Friday, 1 June 2018

GDPR for Authors and Publishers - the Greatly Disproportionate Paranoid Reaction

So, it's 1st June 2018 and the sky hasn't fallen down. On 25th May 2018 the EU's General Data Protection Regulation (GDPR) came into force. If you haven't heard about it then lucky you. But you're probably in the same boat as I am. A subscriber to just about everything, my mailbox has been chock full of messages from all kinds of organisations requiring me to take action because of GDPR. Some require me to update my details on their list and give consent to continue receiving communications from them. Others just advise me that they have updated their privacy policy and given me a link to it or even included the long, long privacy policy in their message. Squirrel that I am, I file away all these missives under "GDPR". But not just for posterity. The content of these messages, combined with a large number of articles and podcasts on the subject, has been my reference library for how the real world has handled GDPR and allowed me to form my own opinion and strategy on the subject.

A quick word on all those GDPR mails that I received from publishers, authors, vendors, associations etc. I didn't get enough of them. I should have received something like 400 mails. Because that's how many unique logins and passwords I have saved in my browser privacy & security section. So 350+ individuals / organisations have failed to comply with GDPR, because I'm a European Union citizen and they hold my data. But I won't hold it against them. Let them sweat. I'm cool about it.

Now, the disclaimer. I'm not a GDPR expert and I'm not a lawyer, so what you decide to do for yourself is entirely up to you, no liability accepted by Ruby. But I have nearly half an idea what I'm talking about. As Compliance Manager (up until recently) for a national data operation, I've had the great pleasure of meeting with data protection officials and trudging through a data protection policy for the organisation. It's dry stuff and we drank a lot of tea. I knew GDPR was coming and I suppose it was and wasn't a surprise how things turned out. Some people panicked. Some people saw a chance to make money. But there are a lot of very useful resources online which will help those who need help. A real lot of resources. Free resources, you don't need to spend hundreds of notes on a "GDPR pack". So, do you need help? Should you have done something? Have you got your head in the sand?

If you are an independent author or a small publisher (there are of course other interested parties but those two categories are the ones I'm talking about here), then you probably handle customer data. I'm talking specifically about mail lists. If any of those customers reside in the European Union then you are affected by GDPR. If you / your publishing outfit is located in the European Union then you are affected by GDPR. If you have a non-EU location and you have no EU customers then you can stop reading and go pick up a free copy of Zombies v. Ninjas: Origin. (Read that and you will understand how we in the EU are feeling about GDPR.)

At the risk of repetition, let's make this simple:
  • if you're an independent author or a small publisher with a mail list which includes EU citizens, then you need to observe the GDPR; 
  • if you're an independent author or a small publisher based in the EU, then you need to observe the GDPR.
Continuing with the simple theme, you need to be able to demonstrate where you obtained the contact data from and what consent that individual gave for use of their data. You need to look at your mail list(s) and decide if you can demonstrate the provenance of the contacts and their data in that list. Should the GDPR police descend upon your darkened room (unlikely event but who knows. The Handmaid's Tale and all that...), will you be able to explain through the splutter of tear gas to the intruders just why you think you have the right to retain and use the data of individual humans?
  • If your contact has bought your product and joined your list then happy days. They have demonstrated their interest in your product by flashing their wallet and signed up to receive your newsletter etc. You should inform them of your privacy policy (you do have a privacy policy, right?) and the option to unsubscribe in all future communications.
  • If your contact hasn't (or you can be sure if they have) bought your product, but has joined your list ("enter your email here to join our list and receive..." etc) then also happy days. They have given consent to be mailed your newsletter etc. Again, you should inform them of your privacy policy (you do have a privacy policy, right?) and the option to unsubscribe in all future communications.
  • If you don't really know where you sourced the contact information, if you can't demonstrate that your sign-up form made it clear that they were giving consent to future communication, then you need to ask them to reconfirm their consent to future communication.
  • If you know that the contact information was manually uploaded by yourself or your organisation, and there is no real record of their consent to future communication, then you need to ask them toreconfirm their consent to future communication.
In my own case, I run four mail lists and can clearly demonstrate consent for three of them. The fourth was obtained as part of a joint initiative with other authors wherein readers expressed their interest and agreed to be added to the mail list of the author whose book they liked. But I can't say that the small print was adequate for GDPR. The open and click rate for that list is very low. So I've had to reconfirm consent with the readers on that list and yes, I've lost a fair chunk of it. But a good number have confirmed.

Now finally, to mention again your privacy policy. You do have a privacy policy, don't you? And it's clearly displayed on your blog / website? If GDPR affects you then you need a privacy policy. It doesn't have to be twenty pages long but it does need to be relevant. You can't just copy paste someone else's privacy policy, but you can use them to inform your own. Take a look at author and publisher websites and track down their privacy policies. Study the privacy policies in GDPR emails sent to you by organisations similar to yours. Then formulate your own and get it out there as soon as.

The GDPR police are probably not going to storm your building. They have bigger fish to fry. But better safe than sorry.