Latest post on the Advanced Fiction Writing blog by Randy Ingermanson

GDPR for Authors, Part 1

By Randy as Admin on May 13, 2018 11:48 pm

For the last few weeks, I’ve been trying to wrap my head around the new GDPR (General Data Protection Regulation) which goes into effect on May 25, 2018. I’m starting to get clear on how it affects me and other authors. This is my first blog post about GDPR, but I expect it won’t be my last.

First, the standard disclaimer: I am not a lawyer and this blog post is not legal advice. This blog post is an attempt to explain in simple language what I’ve been learning. This post may not be completely accurate, but it’s my best shot.

What is GDPR and Why Should You Care?

The GDPR is a regulation created by the European Union to protect the personal data of European citizens. It applies to anyone who is offering goods and services (free or paid) to people in the European Union. That means if you have a website or blog that could ever be visited by someone from the EU, the GDPR applies to you.

You may be thinking that you don’t collect any personal data, so how could the GDPR apply to you? If you really don’t collect any private data at all, then you still need a privacy statement that says so. And that privacy statement needs to be clearly posted on your website or blog. 

But don’t be so sure you’re not collecting any private data at all. Websites are complicated beasts with a lot of moving parts under the hood. Here are some ways you may be collecting private data on your website or blog that you may not have thought of:

  • Do you have a contact form that lets people email you?
  • Do you have an email newsletter list?
  • Do you allow people to post comments on your blog or your website? 
  • Are you an affiliate of Amazon or Apple iBooks or any other online store?
  • Do you have Facebook Like buttons? Or Twitter Tweet buttons? Or any other social media buttons?
  • Do you track visitors to your site with Google Analytics or some other tracking tool?
  • Do you have any sort of cookies on your site?
  • Do you have a Facebook “pixel” on your site?
  • Do you use Feedburner for your blog?
  • Do you use a spam protection service, such as Akismet?

And there are hundreds of other ways your blog or website might conceivably be collecting personal information.

Now, it’s not wrong to collect and use personal information. That’s what allows you to serve people. But when you collect people’s personal information, such as names or email addresses, the GDPR says that you need to provide people with basic information: Who you are, what data you’re collecting and why, how long you hold on to that data, who you share that data with, how people can find out what data you’ve collected about them, how people can tell you to delete their data, and who they can contact in case they have questions.

You may be thinking this is getting complicated. Yes, it is a bit, but remember, this is for a good cause. This will benefit you. You will now be able to find out who has your personal data and what data they have. You will now be able to make them delete your personal data if you ask. Here’s why you will get this benefit: The GDPR gives European citizens the right to control their personal data. Therefore, virtually all websites and blogs will provide that right to Europeans—and at the same time, they’ll provide the same right to everyone else in the world, including you. (There may be a few sites that will find the GDPR too onerous and will refuse to serve European citizens. But the vast majority of sites are going to follow the GDPR.)

If you have a blog or a website, there are several things you need to do to get ready for GDPR. And the deadline is May 25, so now is a good time to begin.

So what do you need to do in order to make sure your website or blog is GDPR-compliant? What actions do you need to take?

That depends on what your site does. Most authors have simple “brochure websites” that will probably not take too much tweaking to get compliant.

In this blog post, I’ll talk only about the first step in the process. I don’t think you can do anything else until you take this first step.

First Things First—A Privacy Policy

From what I can see, the very first step is to get a good solid Privacy Policy. 

In the old days, people put a one-line statement on their e-mail signup form that said something along the lines of “I respect your privacy and would never spam you.” 

That’s not good enough anymore. You need a Privacy Policy that meets the requirements of the GDPR, using the correct language. I strongly, strongly, strongly recommend getting one written by lawyers who actually know all the regulations and can keep things up to date as the laws change. Because it’s a good bet that the laws are going to continue to change over the next few years.

Here’s a link to my Privacy Policy:

As you can see, it’s got some legalese built into it. I didn’t write that policy. I got it from a company named Iubenda that specializes in writing Privacy Policies for websites. They have a free Basic version. The Pro version costs $27 per year. I don’t remember the different between the Basic and Pro versions, but I paid for the Pro version. Iubenda generates the policy for you and keep it constantly up to date. If you need to make changes at any time, you can just click a few buttons and update your policy at no extra charge. 

