New laws on data protection – what do they mean for you?

15 November 2017

What and why is the GDPR?

The GDPR will govern the way companies of all sizes manage and are responsible for the personal information they store and use. It is designed to give people more control over the information that is held about them, and to provide a legal framework to protect that control.

The new legislation is necessary because the way personal information is stored and used has been completely transformed over the past few decades. Existing legislation across Europe, including our own Data Protection Act 1998, has fallen behind as innovative ways to collect and exploit personal records have evolved, especially online.

The changes will affect you if you:

  • Run a mailing list for readers
  • Sell books from your website
  • Informally collect contact details from people at events
  • Collect personal information from people as part of your research for your work

But I’m an individual – does it really apply to me?

Yes. The GDPR will affect all organisations, from blue-chip corporations to one-person businesses and everything in between.

Where’s the guidance?

Although self-employed individuals will be bound by the new regulations, the only guidance issued by the Information Commissioner’s Office (ICO) is written more with larger businesses in mind.

When we asked an ICO agent about guidance for self-employed individuals and very small businesses, he told us:

We're working on that but don't have it available yet. I would say that a key issue for authors/illustrators who are doing there [sic] own marketing or sales will be the GDPRs developments in terms of consent requirements for marketing.

Next steps

While we wait for official guidance specifically written for the smallest businesses, the good news is that there is plenty of information available to help you get started.

The principal areas you’ll need to be aware of are:

  • Consent – being able to demonstrate that people have actively given you permission to use their personal information
  • Control – ensuring that if someone wants to be removed from your list or see what information you hold about them, they can do so
  • Security – making sure you store this information securely
  • Extra protection for children’s information

The resources below from charities body NCVO are the best place to start:

Other concerns

We are also working on another worrying side effect of the GDPR – this time in relation to its potential negative impact on freedom of expression.

We are lobbying for amendments to be made to the Data Protection Bill to ensure an appropriate balance is met between the data protection requirements of the GDPR and the right to freedom of expression (as protected by Article 10 of the European Convention on Human Rights).

This includes arguing against proposed new powers for the ICO under its regulatory mandate, whereby any reliance on an exemption (including for the publication of academic and literary material in the public interest) would be subject to an objective assessment by the regulator, rather than being contingent on the reasonable belief of the author and publisher.

We will of course update you as soon as we have more information to share on all aspects of GDPR.


Emma Darwin (24/05/2018 03:15)
" A writer friend put me onto this post, which is very clear, and un-hysterical:"
Nicola Morgan (18/05/2018 11:26)
" Here’s my statement, which various authors have based theirs on and which you’re welcome to use:

It’s really not complicated once you get stuck in!"
Shoo Rayner (04/04/2018 10:18)
" Arrgh! I've done it - probably left some things out, but I've done everything I can think of. See it here and feel free to copy, but I'm not offering it as legal advice!
I've gone through all the apps I use and made sure passwords are strong, and I have signed up for two-factor authentication for them all too. Don't forget your computer and phone must be protected by a strong password too.
If it all gets too much for you, I use 1Password to collect up and store all my passwords securely and have them available on all devices."
Helen Matthews (03/04/2018 11:34)
" I've been following this thread and would be really interested in any answers to Nicola Morgan's post of 16/3/18. I also have an online shop. It's hosted by an external ecommerce provider and that provider makes it very clear they are the data processor and not the data controller. So although customers freely register and I don't physically hold the data (similar to the MailChimp scenario described), you can access names and addresses of customers via my website (in order to dispatch books!). I don't use the data for mailing lists or anything else but I'm reluctant to delete it in case I have an HMRC audit and have to evidence sales that don't come through the usual royalty channels.
I'm coming to the conclusion I will have to register. What does anyone else think?"
Nicola Morgan (16/03/2018 12:15)
" I wonder if one of you experts could possibly say where you think my risks or action points are (and at least the first and third ones will be common to many authors, which is why I've put this question publicly instead of contacting SoA privately):

1. I have a mailing list, on Mailchimp. Every single person/school on the list has actively opted in - I have not added anyone myself. The only information I hold for them is name and email address, although those who signed up earlier had the opportunity to say whether they were school staff, parent or "other". When they signed up, they did so knowing that they would get a monthly newsletter and occasional other news and that their details would never be shared. They can unsubscribe at any time (by clicking the unsubscribe button at the bottom of each missive.) This list is only on Mailchimp - I don't have another copy.
I was planning to email the whole list and outline how their info is stored and reminding them of the terms and how they can unsubscribe.

2. People buy things from my website. For this, they (obviously) have to give their postal address and email address. Buying something does NOT link them to my mailchimp list so they don't receive any mailings from me unless there's a query about the order.
I have to keep the contact details of the schools that have bought classroom materials, as this gives them a perpetual licence, so I need to know who has a licence.

3. When someone (not on a mailing list) emails an author with any query, what are our responsibilities for their email address?

In short, is there something I should be doing a) to ensure the safety of their data and b) to inform them about that? All the info I've read seems geared to businesses with staff - eg re appointing a GDPR officer.

