stop your WordPress site from storing them using this guide (as I did).
It sounds like you’ll need to change your comment form to include a checkbox and make sure the consent provided is recorded somewhere. This plugin appears to help with this; I’ve installed it myself and it seems to be working so far. If you use a spam filter, your checkbox text will have to inform users that you’ll pass their data onto the makers of that filter.
2. Your email newsletter
Naturally, you collect personal data when someone signs up to your email newsletter; if you didn’t, you wouldn’t be able to send them emails!
Your best bet is to send a confirmation email after a user has clicked the subscribe button. Until they click the link in the confirmation email, they aren’t subscribed to your newsletter. This is often referred to as “double opt-in”, and it not only helps you establish consent, but it also verifies that the form was filled in by the same person whose data you now hold (unless whoever filled it in also has access to that person’s email account, of course).
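To make the double opt-in flow concrete, and to show what “record and be able to demonstrate how consent was provided” looks like in practice, here is an added example that is not part of the original post and is not how Mailchimp or any other list provider does it. It is a small, self-contained Python sketch of a newsletter list: a form submission only creates a pending request and a signed, expiring confirmation link; the subscriber is created (with a timestamped consent record) only when that link is clicked. The secret key, the `example.invalid` URL, the consent text and the 24-hour expiry are constructed values for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: replace the key with one from a real secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL_SECONDS = 24 * 3600  # confirmation links stop working after a day


@dataclass
class PendingSignup:
    """A form submission that has NOT yet been confirmed. Not a subscriber."""
    email: str
    requested_at: int
    source: str          # where the form lived, e.g. "website-footer"
    consent_text: str    # the exact wording the reader agreed to


@dataclass
class Subscriber:
    """A confirmed subscriber plus the evidence of their consent."""
    email: str
    consent_text: str
    requested_at: int
    confirmed_at: int
    source: str


class NewsletterList:
    def __init__(self, secret=SECRET_KEY, now=time.time):
        self._secret = secret
        self._now = now                 # injectable clock so expiry can be tested
        self.pending = {}               # nonce -> PendingSignup
        self.subscribers = {}           # email -> Subscriber

    def _sign(self, nonce, email, issued):
        # HMAC over every field the link carries, so none can be altered unnoticed.
        msg = f"{nonce}|{email}|{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email, consent_text, source):
        """Step 1: the subscribe button was clicked. Returns the link to email out."""
        nonce = secrets.token_urlsafe(16)
        issued = int(self._now())
        self.pending[nonce] = PendingSignup(email, issued, source, consent_text)
        query = urlencode({"n": nonce, "e": email, "t": issued,
                           "s": self._sign(nonce, email, issued)})
        return f"https://example.invalid/confirm?{query}"

    def confirm(self, nonce, email, issued, sig):
        """Step 2: the link was opened from the reader's mailbox."""
        if not hmac.compare_digest(self._sign(nonce, email, issued), sig):
            return False                       # tampered or forged link
        if int(self._now()) - issued > TOKEN_TTL_SECONDS:
            self.pending.pop(nonce, None)      # stale link: discard the request
            return False
        pending = self.pending.pop(nonce, None)  # each link works exactly once
        if pending is None or pending.email != email:
            return False
        self.subscribers[email] = Subscriber(
            email, pending.consent_text, pending.requested_at,
            int(self._now()), pending.source)
        return True

    def confirm_from_url(self, url):
        """Convenience wrapper: confirm straight from the clicked URL."""
        q = parse_qs(urlparse(url).query)
        try:
            return self.confirm(q["n"][0], q["e"][0], int(q["t"][0]), q["s"][0])
        except (KeyError, ValueError):
            return False

    def is_subscribed(self, email):
        return email in self.subscribers

    def consent_record(self, email):
        """What you would produce if asked to demonstrate this reader's consent."""
        s = self.subscribers.get(email)
        if s is None:
            return None
        return {"email": s.email, "consent_text": s.consent_text, "source": s.source,
                "requested_at": s.requested_at, "confirmed_at": s.confirmed_at}
```

The two details worth copying into any real implementation are that nothing is written to the subscriber list until the confirmation link is used, and that the consent record keeps the exact wording shown, where it was shown, and both timestamps, since that is what you would be asked to show.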
3. Growing your list
If you use third party services to build your email list, you need to make sure that they’re obtaining consent and passing the record of it to you. After all, the data is being added to your list, so it’s your responsibility.
Bookfunnel have got GDPR down. I reached out to them and they told me that they plan to add a checkbox to their signup form. They’ll also timestamp that consent and pass it along to Mailchimp, giving you a record of the consent provided. Top marks.
Instafreebie, on the other hand, aren’t as impressive. When I reached out to them, they didn’t seem to know what GDPR was. And their site uses the dreaded small print, assumed consent (“By clicking a button, you agree to emails etc.”).
Right now, Instafreebie is not GDPR-compliant, meaning you won’t be able to use it after 25th May. I’m waiting for further news and I’ll update this post with anything I hear. Fingers crossed!
4. Selling ebooks on your site
This is something I’m afraid I have no experience with. However, if you’re selling ebooks directly from your website, you’ll need to be collecting personal data in order to send them their purchases. That means you’ll need a clear method to obtain and record your customers’ permission to collect their data and process it. So if you’re planning on adding them to your newsletter after they make a purchase, make sure you can prove they agreed to that!
5. Your privacy policy
If you don’t have one, get one. It doesn’t have to be fancy. It’s just a document explaining what data you request, what you use it for, and how users can ask you to stop using it. You can take inspiration from mine, if you like, or Slack has a rather good one (although it’s probably more in-depth than you’d need!).
As I said, I’m not a lawyer. I’ve just had to read a lot about GDPR as part of my day job (I have an exciting day job). Feel free to ask any questions in the comments, or to tell me if you think I’ve got something wrong!