Here’s my affiliate link to their site:

Full disclosure: The link just above is an affiliate link. That means if you click on it and buy a Privacy Policy from Iubenda, I’ll get paid an affiliate fee for referring you. And you will get a 10% discount for the first year of service. 

If you don’t want the discount for yourself nor the affiliate fee to go to me, I’m OK with that. You can just use this non-affiliate link: You’ll pay full price and I’ll get nothing. I would recommend Iubenda even if they had no affiliate program, because I think they do a good job at a fair price. I’ve been using their service for quite some time and I am happy with it.

Here’s what I like about Iubenda. When you create a Privacy Policy for your site, they show you a large list of many possible things that a website typically does. (Running an email newsletter, having a contact page, taking blog comments, allowing social media buttons, and many many more.) You select the ones your site actually does. Then Iubenda creates a custom Privacy Policy that tells what your site does. It’s written in GDPR-compliant language. Yay!

At the end of the process, Iubenda gives you a link to your policy. They host the policy on their site, so if they ever change the language to meet new regulations, it’s always up to date. You can put that link on your own site, and you’re good.

Posting Your Privacy Policy

You need to put a link to your Privacy Policy on every page of your website. The standard place where Privacy Policy links go on a website is at the very bottom, in the footer of the page. You can see an example on this page you’re reading right now, if you scroll down to the very bottom. You’ll see a button labeled Privacy Policy that brings up a screen on this page.

How do you put your Privacy Policy button on your own site? Iubenda gives you a piece of code to do that, along with instructions. Depending on how techie you are, you may find their explanation easy or hard to understand, but any webmaster will be able to follow their directions.

If you’re using WordPress, there is a plugin named Head, Footer, and Post Injections that lets you put a link in the header or footer of every page of your site. If you don’t know how to do this yourself, then you probably have a webmaster who does. Do it promptly and then check to make sure it’s right.

If you’re not using WordPress, then whatever technology you’re using should have some way for you to put a link to your Privacy Policy on the footer of every page.

You Need a Cookie Policy Too

Along with the Privacy Policy, Iubenda will generate for you a Cookie Policy, which you also need. You should post this in a link in your footer in the same way you did the Privacy Policy. The Cookie Policy doesn’t cost anything extra and it gets created at the same time as the Privacy Policy, so the only extra work is to add the Cookie Policy link.

You can see my Cookie Policy button at the very bottom of any page of my site here. 

And Finally You Need a Cookie Solution

Finally, you probably need to inform visitors to your site that you’re using cookies and get their consent before they do anything else on your site. Iubenda will provide you with code to do that, which you can put in the header of every page of your site. Iubenda calls their code the “Cookie Solution.” It’s a piece of Javascript that does all the magic.

When somebody visits your site, the Cookie Solution will create a banner across the top of the page saying that your site uses cookies. The banner will ask for the visitor’s consent, and give the visitor information on how to refuse consent. 

There’s more to GDPR

So far as I can tell, there are at least two more steps that most authors will need to take to get GDPR-compliant. (The two steps are to tweak your Contact page and your email newsletter signup form.) Both steps require that you have a Privacy Policy already written and that you have a link to that Privacy Policy. So get that Privacy Policy done first. Do it today. Do it now.

I haven’t yet done these next two steps, but I think I know what to do. I’ll be working on those shortly, and as soon as I’ve got them done, I’ll try to blog about it here (if I have the energy). That way, you can benefit from what I learn. And I hope that if I make any mistakes along the way, one of my Loyal Blog Readers will tell me where I’m wrong, and again we’ll all benefit.

If you’re thinking this is all a massive pain in the butt, well, I can’t disagree. I wish it were all super easy. But the reality is that this is going to take most people a few hours to get it done. And the clock is ticking.

The post GDPR for Authors, Part 1 appeared first on Advanced Fiction Writing.

Leave a Comment »
share on Twitter Like GDPR for Authors, Part 1 on Facebook

Copyright © 2018 Ingermanson Communications, Inc., All rights reserved.