New laws on data protection – what do they mean for you?

15 November 2017

What and why is the GDPR?

The GDPR will govern the way companies of all sizes manage and are responsible for the personal information they store and use. It is designed to give people more control over the information that is held about them, and to provide a legal framework to protect that control.

The new legislation is necessary because the way personal information is stored and used has been completely transformed over the past few decades. Existing legislation across Europe, including our own Data Protection Act 1998, has fallen behind as innovative ways to collect and exploit personal records have evolved, especially online.

The changes will affect you if you:

  • Run a mailing list for readers
  • Sell books from your website
  • Informally collect contact details from people at events
  • Collect personal information from people as part of your research for your work

But I’m an individual – does it really apply to me?

Yes. The GDPR will affect all organisations, from blue-chip corporations to one-person businesses and everything in between.

Where’s the guidance?

Although self-employed individuals will be bound by the new regulations, the only guidance issued by the Information Commissioner’s Office (ICO) is written more with larger businesses in mind.

When we asked an ICO agent about guidance for self-employed individuals and very small businesses, he told us:

We're working on that but don't have it available yet. I would say that a key issue for authors/illustrators who are doing there [sic] own marketing or sales will be the GDPRs developments in terms of consent requirements for marketing.

Next steps

While we wait for official guidance specifically written for the smallest businesses, the good news is that there is plenty of information available to help you get started.

The principal areas you’ll need to be aware of are:

  • Consent – being able to demonstrate that people have actively given you permission to use their personal information
  • Control – ensuring that if someone wants to be removed from your list or see what information you hold about them, they can do so
  • Security – making sure you store this information securely
  • Extra protection for children’s information

The resources below from charities body NCVO are the best place to start:

Other concerns

We are also working on another worrying side effect of the GDPR – this time in relation to its potential negative impact on freedom of expression.

We are lobbying for amendments to be made to the Data Protection Bill to ensure an appropriate balance is struck between the data protection requirements of the GDPR and the right to freedom of expression (as protected by Article 10 of the European Convention on Human Rights).

This includes arguing against proposed new powers for the ICO in its regulatory mandate, under which any reliance upon an exemption, including for the publication of academic and literary material in the public interest, would be subject to an objective assessment by the regulator rather than being contingent on the reasonable belief of the author and publisher.

We will of course update you as soon as we have more information to share on all aspects of GDPR.