Indie Authors: Are You Ready for GDPR?
If you, like me, live in the EU, you've probably heard about the new EU General Data Protection Regulation (GDPR) by now. Even if you don't, you've probably noticed the onslaught of emails from various companies and websites where you're either a customer or subscriber to a newsletter. Why are companies and website owners sending out these emails? And do you need to send out some emails yourself if you have a newsletter to promote your blog and/or books? Keep reading to find out.
Disclaimer: I am not a lawyer, and the information provided in this post should not in any way be construed as legal advice. The purpose of this post and future posts like it is to spotlight potential legal issue you may encounter in the course of indiepublishing.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new regulation that replaces the previous Data Protection Directive. The purpose is to regulate the entire European Union and ensure equal privacy protection for all EU citizens. These regulations don't just apply to companies within the EU. As of May 25 this year, they apply to all companies processing personal data of data subjects (aka real-life people) living in the EU, regardless of the company’s location.
I don't live in the EU, why should I care?
If you don't have a website, and you don't have a mailing list for marketing purposes, it's possible you won't have to worry a bit about GDPR. Most likely, the only way it will impact you is that you will get a lot of emails asking for your permission to send you emails in the future, and that websites you visit will ask you to confirm you really, truly want to subscribe to their newsletter.
Now, if you do have a website, there are a few steps you need to take to ensure you're in compliance with the new legislation - even if you don't live in the EU! Why is this so important?
The penalties are insane
If you are found to be in breach of GDPR, you can be fined up to 4% of your company's annual global turnover or €20 Million (whichever is greater). Safe to say, this would bankrupt any small business.
Of course, this is the maximum fine and it applies to the most serious infringements. What is considered a serious infringement? The European Union's website dedicated to explaining GDPR gives the example "not having sufficient customer consent to process data or violating the core of Privacy by Design concepts". Meaning, you definitely need to get consent from your subscribers to send them emails.
What is consent?
What rights do GDPR grant to users?
As I mentioned earlier, the new regulation is meant to protect EU citizens and their rights to privacy. So what type of rights does this new regulation provide and what do they mean for companies and website owners?
This means that if your system gets hacked or infected by a virus, you need to let the people whose information you have collected know about it within 72 hours.
Right to Access
Anyone who submits information (such as an email adress in a subscribe-field), has the right to ask the company/website owner how their information is used, and receive a copy of that information.
Right to be Forgotten
The person submitting information about him- or herself (the "Data Subject") has the right to tell the company/website owner collecting information ("the Data Controller") to delete any information processed about him or her.
Data portability is the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller.
How do I comply with GDPR?
Ask yourself these questions:
Do I make clear to potential subscribers that I will use their email address to send them newsletter/updates/marketing emails?
Do I make clear to people using my contact form that I will contact them via the email address they've provided?
Do I make it easy for subscribers to unsubcribe?
Over the past couple of weeks, I've learned a lot about the type of information that needs to be available on a website, and realized that I know very little at all about websites... eek! When your website is hosted somewhere, they are putting cookies on your site and gathering information about the website's visitors. It's your job as website owner to make sure your visitors know information is being collected about them, even if you're not the one actively keeping the record.
Post Author: The Swede
Source for the information provided in this post: https://www.eugdpr.org/