The Myths of GDPR

25th May is just a few days away and I’m sure you’re swimming in emails asking you to ‘stay in touch’.

There’s been a hell of a lot of confusion over this rather significant change in the law, with people offering different advice based on their own interpretations of the regulations. It’s fair to say a few people have panicked too, and who can blame them, with threats of million-pound fines for non-compliance.

The aim of this article is to quell those nerves and to offer some practical advice for writers on complying with the new laws.


Donning my retired lawyer’s hat, I’ve scoured and studied the resources of the legal commentariat and found a few helpful pointers.

*Before we venture further, I wish to make it clear that I’m not offering any legal advice here. If you want proper legal advice, speak to a solicitor or attorney.*

Toni Vitale, the head of regulation, data and information at law firm Winckworth Sherwood, provides a useful starting point:

“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”

For writers, the main method of processing people’s data is going to be by consent. So what do we need to do to obtain this consent?

Consent

Back over to Mr Vitale:

“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”

Steve Wood, Deputy Information Commissioner of the Information Commissioner’s Office echoes this point:

“…it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.”

The bar has been raised for obtaining consent. So what are the requirements for obtaining consent according to GDPR? Article 7 of the Regulations sets out 4 conditions for consent:

  1. The ‘controller’ (i.e. the person processing data) must be able to demonstrate that a person has consented.

  2. If consent is given in written form (a request to subscribe, for instance), the request must be clear and intelligible, using clear and plain language.

  3. The person signing up must have the right to withdraw their consent at any time. It must be as easy to withdraw consent as it is to give it.

  4. Consent must be freely given. Be wary of adding conditions to obtaining consent. It’s important to consider the definition of ‘freely given consent’, which you can read here (Recital 43)

The Regulations provide further guidance on ‘Conditions for Consent’ found in Recital 32.

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

One way to capture this affirmative act is an unticked tick box on your sign-up forms: a pre-ticked box does not count! On the subject of sign-up forms, Recital 42, which deals with the burden of proof and the requirements for consent, says the following:

“… a declaration of consent pre-formulated by the controller (person asking for consent) should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject (the person subscribing) should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”

If you can say you complied with all of the above regulations, consent more than likely carries over, so you do not have to ask again.

In my view, it seems the purpose of the GDPR is to regulate bigger companies who obtain people’s data in unsavoury ways and have no way (or dishonest ways) of showing how they came to obtain that data in the first place. If you receive emails from companies asking you to confirm your consent, though you did not provide it in the first place, then those companies are breaching the law.

What should you do?

You have to keep safe records of who signed up and how. Failure to do so could see you get in trouble.

Perhaps the best way to do this is to use a service such as MailChimp. Its signup and pop-up forms can be adjusted to comply with GDPR and automatically record each sign-up. You could also factor in a two-step confirmation process. By that I mean that when somebody subscribes by email, they must then confirm their agreement to the subscription before being added to the mailing list.

Any email sent out using MailChimp’s ‘Campaign’ system contains an unsubscribe button at the bottom, again helping you comply.
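As an added illustration (not code from this post, and not MailChimp’s), here is a minimal Python consent ledger that does what this section asks for: it refuses a pre-ticked box as the affirmative act, issues a confirmation token for the second step, keeps a dated record of who consented via which form and for which purpose, and offers a one-click unsubscribe that is as easy as signing up. The `ConsentLedger` class, `UNSUBSCRIBE_KEY` and the form ids are assumptions made for the example.

```python
import hmac, hashlib, secrets
from datetime import datetime, timezone

UNSUBSCRIBE_KEY = secrets.token_bytes(32)  # constructed per-deployment secret (assumption)

def _now():
    return datetime.now(timezone.utc).isoformat()

class ConsentLedger:
    """Records who consented, to what, via which form and when (Article 7 condition 1)."""
    def __init__(self):
        self.records = {}   # email -> confirmed consent record
        self.pending = {}   # confirmation token -> record awaiting step two

    def request(self, email, purposes, form_id, box_ticked_by_user):
        # Recital 32: consent needs a clear affirmative act; a pre-ticked box is not one.
        if not box_ticked_by_user:
            return None
        token = secrets.token_urlsafe(32)  # goes into the confirmation email
        self.pending[token] = {"email": email, "purposes": tuple(purposes),
                               "form_id": form_id, "requested_at": _now(),
                               "confirmed_at": None, "withdrawn_at": None}
        return token

    def confirm(self, token):
        # Second step: nobody joins the list until they confirm from their inbox.
        rec = self.pending.pop(token, None)
        if rec is None:
            return False
        rec["confirmed_at"] = _now()
        self.records[rec["email"]] = rec
        return True

    def unsubscribe_token(self, email):
        # Keyed token for the one-click link in every email (Article 7 condition 3).
        return hmac.new(UNSUBSCRIBE_KEY, email.encode(), hashlib.sha256).hexdigest()

    def withdraw(self, email, token):
        # Withdrawing must be as easy as giving: one valid link click, no login.
        rec = self.records.get(email)
        if rec is None or not hmac.compare_digest(token, self.unsubscribe_token(email)):
            return False
        rec["withdrawn_at"] = _now()
        return True

    def may_email(self, email, purpose):
        # Only confirmed, unwithdrawn consent for this specific purpose permits sending.
        rec = self.records.get(email)
        return bool(rec and rec["confirmed_at"] and not rec["withdrawn_at"]
                    and purpose in rec["purposes"])
```

The stored record (email, purposes, form id, timestamps) is the evidence the first condition asks you to be able to produce; keep it with the same care as the mailing list itself.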

 

Summary

So in summary, ensure the following:

  • Check your existing mailing lists to see if they comply with GDPR before asking everybody to sign-up again.
  • All sign-up forms must be clear and intelligible, with an unticked tick box and, where possible, a two-step confirmation process.
  • Keep detailed records of the sign-up. Using a service like MailChimp will help you comply.
  • Ensure your subscribers can always unsubscribe.

 

Resources

https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts?CMP=Share_iOSApp_Other

https://iconewsblog.org.uk/2018/05/09/raising-the-bar-consent-under-the-gdpr/

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/consent/

https://gdpr-info.eu/

 


Thank you for reading. I hope you found it useful. If you’d like to read more of the same, check out my blog. If you haven’t already found them too, I have a bunch of helpful resources for writers, like lists of publishers, a free ebook on the craft of creative writing, and a list of book reviewers.

If you’d like to stay in touch, why not sign up to my mailing list? I send one newsletter a week packed with my latest blogs, news and articles I think you may find helpful, as well as any new resources I release.

8 thoughts on “The Myths of GDPR”

  1. Most helpful, Richie. I rang up the helpline, and spoke to a very helpful lady. It’s £35 to register, but once you start, you have to repeat it every year. She told me I didn’t need to register as I was only doing what was necessary for carrying out my business on a day-to-day basis.

    I have 3 strands to my business: writing and publishing my books, running workshops for other writers, and my proof-reading and editing services. The small database I have is related to my learners, but I also run a spoken word night (which they can come and read at) and a writers’ community which meets every 3 months for a chat and to read work aloud to each other. I send out reminders to learners of the next workshop, plus a writers’ community newsletter. I do quite a bit of publicity for all this, as you might imagine! For that, it’s useful to have all the information I need in one place, rather than listed separately under people’s names.

    Anyway, if you want to post the information about the cost etc. I think there would be a few people who would find that really useful. Hope this helps.

    Helen 🙂


  2. The US could use such a law, but it would be unenforceable in this country. Most of the Emails I get come from somewhere very far away, and usually not even in English, insofar as the server is concerned. I often unsubscribe, and sometimes go so far as to block the sender, but I receive probably 300 “spam” emails per day, and have to delete them. If someone is on my “friends” list, they have a special folder in my vast email storage, but otherwise, they simply land and vanish, unless the subject intrigues me. This is a sad thing, as I’ve lost emails I really wanted to keep, just because they resembled something I didn’t want/need. Good on ya, United Kingdom, you’ve found something that has actual value as a law.


  3. Thank you for this. People are doing different things to comply, so it’s not easy to know if I’m doing it right, but your blog helped.

