25th May is just a few days away and I’m sure you’re swimming in emails asking you to ‘stay in touch’.
There’s been a hell of a lot of confusion over this rather significant change in the law, with people offering different advice based on their interpretations of the regulations. It’s fair to say a few people have panicked too, and who can blame them, with threats of million-pound fines for non-compliance?
The aim of this article is to quell those nerves and to offer some practical advice for writers on complying with the new laws.
Donning my retired lawyer’s hat, I’ve scoured and studied the resources of the legal commentariat and found a few helpful pointers.
*Before we venture further, I wish to make it clear that I’m not offering any legal advice here. If you want proper legal advice, speak to a solicitor or attorney.*
Toni Vitale, the head of regulation, data and information at law firm Winckworth Sherwood, provides a useful starting point:
“Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR,” Vitale said. “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”
For writers, the main method of processing people’s data is going to be by consent. So what do we need to do to obtain this consent?
Back over to Mr Vitale:
“Even if you are relying on consent, that still does not mean you have to ask for consent again. Recital 171 of the GDPR makes clear you can continue to rely on any existing consent that was given in line with the GDPR requirements, and there’s no need to seek fresh consent. Just make sure that your consent met the GDPR standard and that consents are properly documented.”
Steve Wood, Deputy Information Commissioner of the Information Commissioner’s Office, echoes this point:
“…it’s important to check your processes and records to be sure existing consents meet the GDPR standard. If they do there is no need to obtain fresh consent.”
The bar has been raised for obtaining consent. So what are the requirements for obtaining consent according to GDPR? Article 7 of the Regulations sets out 4 conditions for consent:
- The ‘controller’ (i.e. the person processing data) must be able to demonstrate that a person has consented.
- If consent is given in written form, the request (to subscribe, for instance) must be clear and intelligible, using clear and plain language.
- The person signing up must have the right to withdraw their consent at any time. It must be as easy to withdraw consent as it is to give it.
- Consent must be freely given. Be wary of adding conditions to obtaining consent. It’s important to consider the definition of ‘freely given consent’, which is set out in Recital 43.
The Regulations provide further guidance on ‘Conditions for Consent’ found in Recital 32.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
One way you can ensure this affirmative act is to include a tick box in your sign-up forms. A pre-ticked box does not count! On the subject of sign-up forms, Recital 42, which deals with the burden of proof and requirements for consent, says the following:
“… a declaration of consent pre-formulated by the controller (person asking for consent) should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject (the person subscribing) should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
If you can say you complied with all of the above regulations, consent more than likely carries over, so you do not have to ask again.
In my view, it seems the purpose of the GDPR is to regulate bigger companies who obtain people’s data in unsavoury ways and have no way (or dishonest ways) of showing how they came to obtain that data in the first place. If you receive emails from companies asking you to confirm your consent, though you did not provide it in the first place, then those companies are breaching the law.
What should you do?
You have to keep safe records of who signed up and how. Failure to do so could see you get in trouble.
Perhaps the best way to do this is to use services such as MailChimp. Their signup and pop-up forms can be adjusted to comply with GDPR and automatically record the sign-up, therefore complying with the regulations. You could also factor in a two-step authentication process. By that I mean when you subscribe by email, you must then confirm your agreement to the subscription before being added to the mailing list.
Any emails sent out using MailChimp’s ‘Campaign’ system contain an unsubscribe button at the bottom, again ensuring compliance.
So in summary, ensure the following:
- Check your existing mailing lists to see if they comply with GDPR before asking everybody to sign up again.
- All sign-up forms must be clear and intelligible, with a tick box, and even a two-step authentication process.
- Keep detailed records of the sign-up. Using a service like MailChimp will help you comply.
- Ensure your subscribers can always unsubscribe.