The General Data Protection Regulation or GDPR is now being enforced on all of us who sell books to European readers. So what does that mean for indie authors?

A change is coming. It’s a change that impacts all indie authors who have readers that reside in the European Union. It’s called the General Data Protection Regulation, or GDPR, and on face value it may seem complicated and even a little frightening. Now it’s true that the GDPR is going to ask you to make some changes to your website, and possibly your books, too. But it’s nothing to get overwhelmed about.

Protecting your reader’s data is no doubt something you already care passionately about. You’re an indie author after all: you’re here for the love of it. You’re here for your readers. So in this article we’re going to take you through what the GDPR is, why it is being implemented, and how you can tweak your website and books to comply.

Note: Below is our interpretation of the new GDPR laws, but we’re not lawyers. If you want to be 100% sure of your opt-in mechanic for newsletters and the way that you handle the data of your readers, then seek professional advice.

What is the GDPR?

The General Data Protection Regulation, or GDPR, has been in development for four years. It was triggered by two key issues:

1. A belief that the existing data protection guidelines weren’t doing enough to demand that a reader was clearly consenting to having their data used in a certain way.
2. That organisations weren’t capturing data in a way that complied with the Privacy by Design act. This act effectively stipulates that you should build your data capture methods – such as a form on a website – to be secure from the outset.

As such, the GDP looks to unify, modernise and officialise the way companies, organisations and, yes, indie authors, explain what they’re going to do with data they collect from consumers. That data could be an email address, a postal address, or possibly even social media accounts and phone numbers. The information you may receive if someone signs up to your indie author newsletter. Or if they order a copy of your work.

“[The GDPR] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” – the GDPR website.

The GDPR comes into effect on May 25, 2018, and you’re expected to be compliant from that date. It will be instantly applicable across the entire EU because regulations – as opposed to directives – don’t need to be legalised by each country’s government. Instead a regulation simply becomes the new standard accepted by all the region’s members.

Now if you reside in another region, like the USA, Canada or Australia, you may be wondering what this has to do with you. Well as far as the GDPR is concerned, if you choose to sell your product or operate in the EU, then you are subject to its requirements.

As an indie author, you’re unlikely to want to limit your potential audience. Certainly all our books and the ones we publish for other indie authors appear in stores like iTunes and Amazon that have a global presence. As a result we have people on our Facebook, Twitter and Instagram feeds whose location is hard to determine. Certainly, we have people on the newsletters that are from the EU. So regardless of whether you are actively trying to sell your books into the EU or not, it doesn’t mean they won’t join your network.

GDPR Summary for Indie Authors

There’s reams of text regarding the GDPR for those who want to dive in, which is kind of ironic. For a regulation that exists to enforce clarity, there sure is a lot of fine print. So here’s a quick summary for you.

• The previous regulation, called the Data Protection Directive, was introduced way back in 1995.
• GDPR was first talked about in 2012, and actually introduced in May 2016. However, there was a two-year grace period, which is now up.
• The new regulation’s reach has been extended. “The GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
• It’s currently unclear as to whether the UK will fully adopt the GDPR or not.
• The main focus point of the GDPR is consent. “Companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​”
• Anyone under the age of 16 cannot give consent without parental permission.
• Privacy by design, a concept that had been implied but not enforced, becomes official with the GDPR. “At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.”
• The GDPR explains personal data as “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
• The maximum fine for those who breach the GDPR is “up to 4% of annual global turnover or €20 Million (whichever is greater).”

Note: Following Brexit, the UK is no longer a member.

How to check if your indie author website is GDPR compliant?

As an indie author trying to market their book and grow their audience, you’re no doubt collecting user data. The most likely way you are doing this is by asking people to sign up to your newsletter. This may be as a call-to-action at the end of your book. Or it could be as a piece of content on your website. So a reader is going to fill out a form or email across their details to you.

What the GDPR is most concerned about governing is the following:

1. Is the reader aware that they are signing up for your newsletter?
2. If you are intending to use their data for anything else – for example, to share with another indie author reader, or to add them to a social media feed - is that made clear?
3. Can readers opt out and be supplied the details of your data about them on request?
4. Is that acquired data safe and protected from third-parties? This could include hackers, or others with access to your computer.

