The recent Cambridge Analatica and Facebook controversy has highlighted the importance of knowing exactly to whom we’re giving our precious data, and then what they can do with it.
Next month, new European legislation, known as GDPR, comes into force, designed to give individuals more power over what companies can and can’t do with our data. However, these new regulations don’t apply just to large multi-national companies like facebook. They also apply to us – the self-employed or budding writer.
For the purposes of GDPR, personal data is any data that identifies people from that information.
What is GDPR?
The General Data Protection Regulation (GDPR) is a European law, which comes into force on 25th May 2018, and builds upon the UK’s existing Data Protection Act of 1998. It’s designed to add transparency and accountability to the data collection process, and give back control to people about how their data is used.
What this means is that our personal data needs be:
- processed lawfully, fairly and in a transparent manner.
- collected for a specific purpose.
- adequate, relevant and limited to what is necessary for the purposes it is to be used for.
- accurate and kept up to date.
- kept for no longer than is necessary for the purposes for which it is needed.
- kept securely.
What does this mean in practise for writers?
This means that businesses have to show that they are being compliant with the legislation, often through a statement of compliance detailing how they use, store and process data. Many writers are adding such a statement to their website.
I’m still in the process of writing my statement, but I’ve come across a couple of examples that you might find useful:
If nothing else, these are great examples of the sort of things we need to think about.
Collected For A Specific Reason
Once harvested, it cannot be used for any other reasons other than that for which consent has been given. So if you ask readers to give you their email address so you can send them an occasional newsletter about what you’re getting up to with your writing you can’t then use that email address to send them information about the widgets you also produce that makes Ford Escorts sound like Lamborghini’s.
Adequate, Relevant and Limited
You should only collect the data you really need. If readers want to sign up to your email newsletter, then a name and an email address are relevant pieces of data. You can argue that you at least an email address to offer them this service. You do not need their inside leg measurement!
However, you might decide that having their country of residence would be useful information, because that would enable you to target some of your newsletters better. After all, there’s no point inviting your Australia-based readers to your author talk at Skelmesdale library next Tuesday. But sending a newsletter to UK-based readers only may be more appropriate … if you have that data.
So think about what data you really need. (Because you’re going to need to justify why you need it on your compliance statement.)
Accurate and Up to Date
Yes, any information you hold needs to be accurate and up to date. This does mean there’s a need to check periodically that the information we hold is still correct.
Kept No Longer Than Necessary
If a reader unsubscribes from an email newsletter, there’s no reason to retain their data. It should be deleted.
Any data held on your computers needs to be password protected and, ideally, encrypted. All anti-virus software should be up-to-date. You are responsible for the security of the information you hold on your computer.
There’s also a requirement for data holders to know exactly where they keep people’s data, and with whom they share it. This is because, if someone gets in touch and asks you to delete their data, you need to know where you keep it so that you can go and delete the data in question.
Similarly, if someone gets in touch and says their name is incorrectly spelt, not only do you need to correct the data on your records, but it is also your responsibility to notify anyone else you’ve shared this incorrect date with.
After reviewing my own data practises so far, I’m not aware of sharing any data that I collect with anyone, but it’s something to keep in mind.
Email Mailing Lists
For many of us, the most common reason for having other people’s personal data is to send them a regular email newsletter, to share details of our current activities, such as book launches, talks, and workshops.
Most of us use an email marketing service like Mailchimp (www.mailchimp.com), YMLP (Your Mailing List Provider: https://www.ymlp.com) Aweber (https://www.aweber.com/) or ConvertKit (https://convertkit.com).
If you are using these services then a lot of this work will be done for you by the service, who have been working hard to ensure they meet the GDPR requirements.
One of the biggest requirements of GDPR is that people actively consent to give their data. Do you remember how companies used to pre-tick the box to data sharing, so that if you didn’t want to share your data you had to untick it (if you spotted it, or read the small print)? Those days are gone under GDPR. Now, you must actively agree to share your data.
All of the email marketing services have systems in place to check that email recipients have actively opted in to receive your newsletter. This includes sending an email immediately after someone has signed up to confirm they were the ones who entered their email address. This is known as double opt-in.
Another benefit of using these services is that none of the personal data is stored on your computer, but that of the email marketing services’ servers, who obviously take security seriously. This makes it theirresponsibility to ensure they’re not the subject of a data breach and that data is backed up.
Right of Access
All individuals have a right to access the personal data that you hold about them. Therefore, in order to do that, they need to have a contact address they can use.
All the email marketing services insist that a full postal address is included in every email newsletter you send out. Some writers feel uncomfortable having their home address on all newsletters, but it’s a requirement under US law (many of the service providers are US-based). It’s also a requirement under GDPR (and the 1998 Data Protection Act) that you identify yourself. If a subscriber has an issue with the mailing list service then this gives them the necessary information they need to get in touch with you directly.
However, this does not have to be your home address. It could be a PO Box address, or perhaps the address of your publisher or agent if you have one and they’re happy for you to use it. Whatever address you use, it has to be a valid method of getting in touch with you directly.
What About Your Writers’ Group?
When I began looking into this, I suddenly realised that the writers’ groups I go to collect data. One of the groups runs a short story competition, which receives entries from all over the world.
I’ve got names and address of entrants going back to before 2005 … not for any purposes other than as the Competition Secretary the data was needed to operate the competition, so we could inform writers if they’d won, or been placed and send them some prize money and a certificate.
But I’ve now deleted that data, because under GDPR I have no need for it, and we don’t have consent to continue holding it.
Although GDPR may seem a little unnerving, it’s actually a great opportunity to review the data you collect, and what you already hold. Can you get rid of any? It’s a great way to free up space on your hard drive!
For more information about GDPR, check out the EUGDPR website: https://www.eugdpr.org