And what risks am I running? I've been sailing along in the belief that I'm acting responsibly but I think I'm at risk of breaking the new regs somehow and would like to avoid that!"
Sue Moorcroft (18/11/2017 02:23)
" I presume a mailing list not actually held on my own devices is affected? I have a mailing list but I pay annually to YMLP to use their online mailing service, and they hold the data in their databank. The information belongs to me but is hosted by them."
Rhoda Baxter (18/11/2017 09:02)
" Does this mean that all authors who have a mailing list should register with the ICO as data controllers? In the past it's been ambiguous whether or not it was needed."
Gordon Owen @ IGO eBooks® (17/11/2017 09:56)
" Positive, helpful information, but with only 26 weeks left before implementation there is much more that can (and should) be done, not least mapping what 'personal' data you have. This can mean anything from actual names to associated data that can identify an individual. In over-simplistic terms, think of three things that you should be able to answer if an individual or the ICO were to ask you: (1) What personal data have you got on each individual? (2) Why have you got it? (3) What are you going to do with it? Authors need to tick all three boxes, not just one or two, and not be hesitant with an individual if they ask; otherwise you will be subject to an Enforcement, which would certainly be both financially and reputationally damaging - even business breaking!

Look at personal data held, and where, and unless you can BOTH justify why you are holding it AND show that you have 'explicit', NOT 'implicit', consent for each individual, then it should be deleted. If you hold old databases or personal data on CRMs for people you have not been in contact with for the past 3-10+ years, why do you need to retain it? Delete it. This includes on old desktops, laptops, memory sticks, smartphones/mobiles, backup drives (and for larger groups, servers/data centres). Everything should be 'evidence based' to justify it, so in the case of deleting, 'deletion certificates' should be produced to show what you did and when. All of this, together with the explicit consents (not just tick boxes on the website), should be gathered, chronicled for audit, and archived in the event of any future challenge.

Encrypt all personal data, be it on a database, or even an address book on your laptops or mobile device, to reduce the risk of any loss being hacked and misused - remember you are responsible: even if you use 3rd parties to do tasks for you and they lose it, you are still the owner of that personal data, and you will be the one heavily penalised.

So please, DO NOT panic!! On the start date of GDPR on 25th May 2018 mountains will not explode! Men in black coats will not be knocking on Authors' doors! This is about what the original article above says and the safety of everyone's personal ID. To recap:-

What is personal data?

Personal data is any record which can be used to identify a living individual - this can include e-mail address, job title/organisation, IP address, address, phone number, etc. and includes sensitive personal data such as health, religious beliefs, sexual orientation, criminal records, etc. This is not just limited to lists, spreadsheets or databases but includes documentation such as minutes and CVs where an individual is identifiable.

What is data minimisation?

Data minimisation is about collecting and keeping the minimum amount of personal data to enable you to carry out your work. To give what may seem an extreme example, HR may need to keep CVs to demonstrate individuals have certain qualifications but they are unlikely to need to keep personal profiles contained in the CV beyond the selection process. This means that HR would be required to redact all personal statements from the CVs held. GDPR requirements really are that granular!

Do I need to start redacting personal data from documentation?

Yes, as soon as you do the mapping exercise above, followed by a cleansing exercise, and record your actions to show evidence that you have acted in compliance.

Start thinking and planning tomorrow and do this in bite-size steps between now and next May. We are not in a perfect world so things will go wrong for all sectors and industries, but as Authors you will set the bar and be able to demonstrate that reasonable actions were taken - it is those who are found wanting and taken little action who will be penalised the heaviest.

Gordon Owen

Biography: Spent the past two years reading, presenting (including directly with the ICO to organisations) and training on GDPR to better understand processes and give good guidance. Author & ePublisher on the niche genre of third sector fundraising, governance, and organisational matters."
Ian M. Stewart (17/11/2017 04:46)
" How would GDPR affect my non-fiction book I completed and wrote in 2009? In that book I "invite every reader of this book to approach the subject, unprejudiced and uncritical, as of right of those who ..." Does it need further changes to meet the new requirements of the GDPR which means republishing the revised and updated edition and disposing of the original editions? How would the UK Copyright Laws be affected especially where libel is concerned?"
Mark Williams - The New Publishing Standard (17/11/2017 04:36)
" I'm perhaps missing something here, Alex, but how would this affect your work unless you are writing true-life crime or using real people in your novels? I don't see how policing methods would be an issue here.

Can you clarify?"
Alex Gray (17/11/2017 03:48)
" As a published author of fifteen crime novels, I am concerned that some of my research may be affected by the new legislation. Currently I am able to talk to the most senior officers in Police Scotland without any problem whatsoever and with the blessing of our current (acting) chief constable, Iain Livingstone. Writing police procedurals necessitates having my facts right and keeping up with changes in day-to-day policing methods. I have also consulted many other experts in their fields, always acknowledging their help at the end of each novel. Does the new legislation spell the end for authors like myself, and should I be thinking of switching to fantasy or sci-fi in order to steer clear of reality?
I do hope not as it seems readers enjoy what I and my fellow crime writers produce.
Alex Gray, Scottish Chapter Convener of CWA and co-founder of Bloody Scotland."