Now lets’ start with a reality check. The GDPR is in place and enforced upon all people and organisations acquiring the data of EU citizens. So we’re talking about Amazon, Google, Facebook and operations of this magnitude, as well as small little indie authors. Implementing the guidelines set out the GDPR when you’ve got millions of customers and fans is far more challenging than it will be for us who may – if we’re lucky – have a few thousand.

It also means that you’re not likely a target for audit. But if you don’t comply, your chance of triggering an issue with a reader is increased. This could place you on the GDPR's radar. It's important to keep this in mind when thinking about whether or not to change your website or books. Although it's important to note that if you use a third-party to handle your newsletter - like MailChimp - then they are highly likely to be GDPR compliant anyway.

So let’s break it down...

Defining Consent

The first two points on that list relate to consent. And consent is defined by wording. Anything on your website or in your book that’s there so you can capture an email address for your newsletter must state as much. You must make it crystal clear what you intend to do with that email address. For example, “Enter your email address and we’ll send you a monthly newsletter about our books.”

What’s not okay, and a typical marketing strategy for indie authors, is to offer a freebie for an email address. For example; “Enter your email address and we’ll send you a free copy of our book.” This is okay, as long as you then never send another email to that address. If you intend to add that reader to your database that needs to be clear.

So you may want to put an opt-in at the bottom. Here people tick a box if they want to be added to your newsletter. Just note that as part of the GDPR, you cannot have that box pre-ticked – it has to be ticked by the reader. You also cannot hide your intentions in terms and conditions or in alternate areas of your site.

No doubt you’re starting to get the picture of what the GDPR expects of your data capture. If you have anything in your book, on your website or through your social channels that encourages a reader to send you details about themselves, then the intentions on how you want to use that data must be clear. Plus, there needs to be an action tied to the submission to confirm consent.

How to avoid triggering GDPR issues?

As for the third point, that’s quite straightforward. If someone asks for you to remove their data from your list, do it and do it quickly. Swiftly and politely. In fact, the most likely way that you are going to come onto the radar of GDPR isn’t because its enforcers gave your site and books an audit. It’s because a resident of the EU complained. Perhaps because they were added to your list and can’t opt out. So be diligent on that.

And remember that if a reader asks you what information you have about them, you are expected to supply the details in full. For example, you may have their postal address if you sent them a hard copy of your book. You might have their Twitter handle or Instagram account. If someone wants to opt out and you have more than just their email address, you should ask for clarification on what they want removed. Don’t assume it is just the email address.

Finally there is security of the data. Where are you saving your list of reader data? If it is on your PC or laptop, then it is expected that you'll password lock and secure that device. If they are written down on paper, how is that paper secured? Is it locked away in a draw or in a safe?

We find the safest, easiest and most user-friendly place to secure our user data is through Google Sheets. All you need is a Google gmail account and then you can access it. If you set up two-factor authentication (2FA) on this account, then you have a pretty secure storage location you can access from any device with ease.

Whatever your methodology, it’s wise to note this on your site somewhere; perhaps in the terms of service, privacy or about us pages. You could also link to it from the area of your site or book where you capture the data.

GDPR isn’t to be Feared

The concepts put forward by the GDPR aren’t anything to be concerned about, because they make sense. You’d want your data protected, wouldn’t you? You’d want to know exactly what you were signing up for when you pass over that data. And you want to be able to change your mind and have that data erased. This is all GDPR does; it extends those expectations to your readers.

It’s also highly likely that other regions, such as the USA and Australia, will follow the EU's  lead. As a result, it’s best to follow these “best practices.” Even if you believe you have no European-based readers who might sign up for your newsletter.

Where to Next?

Obviously we’d love you to sign up to our newsletter. Just send us an email with your consent and we will send you the occasional email about news and guides. You can opt out at any time. We do have a large number of free guides already live you can check out. Plus we have a library of books we’ve published. And if you need help getting your own book published, check out our services in the menu. We specialise in helping indie authors take their book from a great idea to a world class publication.