New laws on data protection – what do they mean for you?

15 November 2017

What and why is the GDPR?

The GDPR will govern the way companies of all sizes manage and are responsible for the personal information they store and use. It is designed to give people more control over the information that is held about them, and to provide a legal framework to protect that control.

The new legislation is necessary because the way personal information is stored and used has been completely transformed over the past few decades. Existing legislation across Europe, including our own Data Protection Act 1998, has fallen behind as innovative ways to collect and exploit personal records have evolved, especially online.

The changes will affect you if you:

  • Run a mailing list for readers
  • Sell books from your website
  • Informally collect contact details from people at events
  • Collect personal information from people as part of your research for your work

But I’m an individual – does it really apply to me?

Yes. The GDPR will affect all organisations, from blue-chip corporations to one-person businesses and everything in between.

Where’s the guidance?

Although self-employed individuals will be bound by the new regulations, the only guidance issued by the Information Commissioner’s Office (ICO) is written more with larger businesses in mind.

When we asked an ICO agent about guidance for self-employed individuals and very small businesses, he told us:

We're working on that but don't have it available yet. I would say that a key issue for authors/illustrators who are doing there [sic] own marketing or sales will be the GDPRs developments in terms of consent requirements for marketing.

Next steps

While we wait for official guidance specifically written for the smallest businesses, the good news is that there is plenty of information available to help you get started.

The principal areas you’ll need to be aware of are:

  • Consent – being able to demonstrate that people have actively given you permission to use their personal information
  • Control – ensuring that if someone wants to be removed from your list or see what information you hold about them, they can do so
  • Security – making sure you store this information securely
  • Extra protection for children’s information

The resources below, from the charities body NCVO, are the best place to start:

Other concerns

We are also working on another worrying side effect of the GDPR – this time in relation to its potential negative impact on freedom of expression.

We are lobbying for amendments to be made to the Data Protection Bill to ensure that an appropriate balance is struck between the data protection requirements of the GDPR and the right to freedom of expression (as protected by Article 10 of the European Convention on Human Rights).

This includes arguing against proposed new powers for the ICO in its regulatory mandate, under which any reliance on an exemption, including the exemption for publishing academic and literary material in the public interest, would be subject to an objective assessment by the regulator rather than depending on the reasonable belief of the author and publisher.

We will of course update you as soon as we have more information to share on all aspects of GDPR.


Tim Mainland (08/02/2018 12:22)
" How will GDPR affect the research for, and writing of recent historic content? More specifically, I'm looking at writing a history of a profession over the last century or so."
Sue Moorcroft (18/11/2017 02:23)
" I presume a mailing list not actually held on my own devices is affected? I have a mailing list but I pay annually to YMLP to use their online mailing service, and they hold the data in their databank. The information belongs to me but is hosted by them."
Rhoda Baxter (18/11/2017 09:02)
" Does this mean that all authors who have a mailing list should register with the ICO as data controllers? In the past it's been ambiguous whether or not it was needed."
Gordon Owen @ IGO eBooks® (17/11/2017 09:56)
" Positive helpful information but with only 26 weeks left before implementation there is much more that can (and should) be done, not least mapping what 'personal' data you have. This can mean anything from actual names to associated data that can identify an individual. In over simplistic terms think three things that you should be able to answer if an individual or ICO were to ask you - (1) What personal data have you got on each individual?; (2) why have you got it?; (3) What are you going to do with it? Authors need to tick all three boxes not just one or two and not be hesitant to an individual if they ask otherwise you will be subject to an Enforcement which would certainly be both financially and reputationally damaging - even business breaking!

Look at personal data held, where, and unless you can BOTH justify why you are holding it AND show that you have 'explicit', NOT 'implicit' consent for each individual then it should be deleted. If you hold old databases or personal data on CRMs with people you have not been in contact with for the past 3-10+ why do you need to retain - delete. This includes on old desktops, laptops, memory sticks, smartphones/mobiles, backup drives, (and for larger groups servers/data centres). Everything should be 'evidence based' to justify so in the case of deleting, 'deletion certificates' should be produced to show what you did and when. All of this together with the explicit consents, (not just tick boxes on the website), should be gathered, chronicled for audit, and archived in the event of any future challenge.

Encrypt all personal data, be it on a database, or even an address book on your laptops, or mobile device to reduce risk of any loss being hacked and misused - remember you are responsible, even if you use 3rd parties to do tasks for you and they lose, you still are the owner of that personal data, and you will be the one heavily penalised.

So please, DO NOT panic!! On the start date of GDPR on 25th May 2018 mountains will not explode! Men in black coats will not be knocking on Authors' doors! This is about what the original article above says and the safety of everyone's personal ID. To recap:-

What is personal data?

Personal data is any record which can be used to identify a living individual - this can include e-mail address, job title/organisation, IP address, address, phone number, etc. and includes sensitive personal data such as health, religious beliefs, sexual orientation, criminal records, etc. This is not just limited to lists, spreadsheets or databases but includes documentation such as minutes and CVs where an individual is identifiable.

What is data minimisation?

Data minimisation is about collecting and keeping the minimum amount of personal data to enable you to carry out your work. To give what may seem an extreme example, HR may need to keep CVs to demonstrate individuals have certain qualifications but they are unlikely to need to keep personal profiles contained in the CV beyond the selection process. This means that HR would be required to redact all personal statements from the CVs held. GDPR requirements really are that granular!

Do I need to start redacting personal data from documentation?

Yes, as soon as you do the mapping exercise above, followed by a cleansing exercise, and record your actions to show evidence that you have acted in compliance.

Start thinking and planning tomorrow and do this in bite-size steps between now and next May. We are not in a perfect world so things will go wrong for all sectors and industries, but as Authors you will set the bar and be able to demonstrate that reasonable actions were taken - it is those who are found wanting and taken little action who will be penalised the heaviest.

Gordon Owen

Biography: Spent past two years reading, presenting, including directly with the ICO to organisations and training on GDPR to better understand processes and give good guidance. Author & ePublisher on niche genre of third sector fundraising, governance, and organisational matters."
Ian M. Stewart (17/11/2017 04:46)
" How would GDPR affect my non-fiction book I completed and wrote in 2009? In that book I "invite every reader of this book to approach the subject, unprejudiced and uncritical, as of right of those who ..." Does it need further changes to meet the new requirements of the GDPR which means republishing the revised and updated edition and disposing of the original editions? How would the UK Copyright Laws be affected especially where libel is concerned?"
Mark Williams - The New Publishing Standard (17/11/2017 04:36)
" I'm perhaps missing something here, Alex, but how would this affect your work unless you are writing true-life crime or using real people in your novels? I don't see how policing methods would be an issue here.

Can you clarify?"
Alex Gray (17/11/2017 03:48)
" As a published author of fifteen crime novels, I am concerned that some of my research may be affected by the new legislation. Currently I am able to talk to the most senior officers in Police Scotland without any problem whatsoever and with the blessing of our current (acting) chief constable, Iain Livingstone. Writing police procedurals necessitates having my facts right and keeping up with changes in day-to-day policing methods. I also have consulted many other experts in their fields, always acknowledging their help at the end of each novel. Does the new legislation spell the end for authors like myself and should I be thinking of switching to fantasy or sci fi in order to steer clear of reality?
I do hope not as it seems readers enjoy what I and my fellow crime writers produce.
Alex Gray, Scottish Chapter Convener of CWA and co-founder of Bloody Scotland."