If you, like me, live in the EU, you've probably heard about the new EU General Data Protection Regulation (GDPR) by now. Even if you don't, you've probably noticed the onslaught of emails from various companies and websites where you're either a customer or subscriber to a newsletter. Why are companies and website owners sending out these emails? And do you need to send out some emails yourself if you have a newsletter to promote your blog and/or books? Keep reading to find out.

_________________________________________________________________________

Disclaimer: I am not a lawyer, and the information provided in this post should not in any way be construed as legal advice. The purpose of this post and future posts like it is to spotlight potential legal issue you may encounter in the course of indiepublishing.

________________________________________________________________________

What is GDPR?

The General Data Protection Regulation (GDPR) is a new regulation that replaces the previous Data Protection Directive. The purpose is to regulate the entire European Union and ensure equal privacy protection for all EU citizens. These regulations don't just apply to companies within the EU. As of May 25 this year, they apply to all companies processing personal data of data subjects (aka real-life people) living in the EU, regardless of the company’s location.

I don't live in the EU, why should I care?

If you don't have a website, and you don't have a mailing list for marketing purposes, it's possible you won't have to worry a bit about GDPR. Most likely, the only way it will impact you is that you will get a lot of emails asking for your permission to send you emails in the future, and that websites you visit will ask you to confirm you really, truly want to subscribe to their newsletter.

Now, if you do have a website, there are a few steps you need to take to ensure you're in compliance with the new legislation - even if you don't live in the EU! Why is this so important?

• The penalties are insane

If you are found to be in breach of GDPR, you can be fined up to 4% of your company's annual global turnover or €20 Million (whichever is greater). Safe to say, this would bankrupt any small business.

Of course, this is the maximum fine and it applies to the most serious infringements. What is considered a serious infringement? The European Union's website dedicated to explaining GDPR gives the example "not having sufficient customer consent to process data or violating the core of Privacy by Design concepts". Meaning, you definitely need to get consent from your subscribers to send them emails.

What is consent?

You know those buttons you need to click to confirm you accept a website's or company's Privacy Policy? And the links to those policies, which are packed with complicated language and arbitration clauses? Do you read them? Or do you just click OK anyway because you can't be bothered to try to figure out what it all means just so you can use an app?

GDPR requires that the request for consent must be clear and easy-to-understand, and that it must be easy to withdraw consent once you've given it. So you not only have to have a Privacy Policy on your website, it needs to be easy to understand, too.

What rights do GDPR grant to users?

As I mentioned earlier, the new regulation is meant to protect EU citizens and their rights to privacy. So what type of rights does this new regulation provide and what do they mean for companies and website owners?

• Breach Notification

This means that if your system gets hacked or infected by a virus, you need to let the people whose information you have collected know about it within 72 hours. 

• Right to Access

Anyone who submits information (such as an email adress in a subscribe-field), has the right to ask the company/website owner how their information is used, and receive a copy of that information.

• Right to be Forgotten

The person submitting information about him- or herself (the "Data Subject") has the right to tell the company/website owner collecting information ("the Data Controller") to delete any information processed about him or her.

• Data Portability

Data portability is the right for a data subject to receive the personal data concerning them, which they have previously provided in a 'commonly used and machine readable format' and have the right to transmit that data to another controller. 

How do I comply with GDPR?

Ask yourself these questions:

1. Do I have a Cookie Policy easily accessible on my website?

2. Do I have a Privacy Policy easily accessible on my website?

3. Do I make clear to potential subscribers that I will use their email address to send them newsletter/updates/marketing emails?

4. Do I make clear to people using my contact form that I will contact them via the email address they've provided?

5. Do I make it easy for subscribers to unsubcribe?

Over the past couple of weeks, I've learned a lot about the type of information that needs to be available on a website, and realized that I know very little at all about websites... eek! When your website is hosted somewhere, they are putting cookies on your site and gathering information about the website's visitors. It's your job as website owner to make sure your visitors know information is being collected about them, even if you're not the one actively keeping the record.

Again, I'm not a lawyer, but I've done my best to write a Cookie Policy and a Privacy Policy for Sheila & Swede that will hopefully make some sense to those who choose to read them before agreeing to them. You can find them at the top of all pages on this website, but if you choose to copy them for your own website, please keep in mind that: 1) I am not a lawyer, and 2) the policies are adapted to the type of information we might collect.

_____________

Post Author: The Swede

Source for the information provided in this post: https://www.eugdpr.org/

#sheilaandswede #businessandlegal #legalstuff #GDPR #indieauthors #IANAL