This article’s intention is to give you a basic overview of the GDPR and it doesn’t constitute legal advice. For more in-depth information, the best source is the UK Information Commissioner’s website https://ico.org.uk
Who does it apply to?
GDPR applies to anyone that collects personal data for any reason other than their own personal, family or household use (i.e. organising a birthday party), so it affects businesses, no matter how small, including self-publishing authors and creative freelancers. Although it may feel daunting if you have no legal and/or relevant IT training and your resources are limited, it is also an opportunity to show your professionalism and how much you care for your readers.
Looking at the basics, apart from the definition of what constitutes personal data for the purposes of the Regulation, there are two aspects of the Regulation that give us a clue about what we need to focus on:
- the principles relating to the processing of personal data, including the legal basis for processing it.
- the rights of the data subject (the individual person whose data we are processing) and the obligations of the data controller (the natural or legal person who, alone or with others, determines the purposes and means of the processing of data) and the data processor (the natural or legal person that processes the data on behalf of the controller).
Processing personal data
Processing data includes collecting, recording, storing, using, analysing, combining, disclosing and deleting.
Six principles of data collection
- Lawfulness, fairness and transparency
- Purpose limitation: Collected for specified, explicit and legitimate purposes and not processed for different purposes than the originally intended (there is an exception for public interest, scientific or historical research and statistics).
- Data minimisation: relevant to and limited to the specified purposes.
- Accuracy: accurate and kept up to date.
- Storage limitation: kept only for as long as it serves its original purpose.
- Security: Integrity and confidentiality.
Six legal bases for processing personal data
- Performance of a contract
- Legal obligation
- Performance of a task in the public interest
- Consent of the individual
- Legitimate interest
- Protection of the vital interests of an individual
Rights & responsibilities
A key note on consent
Consent needs to be active and positive; it cannot be implied. The individual must tick the box themselves and must be free to withdraw consent at any time. GDPR has amended the Privacy and Electronic Communications Regulations (PECR) so that they also require consent to be actively given and freely withdrawable; this is relevant for email marketing and cookies. Basically, it means that you need to comply with both sets of regulations, and that pre-ticked consent boxes are not considered lawful consent.
Seven rights of the individuals
- Right of access to the data you keep and to information about your processing of their personal data, i.e. what data you have and what you are doing with it.
- Right to portability, i.e. the right to be given a copy of the data you hold for the individual’s own use.
- Right to object to processing.
- Right to restrict processing.
- Right to erasure of the data (usually known as the right to be forgotten).
- Right to rectification: the right to have erroneous data corrected.
- Right to human-made decisions: the right to object to automated profiling and to require human intervention in decision-making processes.
A further, eighth right, the right to be informed, has been added in practice by regulators, including the ICO in the UK, to give full effect to the requirement for transparency. This is very important for the reputation of the data controller and processors.
Consent regarding children
GDPR establishes a minimum age of 16 years to be able to give consent without parental authorisation, but allows member states to reduce this age to no lower than 13 years. In the UK the limit is 13 years, but if you are offering your books in EU countries and may process personal data of minors, you need to make sure that you check each country’s age of consent without parental intervention. The GDPR also states that you need to make reasonable efforts to make sure that consent is given and/or authorised by a parent or guardian where required.
And what about data security?
GDPR requires that data controllers and processors take an active approach to securing data and have a plan in place to mitigate damage in case of a breach; examples of these measures are listed in GDPR Art. 32. In case of a serious breach, GDPR requires that the relevant regulator is notified within 72 hours.
Taking into account all the above, to comply with the GDPR you need to understand and know what data you collect and store, how you collect it, what for, for how long and who can access it. Grasping these elements will support you in developing effective policies and best practices, for example being clear about when you need to seek new consent from individuals: if you processed data for a newsletter regarding a trilogy and now you want to send an email about a different book to the same individuals, you need to refresh their consent.
There are also rules for transferring data to third parties, including the need for Standard Contractual Clauses and other agreements; please check the ICO website at the link above for further information.
Do you need to register with the ICO?
To find out whether you need to register with the ICO and pay the fee, use the self-assessment tool on the ICO website.
Brexit will affect data protection in the UK once the transition period is over; in the meantime the rules stay the same. It is still not clear what this effect will be, as it depends on whether or not there is an agreement between the EU and the UK. For further information visit the ICO’s Brexit website.