Friday, 20 April 2018

#FridayFact - What GDPR means to indie authors and book bloggers

This Friday, Pict Publishing author Sarah Marie Graye talks us through how she believes GDPR will affect indie authors and book bloggers.

by Sarah Marie Graye

I'm going to start this article with a DISCLAIMER.

I'm not a lawyer or expert in EU data laws. My background is CRM marketing and this article covers my understanding of the requirements needed to cover the basics regarding GDPR.

This article does not claim to be legally or factually accurate. Nor does it claim to ensure that you will be GDPR compliant if you follow the information included here.

PLEASE NOTE: If you wish to dispute any of the information covered in this article please email the Pict team at

What is GDPR? 

As the UK is part of the EU, we have to abide by EU laws. There are two types of EU law: Directives and Regulations.

Our current data laws are based on an EU Directive. The new laws, which come into effect on 25 May 2018, are an EU Regulation - the General Data Protection Regulation.

With a Directive, each EU member state interprets the rules and writes them into the laws of their country how they wish, which means the same set of laws are followed very differently across the different countries. With Regulations, all EU member states have to follow the laws as they are set down.

In theory, Regulations mean parity across all EU countries. The reality is that the laws are harder for individuals and companies to interpret - as we're all trying to understand laws that are not written as UK laws!

The independent authority overseeing GDPR in the UK is the Information Commissioner's Office (ICO) which was set up to uphold the current data laws. For more information on GDPR in the UK, visit the ICO website.

You might also find the website helpful, which has been set up to educate the public about the main elements of GDPR.

How does GDPR affect me?

If you COLLECT PERSONAL DATA in any way then GDPR will affect you. GDPR affects not only the way you collect the data, but also how you store it and use it, including when you must delete it.

The data must be stored safely and must only be used in the way agreed at the point of collection. Any person whose personal data you hold has the right to request that it is deleted. And you must also delete personal data when you no longer have a legitimate reason to keep it.

A significant part of GDPR is explaining to people how you will store, use and delete their data - and you have to explain this in simple language without using legal jargon.

You also have to provide an individual with a copy of any personal data of theirs you hold should they request it.

Collect ~ Store ~ Use ~ Delete ~ Explain ~ Provide

Examples of data collection

I think the new rules make the most sense when they are applied to specific examples, so I've chosen some examples that could affect indie authors and book bloggers.

* * * * *

Marketing emails
If you send out marketing emails, how you collect email addresses has changed. And all the emails you have currently in your marketing list need to meet the new rules too.

See: Getting your email newsletter GDPR ready!

* * * * *

Your website or blog
If you collect data via your website - including people commenting on your blog posts - you need to update your Privacy Policy so it is clear on how this information is stored, used and deleted.

If we take the Pict website as an example, it is hosted by Blogger and we use various other plug-ins on the site from providers such as Rafflecopter and Google documents. We've included this information in our Privacy Policy and then linked to the Privacy Policies of the providers.

If you use a separate hosting service (e.g. if you have a site) you will need to include the hosting service in the information.

* * * * *

Sharing ebook files with reviewers
If you email reviewers or book bloggers (e.g. to let them know about blog tours you are running) these count as marketing emails - see above.

If you communicate with your reviewers in a different way (e.g. via a Facebook group), you don't need to go through the marketing email process. But the email addresses you hold to send ebooks to count as personal data and so are covered by GDPR.

One possible solution is to collect such email addresses with a Google Form. Any data collected is automatically stored within a Google Sheet - which is password protected by your Google account password.

* * * * *

Selling books on Amazon
When you sell a book on Amazon, you are an author, not a seller: Amazon is the seller. All personal data and payment details are processed by Amazon. It is Amazon who sends the Kindle to the device or the paperback to the address. The only customer data you have access to is anonymised. In this instance, GDPR is Amazon's responsibility. (Phew!)

* * * * *

Selling via an online shop
This is more tricky than being an Amazon author and it will depend on what set-up you have and what personal data you process through your shop.

If you host an online shop via a "seller service provider" - Amazon (as a seller), Etsy, Tictail, Shopify, etc. - you need to establish what personal data is handled directly by you and what is handled by the provider (or an add-on service).

For example, if you use built-in payment services where the personal payment information is handled by the service provider (or an add-on service such as PayPal), you need to state this in your Privacy Policy.

Any personal data you do handle is covered by GDPR. So you need to break down the various steps - collection, storing, using, deleting, explaining, providing - and see which ones you are responsible for.

It is usual for your service provider to collect the name and address of the customer as part of their checkout process. If they do this, they will be responsible for meeting the other GDPR requirements within their system.

However, you will need to use the name and address of the customer in order to send goods, so this is personal data that you will handle directly. You need to make sure you handle the data in agreement with the service provider's rules - as these are the rules the customer signed up to when they purchased.

So you would include a statement in your Privacy Policy that all personal data is collected and stored by the service provider and that any data handled by the store owner is handled in accordance with the rules of the service provider - and you would need to link to those rules.

It is typical for such service providers to allow you to use this data once only in order to ship the items sold. If this is the case, it means you cannot keep this customer's data outside of the service provider's system once the goods have been sent.

You will only be able to use the name and address of the customer for direct marketing purposes if the permission to do so is collected correctly via the service provider's checkout process. You will need to check your terms of service for this information.

(It is usual for such service providers to limit such marketing permissions to their own services.)


Work out when it's you handling personal data directly and when it's a service provider.

Any service providers that hold data on your behalf should be listed as such in your Privacy Policy - and you should link to their Privacy Policy.

If you collect data:
  • You are responsible for how it is collected, stored, used and deleted
  • You must explain these processes in simple terms (at the point of collection and in your Privacy Policy)
  • You must provide a copy of the data you hold if it is requested