Privacy is World-Wide: The Impact of GDPR

If I were to say “GDPR is here,” would you know what I was talking about? Be honest. There’s nothing to be ashamed of if you don’t.

Now for the next question: if you have heard of the GDPR, have you bothered to take the steps necessary to protect yourself? Or are you one of those who believes that because you don’t live in the EU that it doesn’t concern you? Again, be honest. It’s perfectly okay to think that.

However, believe it or not, if you are a public figure of any kind (e.g., writer, podcaster, musician, artist), then the GDPR could have huge consequences if you don’t take the steps now to protect yourself. Because of the way the internet works, there is a whole level of complexity added to the privacy of information issue that most people don’t realize or understand.

It’s time to get the picture straight.

What is the GDPR?

The General Data Protection Regulation, affectionately abbreviated to GDPR, is a new legislation within the European Union (EU) that gives EU residents direct power over their personal information.

If you feel the uncontrollable need to read up about the details of the GDPR, you can go here to get all the ins and outs. However, below is the gutted-down version.

From May 25, 2018, EU residents have control over who can access their data and who can use it. At any time, an EU user can request details about what information you hold on them, require you to provide proof that they gave you permission to contact them, and they can insist that you delete all information that you might have on them. To me, this all sounds like common sense—the right to privacy. However, the internet era has added a whole level of complexity to this privacy of information concept.

Why is the GDPR so important?

When I first mentioned the GDPR compliance issues to various writers within my writing groups, some responded with “I don’t have an email list, so I don’t need to worry about that.” Actually, because they had a website through which they were selling their books, they did need to worry about it. Even if they have redesigned their website since to remove the eCommerce elements that directly connect to their site (now linking to Amazon), they are still collecting data on others — and they don’t even know it.

The GDPR is not just about email lists. It’s about personal data, regardless of how it’s collected. This includes exchanging business cards and contact details at conferences, or selling a book through your website. For that matter, this also relates to simply having a website.

Most websites today use what are known as cookies. These are little data packets that help a website to track a user’s activities on a site. These cookies might seem harmless, allowing users to remain logged in to their favorite social media sites (Facebook, Twitter, etc.), but some cookies will also return MAC addresses to the website’s server. The MAC address is a specific code that relates to the motherboard on your device. This is how systems like Dropbox, Google Drive and OneDrive know exactly when, and if, another device is connected to your account, and how they are able to give you the ability to log out on all devices through the web.

Even if the cookies used on your site are not that sophisticated, if your website uses cookies, it’s subject to GDPR regulations.

Having a contact form on your website means that you instantly become subject to the GDPR, especially if a resident of the EU is involved. This is because most contact forms ask for an email address AND often return the user’s IP address too. Any skilled computer technician can take that IP address and work out where in the world a computer is and what internet service provider it was using at the time the contact form was used.

Are you starting to understand the implications that internet usage has on private information?

You may be thinking, “Hey, this is an EU law, but I’m in the US (or some other country outside the EU). Why does this matter to me?” Well, it matters to anyone who handles personal data for any citizen in the EU, and remember that personal data doesn’t just include email addresses and names—just by having a website, you could be collecting personal data. If there is the slightest possibility that an EU user is involved, you instantly become subject to the GDPR. And the consequences for failure to comply with the privacy requirements set out by the regulation are incredibly high.

If a complaint against your privacy practices is made by a resident of the EU and it is considered a low-level breach, you could be liable for up to €10 million, or 2% of worldwide annual revenue of the prior financial year, whichever is higher. For a high-level breach, you could be looking at €20 million.

I don’t know about anyone else, but I don’t have that kind of money just lying around. (Although I can think of quite a few things that I would be doing if I did.)

Because websites have global reach, the GDPR has global implications. Unless you are prepared to block website access for ALL those who live in the EU (which, in my opinion, would be career suicide), you’re subject to the GDPR.

What can we do to prepare?

Now that the doom and gloom is out of the way, and hopefully I’ve convinced you that the GDPR is something to concern yourself with, it’s actually not that complicated for writers and other public figures to be GDPR compliant. Yes, you have until May 25th, 2018; however, if I can bring over 10 different websites (and 3 email mailing lists) up to compliance standard within the span of 2 days, you have plenty of time to bring your own systems up to date. There’s what? Another 5 days left, at least?

(And yes, I really am the web master for over 10 different websites. Don’t ask, and someone smack me silly if I agree to take on another.)

GDPR and Your Website

There are only really three things that you need to do. Hopefully, you did at least one or two of them at the time you built your website.

1) Have a contact page with valid contact information on your website, NOT just links to your social media. Make sure it’s linked into your menus.

If you have been following Hidden Traps, or anything that I’ve ever said about websites for writers, then you would already have a contact page. If not, why not? If you don’t have a contact page, how can your fans send you fan mail? (You can’t honestly be trying to avoid the hate mail at this stage of your career.)

2) Make sure any signup forms you have for your newsletters or blog are clearly marked as to what people are signing up for.

No offense, but if you aren’t doing this already, then you’re crazy. You run the risk of being called a spammer, and so many countries already have anti-spam laws in place, including the USA.

3) Add a privacy policy to your website, and link it into the menus.

You can find the privacy policy for this site on the sub-menu found at the bottom of this page or any page on my website. (Or just click here.)

That’s it. Website is ready to face GDPR. (See, it wasn’t that bad.)

Now, if you have eCommerce on your site, you should be using HTTPS protocols and a secure system for payments (such as PayPal integrations). But that was something that you should have set up at the time you integrated eCommerce into your site. If you didn’t, I’m just going to go sit right here, while you rush off to fix the disaster of eCommerce that you put onto your site. (Go on. I’ll just wait. You can come back to this post at any time.)

Website crisis averted…

GDPR and Your Email List

Okay, your email list is a little more complicated, but still shouldn’t be a massive headache, because you were smart and set up that email list correctly in the first place, right?

Whatever system you are using should provide information as to when and how people signed up to your list. If you want, just to be sure, send out a reconfirm email. (I intend to do this annually, but I’ll come to that shortly.)

EVERY email that you send to your list should include a method for unsubscribing. If you don’t have this, you are actually in breach of anti-spamming laws. GDPR will be the least of your worries.

I would also add a method for users to update their personal details. People do change emails. You don’t want to lose a subscriber because an email is killed and starts bouncing. I’m not saying that it won’t happen (it’s happened to me), but at least give people the ability to do something about it.

As a way of giving yourself some added protection under the GDPR and anti-spamming laws, employ double opt-in where possible. I know it’s not always possible, but… For those who don’t know, a double opt-in system will send a subscriber a confirm-your-subscription email and won’t add the subscriber to the email list until the confirmation has been given.
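The double opt-in flow just described, together with the "when and how did they sign up" record and the unsubscribe link mentioned above, as an added example (not code from this post or from any particular email list provider). It assumes a signed, expiring confirmation token and an in-memory subscriber store; names and values are constructed for illustration.

```python
import base64, hashlib, hmac, secrets, time

# Added example: a minimal double opt-in flow. The confirmation link carries a
# signed, expiring token, so nothing is stored until the subscriber clicks it,
# and the stored record keeps the when/how of consent that an access request
# would ask for. SIGNING_KEY and TOKEN_TTL are assumed values.
SIGNING_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption)
TOKEN_TTL = 48 * 3600                   # confirmation links expire after 48 h

subscribers = {}   # email -> consent record; this is the "list" itself

def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

def request_signup(email: str, source: str, now=None) -> str:
    """Step 1: build the token that goes into the confirm-your-subscription mail."""
    issued = int(now if now is not None else time.time())
    payload = base64.urlsafe_b64encode(f"{email}|{source}|{issued}".encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"

def confirm(token: str, now=None) -> bool:
    """Step 2: only a genuine, unexpired token adds the address to the list."""
    now = now if now is not None else time.time()
    try:
        payload, sig = token.rsplit(".", 1)
    except ValueError:
        return False            # not even the right shape
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False            # forged or tampered link
    email, source, issued = base64.urlsafe_b64decode(payload).decode().split("|")
    if now - int(issued) > TOKEN_TTL:
        return False            # stale link; the subscriber must sign up again
    subscribers[email] = {"source": source, "requested": int(issued), "confirmed": int(now)}
    return True

def unsubscribe(email: str) -> bool:
    """Target of the unsubscribe link every mail carries: erase the record."""
    return subscribers.pop(email, None) is not None

def consent_proof(email: str):
    """Answer 'prove I gave you permission': the stored when/how, or None."""
    return subscribers.get(email)
```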

Again, these are all things that you should have thought about at the time that you started collecting that email list. (You did think about it, right?)

If you are using a reputable third-party email list service provider, then all of this would be built into the system.

Other Tactics to Protect Yourself

How many people sign up to a service and just hit the I Agree button without reading the Terms of Use or the Privacy Policy? (ME! ME! I’ll raise my hand, because I’m probably one of the guiltiest people out there for this one.) Well, now is the time to go and take a look at the privacy policies of any third-party service provider that you might use. If they’re GDPR compliant, then the odds are you will be too.

Now is also the time to take a look at who has access to your systems. If you have more than one administrator (I do), ensure that they are up to date with the systems that you are using.

The Merits of Annual Reconfirmations for Your Email List

In preparing my own sites and email lists to be GDPR compliant, I’ve noticed something. The number of those who actually opened emails on a regular basis was low. When I sent the GDPR reconfirm, 17% opened the email and reconfirmed within the first 24 hours. Another 20% actually opened the email, but did nothing. One unsubscribed. That’s where the numbers have stayed. My list is now 17% of the size that it was, and I am still trying to fathom why another 20% have opened the email, but haven’t done anything. Interesting statistics, but I digress.

When I cleaned my lists after the GDPR reconfirmation period was over, I was down to those who actually wanted to receive my emails. Those who registered just to get that free thing, but never bother with anything else I have on offer, were gone.

I’ve come to the conclusion that if I do this on a semi-annual basis, I will keep my list down to just those who are truly fans. It might mean that my lists remain small for a while, but if I can raise the share who open the emails and act on them from 17% to over 70%, then as that list grows, I will have a good conversion rate that could result in some significant returns. At least, that’s the theory.

Regardless, by doing the semi-annual reconfirmations, you’ll know that your list is filled with people who want to be there.

If you need any help to work your way through this GDPR stuff, I do offer a mentoring service on the technical things. (I’m not a lawyer, so don’t take anything I say as legal advice, but I know my way around the internet.)


© Copyright, Judy L Mohr 2018